If you were to pull the average e-commerce manager aside and ask them if they’ve ever come across a “fake” subscriber, you’ll surely get a long monologue back about every attempt they’ve made at fixing the issue. For most of us, getting a grip on spambots is becoming more and more of a problem and focus point. You may be telling yourself, “Who cares? It’s not like they’re trying to hack me. They’re not costing me any money.” Unfortunately, even in the case where spambots are not directly costing you money, they are in other ways. A marketer’s success is measured in the same way as he or she measures his or her client’s success: ROI. As a marketer, your investment is your time (it’s an allocation of a part of a client’s budget). One way spambots are impeding your success is through wasted time. When time is wasted, you are throwing client budgets into the trash. This blog post is meant to uncover the possible reasons for a sudden increase in SpamBots, and offer a remedy to combat this epidemic.

Note: Though this blog post was created as a result of SpamBots creating fake Customer Accounts on Shopify, the remedies listed can be applied to almost any E-Commerce platform and/or store.

Overview

What defines a fake subscriber/customer account in Shopify?

How can you distinguish real accounts from fake accounts?

Ways fake subscribers/customer accounts are hurting your business

How MailChimp fights off Spammers

The additional remedy you need

How to clean your database before moving forward

Why do “Registration-Bots” Exist?

There are a number of reasons why SpamBots exist and plenty of conspiracy theories to go around that match those. At the end of the day, there are a few things to keep in mind while you draw your own conclusions:

Integrations make money off of data

Integrations make money off of subscribers

Shopify doesn’t mind the traffic on your site

An email spambot, for example, is deployed with the end goal of harvesting email addresses that can be used to build mailing lists for future unsolicited emails (purchased lists). In this instance, the spambot would act as a web crawler. Forum spambots are more interested in spamming readers in the comment section of blogs. Other times they post bogus spam messages that aren’t meant to engage the reader but rather to increase the number of backlinks to their own website in an effort to boost their SER. In this article, we are focusing on Registration Bots. Registration Bots create accounts because CMS systems (Shopify is a CMS) sometimes have an open list of user profiles that contain really valuable information like their name, email, residential or business address, birthday and more. By default, those user profiles are accessible to Google’s search engine. Once the bot creates a fake customer account, the spammer can check its security rights, and if it doesn’t have a “write ability”, the bot will leave the site. Unfortunately, the bot does not clean up the mess it created in your database before taking off.

What Defines A “Registration-Bot”?

Spambots are automated computer programs that have been specifically built to find sign-up form code on websites, blogs, forums, etc., in an effort to submit fake information. Web hosts and site managers like you and me have responded by creating different parameters that bots cannot bypass. However, bot authors have found ways to evade these programs and/or counteract these strategies.

How to Distinguish Between Real & Fake Accounts

It’s fairly simple to recognize SpamBots and RegistrationBots amongst other customers in your Shopify. For one, there is often a void of information (i.e. Shipping address, Phone Number, etc.) since they didn’t complete the full check-out process. Second, there is usually a commonality or “formula” in the domain they choose. In 2019, I’ve noticed a lot of .ru email domains being used as Russian bot authors crank up their prototypes. If the information isn’t missing, you’ll find weird number strings or repeating names (i.e. MarkmarkMarky). Last, there is no transaction or real abandoned shopping cart attached to their account.

How Fake Subscribers Hurt Your Business

Skewed analytics on your Shopify store (Abandoned Checking Cart and other performance metrics)

Skewed analytics within your email marketing

Assuming you are using a syncing plugin like “ShopSync”, you are importing fake subscribers, therefore causing your list to grow and your subscription tier to increase.

If the email used to spam you is fake or belongs to someone else, it could backfire when your automation workflow is triggered. If upon registration MailChimp automatically sends an email to a bad address or someone who did not register, you’ll look like a Spammer. If your MailChimp begins sending emails to non-existent Gmail accounts (as an example), Gmail may choose to automatically throw all future emails into the spam folder. This would, in turn, hurt your actual Gmail users.

How MailChimp Fights Off Spammers

The quickest way to streamline your database is through the use of MailChimp’s embedded forms. According to MailChimp’s response to Fake Signups, their team has taken several measures to protect their embedded sign up forms. MailChimp also seems to have considered the manual effort it would take to individually unsubscribe/delete contacts from Audiences and has in turn offered a way to easily bulk-delete contacts. Here are a few ways MailChimp is helping to keep your database safe:

You Can Enable reCAPTCHA

One of the most problematic areas of fighting off Spambots is figuring out how to do so without harming your real users’ current customer journey. ReCAPTCHA is a tool that forces potential subscribers or “account holders” to check a protected box in order to complete the signup process. If the bot cannot detect the box, it cannot be synced to your list. ReCAPTCHA acts as a terrific first line of defense, and I highly recommend enabling it on the Audience name and defaults page.

MailChimp Throttles New Signups

One of the reasons spambots exist is to distract the victim from knowing they’ve been hacked, by flooding their inbox with emails. An abuser, or “hacker”, may sign up for a bunch of new “newsletters” or “email lists” in hopes the victim will be overwhelmed. That being said, MailChimp can detect when the same email address is added to multiple “Audiences” in a short period of time and in turn, block it from being added to other audiences for 24 hours (just an example). This action is called throttling and has proven somewhat effective against SpamBots.
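The throttling rule described above, sketched as an added example (this is not MailChimp's implementation). The window length and audience limit are hypothetical values; the 24-hour block is the figure the text uses as its example, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60        # "short period of time": hypothetical value
MAX_AUDIENCES = 3               # hypothetical limit on distinct audiences per window
BLOCK_SECONDS = 24 * 60 * 60    # the 24-hour block used as the example in the text

class SignupThrottle:
    def __init__(self):
        self.recent = defaultdict(deque)   # email -> deque of (timestamp, audience)
        self.blocked_until = {}            # email -> time at which the block lifts

    def allow(self, email: str, audience: str, now: float) -> bool:
        key = email.strip().lower()        # Victim@Example.com == victim@example.com
        if self.blocked_until.get(key, 0) > now:
            return False
        events = self.recent[key]
        while events and now - events[0][0] > WINDOW_SECONDS:
            events.popleft()               # forget signups older than the window
        audiences = {aud for _, aud in events} | {audience}
        if len(audiences) > MAX_AUDIENCES:
            self.blocked_until[key] = now + BLOCK_SECONDS
            events.clear()
            return False
        events.append((now, audience))
        return True

def replay(events):
    """Run (time, email, audience) events through a fresh throttle."""
    throttle = SignupThrottle()
    return [throttle.allow(email, aud, t) for t, email, aud in events]

# Constructed sample: one address pushed onto four lists within 90 seconds.
SAMPLE = [
    (0, "victim@example.com", "store-a"),
    (30, "victim@example.com", "store-b"),
    (60, "Victim@Example.com", "store-c"),
    (90, "victim@example.com", "store-d"),      # 4th audience in window: blocked
    (95, "shopper@example.com", "store-a"),     # unrelated address is unaffected
    (3600, "victim@example.com", "store-a"),    # still inside the 24-hour block
    (86491, "victim@example.com", "store-a"),   # block has expired
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```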

Honeypot Fields Have Been Added

A honeypot field is a fake field that isn’t visible to the human eye (thanks to languages like CSS or JavaScript which hide the field). The reason honeypot fields are great is because they don’t complicate the user journey for real customers like a ReCAPTCHA might. However, spambot authors have since doubled down on efforts and some have found a way to add code that can detect honeypot fields (especially fields that are always the same). There are some ways to still trick spambots using smarter honeypots; however, it is advisable to combine all methods to counter spambots.
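One way to build a “smarter” honeypot on the server side, as an added example that is not MailChimp's or Shopify's code: the decoy field name is derived per page view so it is not always the same, and a minimum fill time (an assumption that goes beyond the text) is checked with it. SECRET_KEY, MIN_FILL_SECONDS and the contact_ prefix are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # hypothetical per-deployment secret, server-side only
MIN_FILL_SECONDS = 2                   # hypothetical: humans rarely submit faster than this

def _sign(message: str) -> str:
    return hmac.new(SECRET_KEY, message.encode(), hashlib.sha256).hexdigest()

def honeypot_name(form_token: str) -> str:
    """Derive the decoy field name from the token, so it differs on every render."""
    return "contact_" + _sign("hp:" + form_token)[:10]

def render_form(now=None) -> dict:
    """Return what the template needs: a signed token and the decoy field name."""
    now = time.time() if now is None else now
    body = f"{secrets.token_hex(8)}.{int(now)}"
    token = f"{body}.{_sign(body)}"
    return {"form_token": token, "honeypot": honeypot_name(token)}

def check_submission(fields: dict, now=None) -> str:
    """Classify a POSTed form as 'accept' or 'reject:<reason>'."""
    now = time.time() if now is None else now
    token = fields.get("form_token", "")
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return "reject:bad-token"
    nonce, issued, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(f"{nonce}.{issued}").encode()):
        return "reject:bad-token"
    # A browser submits the hidden field empty; a filled or missing decoy fails.
    if fields.get(honeypot_name(token)) != "":
        return "reject:honeypot"
    if now - int(issued) < MIN_FILL_SECONDS:
        return "reject:too-fast"
    return "accept"

if __name__ == "__main__":
    form = render_form(now=1000)
    human = {"form_token": form["form_token"], "email": "a@example.com", form["honeypot"]: ""}
    print(check_submission(human, now=1010))   # accept
```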

How to Clean Audiences & Delete Spam Signups

Now that you have an understanding of how to prevent future spam signups, you’re probably wondering how you’re going to manually clean up the mess of not having security measures up in the first place. If you’re suffering from the same pain point as many marketers, your MailChimp and ecommerce integration has been dissolved because of the LemonStand acquisition and your shitty data is now being communicated across all of your channels. This means two things:

As mentioned above, your analytics are now skewed across the board.

You have no way of bulk-deleting spam contacts across all platforms.

MailChimp already makes it difficult to manually delete contacts. To clean this mess up, I would have to go into Shopify, copy the address of the “potential spambot”, and paste it into MailChimp to find it, delete it and then confirm I want to delete it by manually typing in the words “PERMANENTLY DELETE” into MailChimp. Luckily, if you’ve caught this disaster early on, and you see a sudden increase of spam signups around a certain time, MailChimp has created a workaround for deleting spam signups. Here is the segment MailChimp recommends you use in order to delete RegistrationBots:

Create a segment (Segmentation is a tool that can filter contacts within your database based on field data, preferences, transactional activity and more). If you are unsure of how to create a multi-part segment in MailChimp, you can read about them here.

Set the Contacts match drop-down menu to all.

For condition #1, set the drop-down menu to Date added | is after | a specific date | and choose a date.

For condition #2, set the drop-down menu to Signup Source | source was | Hosted Signup Form.

Click Preview Segment to see who meets the criteria.

Most of the time, Registration Bots will use similar email addresses, or formulas that can aid you in recognizing fake contacts. One I’ve come across often is an email with the domain (.ru). These spambots seem to bypass ReCAPTCHA and honeypot fields (Russian Bots, YAY). Another common domain used by spambots is Gmail, which as mentioned above can be exceptionally harmful. I can easily tell which Gmail Users are Spambots since there is no transactional data, and no email activity. From this view, I can mass delete SpamBots and ultimately keep my email list clean and clear of potential Spammers. I also located an article that walks you through the creation of a “Bot Scrub Automation Flow”, which essentially automates what we’ve just done and runs it on a regular basis.
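The signals listed under “How to Distinguish Between Real & Fake Accounts” and in the paragraph above can be combined into a score over a customer export. This is an added example, not a Shopify or MailChimp feature; the column names, the threshold of three signals and the sample rows are all constructed assumptions.

```python
import csv
import io
import re

SUSPECT_TLDS = {"ru"}   # the TLD the post reports seeing; tune per store

def repeated_name(name: str) -> bool:
    """True for names like 'MarkmarkMarky': a 4+ letter chunk repeated back to back."""
    return re.search(r"([a-z]{4,})\1", name.lower()) is not None

def score(row: dict) -> list:
    """Return the signals from the post that this customer row trips."""
    signals = []
    if not row["address1"].strip() and not row["phone"].strip():
        signals.append("no-address-or-phone")
    if int(row["total_orders"] or 0) == 0 and int(row["abandoned_carts"] or 0) == 0:
        signals.append("no-orders-or-carts")
    if int(row["emails_opened"] or 0) == 0:
        signals.append("no-email-activity")
    tld = row["email"].rsplit("@", 1)[-1].rsplit(".", 1)[-1].lower()
    if tld in SUSPECT_TLDS:
        signals.append("suspect-tld")
    name = row["first_name"] + row["last_name"]
    if repeated_name(name) or re.search(r"\d{4,}", name):
        signals.append("odd-name")
    return signals

def flag_accounts(csv_text: str, threshold: int = 3) -> dict:
    """Map email -> signals for rows tripping at least `threshold` signals."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        signals = score(row)
        if len(signals) >= threshold:   # one signal alone is too weak to act on
            flagged[row["email"]] = signals
    return flagged

# Constructed sample export (hypothetical column names, made-up customers)
SAMPLE = """first_name,last_name,email,phone,address1,total_orders,abandoned_carts,emails_opened
Dana,Reyes,dana@example.com,555-0100,12 Oak St,2,0,5
Mark,markMarky,mm8841@example.ru,,,0,0,0
Lee,Chan,sample.lee.chan@gmail.com,,,0,0,0
Priya,Nair,priya@example.org,,,0,1,0
X93847,Q,sample.q93847@gmail.com,,,0,0,0
"""

if __name__ == "__main__":
    for email, signals in flag_accounts(SAMPLE).items():
        print(email, signals)
```

The output is a review list to check against the MailChimp segment before bulk-deleting, since a new but genuine customer can trip the same three "empty account" signals.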

A Shopify App Remedy for SpamBots

When I first started doing research on this topic, I wasn’t able to find a whole lot. Mostly because I didn’t have the right terminology. However, in discussing this pain point with past clients and other marketers, I was able to find an App that I am currently trialing on a client site. The App available through the Shopify Platform is called “Shop Protector” and comes with a 14-day free trial. After downloading the app, Shop Protector walks you through a really simple set-up that involves creating or connecting a “Human Presence™” account. From there it takes a digital audit of your website to see what forms are currently unprotected. It then enters a few lines of code into your liquid templates and lets you know which forms it has protected. I will pair this with the existing security measures of MailChimp, and with a new arsenal of segment remedies to filter out the bad apples that get through.