Increased spam signups via embedded forms

[jeffpaul]

Is your enhancement related to a problem? Please describe.

Several users have reported a significant increase in spam signups through Mailchimp embedded forms. These fake signups are causing issues such as:

• Distorted subscriber metrics.
• Unnecessary charges for spam accounts.
• Difficulty identifying and removing bot accounts.

Key Observations:

1. Many fake signups have nonsense email addresses (e.g., oecgw0y6z@gmail.com), but some appear normal, making it challenging to identify them.
2. Some bot signups bypass Double Opt-In and appear as "Subscribed," while others are flagged as "Unsubscribed" or "Cleaned."
3. Spam signups often lack certain custom field inputs (e.g., radio buttons), which can act as a temporary filter to identify them, but this is not a universal solution.

User Reports:

• Report 1:

  Experiencing a huge increase in spam signups, some of which are flagged as "Subscribed." This inflates audience metrics and incurs additional charges. Cleaning them manually is tedious. A suggested solution is to add a nonce or hidden field to block bots effectively.

• Report 2:

  Fake signups continue to bypass existing protections, despite enabling Double Opt-In and reCAPTCHA in Mailchimp audience settings. Looking for additional measures to mitigate this issue.

• Report 3:

  Spam signups are a recurring issue, and protecting audience quotas from being filled with spam should be a priority.

Some user reports via https://wordpress.org/support/topic/huge-increase-in-spam-signups-any-solution/, but another came direct via email. We'll want to credit folks on that dotorg issue as well as @ethanclevenger91 on any resulting changelog reference.

Proposed Enhancements:

1. Spam Prevention:
   • Add a nonce or other hidden fields to the embedded form to block bots.
   • Improve compatibility with Mailchimp’s reCAPTCHA feature to ensure it’s fully effective.
2. Form Flexibility:
   • Allow block-by-block customization for the new block, including:
     • Selecting specific audiences/lists.
     • Adding groups or tags to form submissions.
     • Improved styling options aligned with core Gutenberg patterns.
3. Integration Philosophy:
   • Align plugin updates with WordPress core and Gutenberg design principles. Avoid over-opinionated theming systems that conflict with theme.json configurations, ensuring seamless integration.

We'll likely want to chat through potential handling here with colleagues at Mailchimp to ensure we're not overriding or duplicating anything that happens on the platform side there. So probably best to gather our approach for handling within the plugin and then review with the Mailchimp team before implementing anything.

Designs

No response

Describe alternatives you've considered

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[jerclarke]

Thank you for assembling this Jeff. As the first commenter on the forum thread, I'll point out that I also have Double-opt-in and recaptcha turned on in the MC settings, which makes it even stranger that so many of these fake signups are marked as "Subscribed" in MC. Is it possible someone is actually automating all these signups to "click" the links in the email and confirm? It seems unfathomable but not impossible given how easy automation is becoming.

I've been keeping track of how many of these signups are in our system and it's kind of breathtaking.

Our form for reference:

There's two main categories I've identified:

• "No frequency but subscribed" These are marked as subscribed, but because they didn't choose an option from the groups radio field, they are obviously not real people (the field is populated by default via. JS, so this implies the automation system doesn't finish rendering JS before submitting). Since Nov 11 there have been 1,767 of these, so 883/month.
• "Unsubscribed+Announcements These are unsubscribed and have the "Announcements" option for groups radio field. The combination means they are very low stakes to remove, which is good. The Announcements option actually shouldn't be possible to select on the form though, which is another strange detail that points to relatively dumb automation. Since Nov 11 there have been 3,643 of these, so 1,821/month.

So it seems to me there are two different systems hammering us with slightly different properties, most specifically that the first manages to get subscribed while the second just submits the form.

IMO it's very possible that the second "Unsubscribed" group is simply comment spammers submitting every form they can find. The first group seems to be targeting MC forms, or else it's getting very lucky to end up subscribed.

P.S. The thing with our "Announcements" option is we no longer want new users to subscribe with it, but we want to keep existing users in the groups system of MC, so we use CSS to hide that option. I just realized that at some point the CSS stopped working fully, so these numbers are based on a weird scenario where the actual radio button for Announcements is hidden, but the label is visible and can be clicked, so I guess the bot "clicks" that label...

P.P.S. I hope someone at MC can take a look on their end to help explain how these are happening. Our account, which is clearly summoning enough fake signups for them to check at any moment and see some, is under the account name globalvoicesonline and the audience is called Global Voices.

[jeffpaul]

Noting that this was just brought up via a WP.org Review:

Unfortunately, the lists are full of spam with the update! Very bad.