This opens up for an interesting discussion.
We experienced the very same issue in the past for a few customers, and
enabling a captcha was the only viable option.
The "bots" (don't really know actually) managed to complete a COI
process with several free accounts.

IP ranges were different, some on CBL, some not, but blocking a listed IP
in a COI process can be dangerous.
For the very same reason I'd rule out e-hawk and the like.
The vast majority of the addresses were listed on cleantalk.org.

The hidden link in the confirmation email (an HTML comment would work
better than a "white-on-white tiny font" from a
deliverability perspective), in my opinion, is the way to go.
Even if it can be very tricky to implement, we are seriously
considering it to prevent bot clicks across the board.

HTH

Alberto Miscia | MailUp | Head of Deliverability & Compliance


2016-05-26 15:05 GMT+02:00 Vick Khera <vi...@khera.org>:
>
> On Wed, May 25, 2016 at 6:04 PM, Al Iverson <aiver...@spamresource.com>
> wrote:
>>
>> I've heard John Levine propose the "hidden link to catch scanning
>> robots" solution but I've never heard of an email system implementing
>
>
> I'm running through my head how that would work, and makes for some very
> complicated state transition diagrams to go from "signup requested" to
> "confirmed". What if they scan in parallel and the timing works out they
> poked them in the opposite order, etc. I see a few new states and many
> transitions, and some timeout based events. Not pretty.
>
>>
>> it. Similarly, senders have often suggested that spamtrap systems
>> shouldn't follow links. (Security systems, sure, but don't do that
>> with spamtrap addresses.) And today I heard it suggested that it would
>> be wiser to have COI have a second click (probably an HTTP POST-based
>
>
> What if the confirmation email button itself was a POST form rather than
> just a GET to a page? Are scanning systems following POSTs too?
>
>>
>>
>> button) on the landing web page, to prevent security systems from
>> erroneously completing COI confirm steps. All good stuff, but it
>
>
> I don't think you're going to get much buy-in for requiring so many clicks
> to get activated. I know we already lose customers just for requiring COI.
> Making the COI be more work for the subscriber will just make people go
> elsewhere faster.
>
>>
>> doesn't sound as though any of it has been widely broadcasted as a
>> best practice or requirement.
>
>
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
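
One way to handle the ordering and timeout cases raised in this thread, as an added example that is not from any poster or from any product mentioned here: derive the signup state from a log of link hits, so it does not matter whether a scanner fetches the hidden link before or after the confirm link. The `Signup` class, the state names, the 300-second grace window and the 7-day token lifetime are assumptions made for illustration.

```python
from dataclasses import dataclass, field

GRACE = 300      # assumed: seconds around a confirm click in which a decoy hit taints it
TTL = 7 * 86400  # assumed: lifetime of the confirmation token, in seconds


@dataclass
class Signup:
    sent_at: float
    confirm_hits: list = field(default_factory=list)
    decoy_hits: list = field(default_factory=list)

    def record(self, kind, ts):
        """Log a GET on either link; arrival order does not matter."""
        (self.decoy_hits if kind == "decoy" else self.confirm_hits).append(ts)

    def state(self, now):
        """Compute the state from the hit log instead of mutating it per event."""
        deadline = self.sent_at + TTL
        # A confirm click is clean if it arrived before the token expired and
        # no decoy hit lies within GRACE seconds of it, before or after.
        clean = [c for c in self.confirm_hits
                 if c <= deadline
                 and not any(abs(c - d) <= GRACE for d in self.decoy_hits)]
        if any(c + GRACE <= now for c in clean):
            return "confirmed"   # grace window elapsed with no decoy hit
        if clean:
            return "held"        # clicked, still waiting out the grace window
        return "expired" if now > deadline else "pending"


if __name__ == "__main__":
    # Constructed timeline: a scanner fetches both links, the recipient clicks later.
    s = Signup(sent_at=0)
    s.record("confirm", 50)
    print(s.state(60))      # held
    s.record("decoy", 52)   # decoy arrives second: the earlier click is now tainted
    print(s.state(1000))    # pending
    s.record("confirm", 5000)
    print(s.state(5300))    # confirmed
```

A tainted click returns the signup to "pending" rather than rejecting it, so a recipient whose mail is scanned by a security system can still confirm by clicking later; the cost is that every confirmation is delayed by the grace window.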
