Fake signups: What to Do

Fake signups can occur on any website mostly due to "bots" which are automated by hackers. WordPress websites are often targeted by them. 

Steps to Prevent Fake Signups in MailPoet

1. Enable signup confirmation in your MailPoet > Settings > Signup Confirmation. This option is turned on by default. When using MailPoet Sending Service, signup confirmation is mandatory. MailPoet never sends any emails to unconfirmed subscribers;
2. Add a Captcha to your subscriptions forms directly in MailPoet;
3. If you enable sign-ups in the comments (MailPoet > Settings > Basics): enable Akismet or similar anti-spam for comments;

MailPoet's Bot Protection Mechanism on Its Forms

MailPoet implements preventive measures by default to prevent bots from subscribing to MailPoet's forms repeatedly. This is mitigate Email Bomb type of attacks which became popular in 2017.

When multiple signups occur quickly, MailPoet's forms enforce a delay in seconds between each signups using the same IP address. The message "You have to wait xxx seconds before you can sign up again." will be displayed.

The more signups occur, the longer the delay in seconds will be enforced. 

This option cannot be turned off.

Fake WordPress Users Signups 

The most common form of fake signups occurs in WordPress and not in MailPoet. Nefarious bots register as WordPress users which in turns adds these fake users to the default MailPoet list "WordPress Users".  

1. Check your WordPress users for any suspicious users, possibly with the same email addresses. Disable user registration in your ;
2. See in your WordPress Comments > Spam if the email addresses there match the signups in MailPoet;
3. Check in your database, with phpMyAdmin, if there are no hidden WordPress users (common hack);
4. Check in your database, in the table "..._mailpoet_email" if there are any suspicious email addresses.