
You're not a robot

Why Does Your FASO Newsletter Signup Have a CAPTCHA?

 

At FASO, we've recently enhanced security on our newsletter signup forms by adding a Google reCaptcha requirement.  

 

Unfortunately, malicious bot activity has increased exponentially over the past few years, and we've been forced to implement this countermeasure to ensure that only humans are signing up for your artist newsletter.

 

I know that some people feel that our security in this area is overkill. That complaint usually comes from seeing the harder, enhanced version of the reCaptcha form.

 

One important thing to keep in mind is that most of your site visitors will only see the simple version of the reCaptcha form which simply asks them to click "I'm not a robot."

 

 

Why do we need reCaptcha at all?

 

You might wonder why we need reCaptcha at all.

 

After all, every FASO newsletter list requires double opt-in. That means the visitor must verify themselves by clicking a link in the opt-in email before they are added to your newsletter lists. Isn't that enough?

 

It used to be enough, but unfortunately it no longer is. Incidentally, FASO isn't the only service requiring reCaptcha - many of the other services now require or strongly recommend reCaptcha. For example, we know Mailchimp requires it on Mailchimp hosted signup forms.

 

 

There are two main problems with leaving your newsletter forms unprotected:

 

1.  Damage to your reputation - imagine that a bot hits your newsletter form and signs up 50,000 fake email addresses, old email addresses, bad email addresses and spam traps to your newsletter. That means your website still sends out 50,000 opt-in emails to all these horrible and usually known-bad email addresses from your email address. That will result in a huge downgrade of the reputation of your email address, the IP address from which your emails are sent, and your domain, and, in some cases, could get you banned from our sending partners. This is not a hypothetical suggestion - we've actually seen this happen and had to scramble to fix the issue and protect our users' reputation as well as clean up and protect our database systems.

 

2.  Your newsletter being used by criminals - imagine that a bot goes around the web and signs up your email address for 10,000 newsletters. You log in to your email box to find it flooded with 10,000 newsletter signups that you don't want. What would you do? It would be hugely annoying, wouldn't it? So you bulk delete all those unwanted emails. But, because there are so many of them, you don't notice the password reset emails, the purchases at Amazon.com, and other emails - because your accounts have been hacked and the criminal flooded your inbox to hide his activity. Without protection on your newsletter signup form, it can be used to aid this criminal in hiding his activity.

 

 

Google reCaptcha is currently the best way to protect your site against the two spam/criminal scenarios described above.  
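To show where that protection sits relative to the double opt-in email, here is an added example (not FASO's code) of a signup handler that queues the opt-in email only after the visitor's reCaptcha token passes Google's server-side `siteverify` check. The names `handle_signup`, `outbox` and `expected_host` are hypothetical, and the secret key is a placeholder supplied by the caller.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def google_siteverify(secret, token, remote_ip=None):
    """POST the visitor's token to Google and return the parsed JSON verdict."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def handle_signup(email, token, remote_ip, *, secret, expected_host,
                  outbox, verify=google_siteverify):
    """Queue a double opt-in email only when the CAPTCHA token checks out.

    Returns (accepted, reason). `outbox` stands in for the mail queue
    (hypothetical); `verify` is injectable so the gate can be tested offline.
    """
    if not token:
        # A bot posting straight to the form endpoint sends no token at all.
        return False, "missing-captcha"
    try:
        result = verify(secret, token, remote_ip)
    except (OSError, ValueError):
        # Fail closed: if Google cannot be reached or the reply is not valid
        # JSON, send nothing rather than mail an unverified address.
        return False, "captcha-unavailable"
    if not result.get("success"):
        return False, "captcha-failed"
    if result.get("hostname") != expected_host:
        # The token was solved on a different site than this signup form.
        return False, "wrong-hostname"
    outbox.append(email)  # only now does an opt-in email leave the system
    return True, "opt-in-queued"
```

The check has to happen on the server before any mail is queued: the double opt-in email is itself the thing a bot is trying to trigger, so a checkbox that is only enforced in the browser protects nothing.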

 

 

About reCaptcha

 

We chose reCaptcha because it is the least annoying form of Captcha.  In fact, when Google launched it, they called it the "no Captcha Captcha".

 

reCaptcha uses a lot of information that Google collects to determine if a site visitor is likely to be a spammer or not.

 

The vast majority of site visitors are considered safe and normally see the following simple reCaptcha form:

 

 

 

When visitors see this form, all they have to do is click it and they are finished.  It's that simple.

 

Occasionally, for a number of reasons, Google may need to confirm the visitor is a human with a harder challenge.  That's when visitors will see something like the following:

 



 

 

What's Next?

 

Even with all the issues of unprotected signup forms, we don't actually like Captcha and are looking at additional ways to protect your newsletter signup forms. We are experimenting with some additional protections that, if they prove robust enough, will allow us to disable the reCaptcha and/or let you enable the alternatives as an optional add-on.

 

 

We'll keep you posted!

 

 

Sincerely,

 

 

Clint Watson

BoldBrush/FASO Founder & Art Fanatic

 

 

 

 

 

 

 

 

 
