Six years ago I started distributing my blog as a newsletter, using the free tier of MailChimp. It’s a set-and-forget thing; I point MailChimp at the RSS feed for whatever blogging service I’m using at the moment (currently Micro.blog) and MailChimp bundles up the new updates and sends them out daily. Folks can sign up using a form hosted by MailChimp; I link to it from my websites, Twitter, and Facebook.
Subscriptions steadily crept up through the years and by February 2021 I had 2,500 subscribers.
However, many of those signups were spammers. It was obvious from the format of the addresses. They look like this – long URLs in the “first name” field of the signup form.
Some of the names are just random characters.
Or slogans like this:
Still, the newsletter showed a 30+% open rate – about a third of my subscribers were opening the emails, indicating that they were actual human subscribers.
I was pleased – hundreds of people read my blog and enjoy it.
Or do they?
Recently I noticed that MailChimp had missed a day or two sending the newsletter, and when I had a few moments, I investigated. I discovered I’d gotten a spurt of spam signups – several hundred in the span of 24-48 hours. The spam signups had pushed my subscriber count above 2,000, which is the threshold over which you have to pay MailChimp.
Time to delete the spammers. I went through my subscriber list and started identifying spammers by eye.
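A first-pass triage of the name-field patterns described above (URLs, random character strings, slogans), as an added example that is not part of the original post. The CSV column names, the 40-character cut-off and the consonant-run and digit rules are assumptions; flagged rows are candidates for manual review, not proof of a bot.

```python
import csv
import io
import re

# Constructed sample export. Column names are assumptions, not MailChimp's schema.
SAMPLE_CSV = """\
email,first_name
alice@example.com,Alice
bot1@example.net,Get rich now https://spam.example/offer?id=123
bot2@example.org,xkqzvbnmtrw
bob@example.com,Bob
bot3@example.net,www.cheap-pills.example
bot4@example.org,Qx7Rt9Lp2Z
bot5@example.net,Best deals on watches click the link in our profile today
"""

MAX_NAME_LEN = 40  # assumed cut-off; real first names are rarely this long
URL_RE = re.compile(r"https?://|www\.|\b[\w-]+\.[a-z]{2,}/", re.I)
# Five or more consonants in a row ("y" counted as a vowel) is rare in real names.
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.I)
# A letter directly next to a digit, e.g. "x7" or "9L".
DIGIT_MIX_RE = re.compile(r"[a-z]\d|\d[a-z]", re.I)


def classify(first_name):
    """Return the reasons a name field looks bot-filled (empty list = looks fine)."""
    name = first_name.strip()
    reasons = []
    if URL_RE.search(name):
        reasons.append("url")
    if len(name) > MAX_NAME_LEN:
        reasons.append("overlong")
    # Skip the randomness check for URLs: "https" alone is a five-consonant run.
    if "url" not in reasons and (
        CONSONANT_RUN_RE.search(name) or DIGIT_MIX_RE.search(name)
    ):
        reasons.append("random")
    return reasons


def flag_signups(csv_text):
    """Map each suspicious subscriber email to the reasons it was flagged."""
    rows = csv.DictReader(io.StringIO(csv_text))
    scored = ((row["email"], classify(row["first_name"])) for row in rows)
    return {email: reasons for email, reasons in scored if reasons}


if __name__ == "__main__":
    for email, reasons in flag_signups(SAMPLE_CSV).items():
        print(email, ",".join(reasons))
```
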
MailChimp does NOT make it easy to delete email addresses from your list. They want you to “archive” the addresses instead. Even that is not a simple process. You have to create a “segment” – a subset of your mailing list subscribers – and then archive selected addresses within that subset.
And the archived addresses still show up in your overall list of people who have ever given you their mailing address; MailChimp calls that an “audience.” I have yet to figure out a way to just make those spammers disappear.
When I’d finally archived all the likely spam addresses, I was left with 27 subscribers.
Not 2,500. Not hundreds. Twenty-nine. Less than three dozen.
And one of those subscribers is me; I subscribe to my own newsletter just to be sure it looks OK when it goes out.
So, 26 people are reading my newsletter. Maybe. If I haven’t missed some bots. And if they even bother to read it.
It’s possible the newsletter only has four actual subscribers; I recognize the names of four people I know.
This was only a little bit surprising. I rarely received email responses on the newsletter – once every couple of years. If hundreds of people were reading it, I’d have expected more activity.
I’m fine with 20 people reading my newsletter. Or four. If they enjoy it. Though I’m thinking of switching to just sending the newsletter out manually. MailChimp is a complicated email marketing platform, with questionable privacy practices. It’s not designed for a guy who’s just sending out article links and childish memes for his own enjoyment and the enjoyment of others.
The big mystery
Which leads me to a question that’s been bugging me for some time:
Why are spammers signing up for my newsletter?
Spammers SEND email. It’s what spammers do. Spammers do not sign up for email.
I’ve done some research on the web and come up with the following possible explanations.
1) It’s camouflage for an attack
Dina Bekerman wrote in 2016 on the imperva.com blog how he started getting hundreds of mailing list messages every day. An attacker had signed him up for hundreds of mailing lists. Here’s the article: How Registration Bots Concealed the Hacking of My Amazon Account.
Looking closely at the inbox, he saw a few Amazon confirmation messages mixed in. Someone had hacked his Amazon account to have stuff delivered, and was using the bogus newsletter messages as a smokescreen, hoping that Bekerman wouldn’t notice the evidence of criminal activity in the noise.
In this scenario, I’m not the target of the attack. It’s some other poor shmo – or shmos; this is probably a mass attack – whose email accounts are being flooded by mailing lists they did not sign up for.
2) It’s a denial-of-service attack.
Email costs money to send.
But who is the target of the attack here? It would gratify my ego in some small way if it were me. But I am just not badass enough to justify that kind of campaign. Wish I were, but I’m not. And I’m on a free MailChimp tier anyway. I’m not paying money to send the newsletter.
And if I was the target of an attack, the attackers would tell me. Probably anonymously. Where’s the fun of attacking someone if they don’t even know they’ve been attacked?
3) Spammers are stupid.
Maybe they think they’re doing something smart, but they’re not.
4) Spammers are smart, but spambots are stupid.
The spambots are possibly entering the preprogrammed names and URLs into any open field they can find on the Web, in the hopes of boosting their search engine mojo.
I’m not convinced by any of these theories
None of these theories feel right to me, or have supporting evidence.
A writer named Mathias Jakobsen has had a similar experience, on a different email provider. He doesn’t have answers either.
MailChimp has this advice to give on fake signups. It doesn’t do anything to address the question of why.
I’m flummoxed. Why are spammers signing up for my mailing list?
Why was MailChimp reporting an open rate around 30+%, when nearly all my subscribers are bots? This suggests that MailChimp’s performance statistics are unreliable.