Shopify Spam Customer Accounts with Real Email Addresses

New Member
2 0 8

Hi, I have a Shopify website and in the past week or so, I've been inundated with over 100 fake customer accounts that have gibberish names with no locations, but attached to real people's email addresses. I've even received an email from a person saying, "I never signed up for email marketing from you, please remove me from this list." So now my site looks like I'm the one who's spamming people. When in reality, it's a bot with people's real email addresses, creating fake accounts without their knowledge and the Shopify site is sending them email marketing confirmation emails. 

 

This has been going on for a week now. I am wondering what I can do to stop this. Any help would be much appreciated. 

5 Likes
Shopify Staff
Shopify Staff
225 20 46

Hi, @mrbriandev!

 

Julie, here from Shopify Support.

 

It can definitely be frustrating to deal with bot signups. While Shopify’s newsletter signup forms are designed to have a Captcha appear after a user has signed up using the same IP address more than once in a 24 hour period, this doesn’t always protect against bot signups. 

 

There are a couple of ways around this, however. One thing you could do is install an app like Zero Spam Contact Form, which uses Google’s reCAPTCHA tool. Compared to traditional captcha, reCAPTCHA uses the "I'm not a robot" checkbox on every single signup, a process many users know from other websites. 

 

If you'd prefer not to use an app, there is another popular method called Honeypot Trap technique. The basic idea behind the Honeypot Trap is that you can actually code a blank space into your contact form, hidden from normal users. The bots will automatically fill out this field, assuming it's part of your form. Then, you can track which signups in your Customers section are bots. From there, you can either block their IPs using an app like Traffic Guard, or you can follow this guide on how to filter bot signups out of your customer email list using email automation flows. While this guide is relevant to Mailchimp users, you can typically achieve this following similar steps in any other email marketing platform

 

The best part about the Honeypot Trap technique is that you are not forcing customers to click or fill out forms to distinguish themselves from bots. Instead, you are actively using code to trap bots and then blocking them entirely. There are multiple resources on how to implement this you can find online. Here is a great guide on Honeypot Trap. If you’d like help coding this in, you can always reach out to a Shopify Expert for assistance.

 

I hope this helps! If you have any further questions, feel free to respond here.

Julie | Social Care @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Click Accept as Solution 

3 Likes
Highlighted
Tourist
8 0 16

I am having the same problem.  I do not believe it is in the contact form, but rather in the new account setup.  I do not receive contact form notifications, and the account just appears in my customer list with name fields filled with random letters, but a legitimate looking email.  I have received around 50 in the past two weeks. 

 

Shopify tech support - I believe this to be a newish problem given the dates on the community issues.  Please look into how we can fix the problem.  Thank you. 

4 Likes
Shopify Staff
Shopify Staff
225 20 46

Hi, @JRCoburn.

 

Unfortunately, spambots are pretty common in the e-commerce space and something we have been seeing for quite some time. While they most commonly occur through newsletter signup forms, spambots have also been known to create customer accounts, which is likely why you are seeing an increasing amount of spam signups. 

 

I managed to come across an app called Shop Protector, which analyzes your store traffic in real-time to protect against fake account creations and newsletter signup, automatically preventing bots from filling out these forms. I recommend taking a look at this app and giving it a try; it has some great reviews and should drastically reduce the number of spambot signups you're receiving.

 

I'd also be happy to look into a few other options for you. How do customers typically sign up for accounts on your website? Do they simply use a "create an account" link built into your theme, or do you have an app that handles this? If you're not using an app, which theme are you using? 

Julie | Social Care @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Click Accept as Solution 

1 Like
New Member
2 0 7

Not useful, spam bots bypass the form and re-captcha is not a solution, a spam bot can bypass the form. 

We're sitting on 12-15 spam registrations per hour, with a Re-Captcha functioning.  Most of these spammers are concerned only with creating a  confirmation email to go to their targets.  They build a target list for identity theft, they then seek an onslaught of spam emails going to the target.  They want to generate an onslaught of spam to their targets  so as they try to steal from those targets, notifications from banks or credit cards are caught up in that spam and ignored.  The way to eliminate the effectiveness of this type of spam is to allow us to disable account setup notification emails - but Shopify won't do that.  So we get the same lame responses from Shopify, year, after year, after year. 

Forum comments and questions on this issue go back to 2016 and Shopify provides the same lame responses.

7 Likes
Excursionist
17 0 26

I just had a flurry of spam account signups today. The only reason I noticed was that I received an out of office reply from one of them. This is something shopify needs to address, not an app. The shopify IP's for the emails will start to be flagged as spam by the email providers. Here is an example of the spam names

 

bweyRhmNM nyAwGBqMJokVY
0 orders
$0.00 spent

EfnwVSYarZ SousEyQznPOgGYD
0 orders
$0.00 spent

clwnSVoZDrLqO HmhKoBqtbwTcQsLa
0 orders
$0.00 spent

xrmsCLNZVtbQ dOGEaoUgZV
0 orders
$0.00 spent

AkYOtjsK NVIlLYKDCp
0 orders
$0.00 spent

Fine Art Landscapes - Sawusch Photography - USScenics.com
10 Likes
New Member
2 0 0

I've also just discovered this after receiving an email from someone that has detected that my website is vulnerable to 'clickjacking' which I've just spent the last 2 hours trying to figure out.  I did a test 'create an account' on my store and after pushing 'submit' was asked to 'confirm my email address by clicking on the link sent to your email' which is not a normal request from my website.  I tried creating another account and this time got the usual 'gotcha' request...

What the heck?!  

0 Likes
New Member
2 0 5

asdasd.JPGI have had this same issue! The Shopify support team assure me that it is external but I am worried that their has been an internal breach.... Hoping by disabling the account sign up on the homepage and password protecting the store for a few days will solve the problem although time will tell. Very scary though. 

5 Likes
Tourist
9 0 14

I've been having the same problem for about 2 weeks. It's roughly 10-20 accounts that are created per day. The issue, of course, is that the email addressees receive a confirmation from my store, so it looks like I'm the bad guy. This is really frustrating. Is it possible to require that people enter a physical address to create their account?

5 Likes
Excursionist
13 0 42

I'm getting this exact same problem.  Has anyone heard anything from Shopify as to whether they're going to implement a solution to this? I wouldn't have thought it seem like great PR if all these Shopify stores are being hijacked and spamming thousands of people every day!

3 Likes