Secure Your Sites Subscriber List – reCAPTCHA

It is extremely frustrating to be used by bots … BOTS of all things. Are you kidding me?! Now, I have to fight Artificial Intelligence! Not only is it a nuisance to constantly delete spam emails, but it is incredibly annoying when these emails are sent in large quantities, making it difficult to sort through legitimate emails. While not super technical, you can save yourself a headache and inconvenience through my experience.

Recently, I had a substantial increase in subscribers to my site. Not only was I excited, but I was also eager to see the new names that had joined. Unfortunately, that excitement was short-lived. I had allowed my site to be used as a tool to spam legitimate email accounts in part of an “email bomb.”

Email Bomb?

Email bombing is a type of cyber attack in which the attacker sends many emails to a specific email address or address to overwhelm the recipient’s email server and cause it to crash or become otherwise unusable. This is typically done by sending many emails in a short period or by sending emails with huge attachments that consume a lot of server resources.

The goal of an email bombing attack is to disrupt the normal functioning of an email system and cause inconvenience or disruption for the user. Email bombing can be carried out by individuals or groups with malicious intent and directed at individuals or organizations. These attacking groups can use bots to enlist legitimate sites using unprotected subscriber lists to unwittingly participate in this attack.

The good news is after finding out that I had been used as a tool in an email bombing campaign, I secured my list and deleted the illegitimate subscribers from my mailing lists. They were easy to identify as the only legable content was the email address; the other required fields were populated with gibberish, i.e., “fbbbbgesfdsfsda.”

Using WordPress Contact Form Plug-ins to help set up reCAPTCHA

Many companies like Sendinblue that manage subscriber lists and automated notification campaigns also offer a way to help protect these subscriber forms, even on their free tiers. In previous posts, I showed how to set up email distribution lists using Sendinblue. Sendinblue does this, like many other providers and plug-ins, through a captcha (Completely Automated Public Turing test to tell Computers and Humans Apart).

I chose to use an Invisible Captcha to minimize the inconvenience to users having to select anything on the screen or interact with the Captcha. Looking in the menu of the Sendinblue plug-in on my WordPress instance, you can clearly see options to add a Google Captcha. You will need to sign up for this via Google, but it’s free, and when you do, you will be provided with a Site Key and Secret Key to get started.

Sendinblue Pluging

Setting up Google reCaptcha Account

To sign up for a Google reCAPTCHA account, follow these steps:

  1. Go to the Google reCAPTCHA website at
  2. Click the “Get reCAPTCHA” button.
  3. If you already have a Google account, you can use it to sign in. If you don’t have a Google account, click the “Create account” button to create a new one.
  4. Follow the prompts to create a new Google account, if necessary.
  5. Once you’re signed in, you’ll be taken to the registration page for Google reCAPTCHA.
  6. Fill in the form with the necessary information, including the name of your website and the URL where you’ll be using reCAPTCHA.
  7. Select the type of reCAPTCHA you want to use (e.g., “reCAPTCHA v2” or “Invisible reCAPTCHA”) and agree to the terms of service.
  8. Click the “Register” button to complete the registration process.

After you’ve registered, you’ll be given a site key and a secret key, which you’ll need to integrate reCAPTCHA into your website.

google reCAPTCHA Settings

I am running v3 of reCAPTCHA (invisible). Google reCAPTCHA v3 is an invisible CAPTCHA designed to prevent automated bots and spam from interacting with a website. It works by analyzing the user’s behavior on the website and assigning a score that reflects the likelihood that the user is a human or a bot. This score is then used to determine whether or not to allow the user to access certain features or functions on the website.

With reCAPTCHA v3, there is no need for the user to click on a checkbox or solve a CAPTCHA challenge. Instead, the CAPTCHA runs in the background, and the user can interact with the website normally. The website can then use the reCAPTCHA score to decide whether or not to show a CAPTCHA challenge to the user or to allow the user to access certain features or functions.

Overall, reCAPTCHA v3 is designed to provide a more seamless and user-friendly experience while protecting the website from automated bots and spam.

Summing It Up

This is one of my most minor technical posts, but I wanted to share the experience I had being used as a tool in an email bombing campaign. I was upset about being used this way, and we all need preventative actions to avoid being easy targets. This did not cost me anything good or bad, but not taking action can lead to sites being flagged as suspicious or known malicious. I like being a resource and repo for projects I complete that help others. I don’t want to be another junk mail provider.

1 thought on “Secure Your Sites Subscriber List – reCAPTCHA

  1. Ezzy says:

    I’m sorry this happened to you! I know how frustrating that can be. Glad that you’re providing solutions to both big and small issues though! Gracias!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.