Silverpop - Defend Your Database Against the Bad-Address Bots
It appears you are using an older version of your browser. This site was developed to be progressive and future-compatible. Please take a minute to upgrade your browser for an optimal experience.
Skip to content
  • Subscribe:

Defend Your Database Against the Bad-Address Bots

blog post thumbnail image
by: Loren McDonald (@LorenMcDonald)
04 March 2014

Your database is your most precious email asset. A regular stream of valid, active addresses is the lifeblood of a vital, revenue-driving email marketing program.

Keeping bad addresses out of your database is just as crucial as adding good ones. Bad addresses can result from accidents (a customer fat-fingers a wrong email address on a smartphone) or deliberate attempts to defraud your company using bogus or valueless email addresses.

Bots, which scavenge the Internet for anything with value, are the most serious problem. You've probably seen their impact within minutes of posting a discount coupon, sweepstakes entry or free download in exchange for an email opt-in. You get thousands of hits in a short time, but it's not high-five time yet.

Enter the Bot

Much of your traffic probably comes from bots, which can flood your database with addresses that, while technically deliverable, have no value because they don't belong to customers or human subscribers.

Websites that do nothing to stop bad addresses from reaching the database are the most vulnerable to bot attacks. Double opt-in and other credential-checking programs were supposed to stop malformed or bogus email addresses, but only a minority of marketers uses them (estimates range from 3 percent to 21 percent for double opt-in according to industry surveys), and they are far from foolproof.

The answer, according to list-hygiene experts, is to keep the bad addresses out without making opt-in more difficult for your legitimate subscribers. The good news for marketers is that this has become much easier in recent years thanks to automated validation and verification services that can correct mistakes and block bot traffic in real time.

I'll cover the basics of the problem in this blog post. In my follow-up, I'll go into detail about what you can do to defend against automated attacks and human error. (Read: "10 Steps to Keep Bad Addresses Out of Your Database.")

Diagnosing the Problem

Regular list-hygiene services can scrub malformed addresses (misspellings, improperly formed addresses such as those missing an "@" sign, etc.) and well as "role" accounts which, while technically deliverable, usually belong to a job rather than a person.

But what about email addresses that look authentic, accept email and yet record no activity?

If they come from just one or two domains, chances are good they are bot addresses. High inactivity coupled with high deliverability can be an indicator, especially if you post lots of high-value coupons or downloads on your website and do little or no address confirmation or verification.

As I noted above, you can get thousands of hits on a juicy offer at your website, but without bot-blocking services, you could waste thousands of dollars on ghost addresses. Thousands or even millions of bogus and bot-generated addresses also dilute your database's quality if you aren't removing undeliverable addresses regularly.

"Bots are created to do something that generates value," says Matt McKee, founding partner of BriteVerify. "They're usually associated with linkspam in blog comments to generate a lift in search rankings, but in the case of retailers, they are looking to scoop up high-value coupons and other offers."

Companies that create these automated programs often remarket those offers on "supercoupon" sites, eBay, Craigslist and similar sites, says Austin Bliss, president and co-founder of FreshAddress.

Are You at Risk?

"Bad addresses are always going to make their way through Web forms, especially now that more forms are being presented through a mobile device with a virtual keyboard," says McKee. "The most common non-fraud invalid email entry is simply because somebody fat-fingered the email address, creating an invalid record."

"We see an average invalid rate at point of collection of 6.7 percent," says Craig Swerdloff, CEO/co-founder of LeadSpend. "That number goes up to 8.6 percent when people are filling out forms on mobile devices."

Retail email marketers who use aggressive acquisition tactics without sufficient safeguards against invalid records are most at risk. If you do any of the following in exchange for an email address, you're susceptible:

  • High-dollar-value or percentage discounts
  • Sweepstakes and giveaways
  • High-value downloads
  • Other freebies and similar promotions

… Especially if your opt-in process looks like this:

  • Only one or two required fields in an opt-in form
  • No address validation before opt-in
  • No confirmation email or onboarding program

Each scenario on its own makes you open to bad addresses, but if you have multiple conditions, it's time to check your delivery reports and get ready to act.

Prevention: What Works, What Doesn't?

Below is a list of opt-in techniques with varying degrees of success in keeping out bad email addresses:

1. Confirmed opt-in

How it works: A thank-you email is sent with a prominent unsubscribe link. If the email bounces or the recipient unsubscribes, the address is removed.

Advantage/disadvantage: An undelivered confirmation email keeps out the associated address (misspelled, incorrectly formatted or faked) but not bot addresses or impersonations. However, a confirmation page can be effective on mobile screens if it shows the address and includes an edit function to correct mistakes.

2. Double opt-in

How it works: The customer submits an email address but must click a link in a confirmation email or reply in order to subscribe successfully.

Advantage/disadvantage: Can keep out malformed and bot addresses but also reduces legitimate subscriber rates. Double opt-in confirmation rates can range from a high of about 80 percent to a low of 20 percent. Also, some coupon resellers hire people to fake-confirm addresses (same for CAPTCHA, below).

3. Double entry

How it works: The email registration form requires subscribers to fill in their addresses twice before processing the request.

Advantage/disadvantage: The system can detect misspellings, which the user can correct on the spot. But people can circumvent it by copying the address in the first form and pasting it in the second. Bots also can be programmed to fill in both address fields.

4. CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart")

How it works: Users must type a code, do a simple math problem or otherwise prove they are human before having their addresses accepted.

Advantages/disadvantages: High frustration level, especially for people who can't view the codes or are trying to complete them on smartphone screens. Some CAPTCHAs can be formatted to show only if the system detects potential abuse.

5. Real-time correction

How it works: The system matches the typed domain against legitimate domains and asks the user to correct a potential misspelling before processing the opt-in.

Advantage/disadvantage: It can keep out accidental or deliberate misspellings, but unless it also cross-references a database of genuine domain names, it won't protect against common impersonations like ""

6. Real-time validation/verification

How it works: The system asks to correct apparent misspellings but also checks its database for legitimate domains and impersonations and can detect bot abuse.

Advantage/disadvantage: The system can pass through anyone with an apparently legitimate request while barring or putting up additional requirements for suspicious-looking requests.

Although several of the solutions listed above can effectively block malformed email addresses and some bot traffic, they have one big disadvantage: They treat everyone the same, whether they are legitimate subscribers or bots and fraudsters. That reduces the number of good email addresses flowing into your database.

What's the solution? I cover that in my next blog post, "10 Steps to Keep Bad Email Addresses Out of Your Database," and share more insights from our list-hygiene experts: Matt McKee of BriteVerify, Austin Bliss of FreshAddress and Craig Swerdloff of LeadSpend. (All three companies are technology partners with Silverpop.)

In the meantime, if you have questions or comments, put them in the comments field below and I'll do my best to get answers quickly.

Related Resources:

1) White Paper: “List Hygiene Guide

2) Blog: “5 Tips for Spring-Cleaning Your Database

3) Blog: “Email Marketing ‘Best’ Practices: A Modern Framework


Sign up Now!

Subscribe to IBM Marketing Cloud's Digital Marketer Newsletter!

Popular Categories

Top 5 Posts


To give you the best experience, this website uses cookies.

Continuing to use this website means that you consent to our using cookies. You can change your cookie settings in your browser at any time.
Find out more here or by clicking the Cookie Policy link at the bottom of this page.