by arp242 365 days ago
I used to run a mailing list for my blog. I've gotten some pretty hostile responses from people who were adamant they never subscribed to my mailing list.

I have no idea how this happened; I just coded a simple form with a basic Turing test ("please enter the number 9 here" works well enough for small sites). Did they forget they subscribed? Did someone else use their email? Did someone typo the email address? Bots? No way for me to know.


This is why double opt-in is best practice. They enter their email address, and you send them an email with a link they have to click to confirm sign-up. It makes it impossible for somebody to sign somebody else up.

Even with the best of intentions, somebody with the email address jim@example.com might inadvertently enter kim@example.com. You don’t want to lose Jim and you don’t want to spam Kim. So the outcome of entering an email address in a form should always be “now check your email to confirm”.

Just assume every form on the Internet is being constantly filled with leaked or stolen data.

I am pretty sure they (the pissed-off recipients) have never even visited your site. Their emails had been submitted by persistent fraud groups hammering every possible input 24/7 for their scam and spam ops. I observe such behavior on our apps and sites, even those that you would assume no one is even aware of.

Cloudflare’s Turnstile will help you block 90% of such threats, and the final solution is to double-confirm the subscription - this way you can be pretty sure subscribers are there willingly and have not been put in by crooks.

Nowadays, I would even ditch the email input and force "Subscribe with Google/Apple/xyz" via OAuth to completely mitigate this broken unauthorized newsletter subscription flow.
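The double opt-in flow that both replies recommend (enter address, receive a link, click to confirm), written out as an added example that is not code from the original post or from any commenter. It assumes a hypothetical confirmation endpoint `https://blog.example/confirm?t=`, a 48-hour link lifetime, and an in-memory store standing in for a database; sending the email itself is left as the one side effect the caller performs with the returned link. The point it makes concrete is that a form submission on its own never creates a subscriber: a typo (Jim typing kim@example.com) or a bot feeding a leaked list only produces pending records that expire, and only the person holding the inbox can turn one into a confirmed subscription.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy and endpoint for this example (not from the original thread).
TOKEN_TTL_SECONDS = 48 * 3600
CONFIRM_URL = "https://blog.example/confirm?t="


@dataclass
class PendingSignup:
    email: str
    expires_at: float


@dataclass
class SubscriptionStore:
    """In-memory stand-in for the database. Pending records are keyed by the
    SHA-256 of the token, so a leaked table does not let anyone confirm."""
    confirmed: set[str] = field(default_factory=set)
    pending: dict[str, PendingSignup] = field(default_factory=dict)


def normalize_email(email: str) -> str:
    # Simplification for the example: trim and lowercase the whole address.
    return email.strip().lower()


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_subscription(store: SubscriptionStore, email: str, now=None) -> str:
    """Step 1, the form submission. Never subscribes anyone; it records a
    pending signup and returns the link the caller would email to the address."""
    now = time.time() if now is None else now
    email = normalize_email(email)
    # Only the newest link for an address should work: drop older pending rows.
    for h in [h for h, p in store.pending.items() if p.email == email]:
        del store.pending[h]
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    store.pending[_hash_token(token)] = PendingSignup(email, now + TOKEN_TTL_SECONDS)
    return CONFIRM_URL + token


def form_response(store: SubscriptionStore, email: str, now=None) -> str:
    """What the HTTP handler shows. The message is identical whether or not the
    address is already subscribed, so the form reveals nothing about existing
    subscribers; a confirmation mail is only triggered for unknown addresses."""
    if normalize_email(email) not in store.confirmed:
        request_subscription(store, email, now)  # the link would be emailed here
    return "Now check your email to confirm your subscription."


def confirm(store: SubscriptionStore, token: str, now=None) -> bool:
    """Step 2, the recipient clicks the link. Only a known, unexpired, unused
    token turns a pending record into a confirmed subscription."""
    now = time.time() if now is None else now
    rec = store.pending.pop(_hash_token(token), None)  # pop: one-time use
    if rec is None or now > rec.expires_at:
        return False
    store.confirmed.add(rec.email)
    return True


def purge_expired(store: SubscriptionStore, now=None) -> int:
    """Housekeeping: returns how many stale pending rows were removed."""
    now = time.time() if now is None else now
    stale = [h for h, p in store.pending.items() if now > p.expires_at]
    for h in stale:
        del store.pending[h]
    return len(stale)


if __name__ == "__main__":
    store = SubscriptionStore()
    t0 = 1_000_000.0
    # Constructed scenario: Jim meant jim@example.com but typed Kim's address.
    request_subscription(store, "kim@example.com", now=t0)
    # A bot hammering the form with a leaked list produces more pending rows.
    for addr in ["victim1@example.net", "victim2@example.org"]:
        request_subscription(store, addr, now=t0)
    assert store.confirmed == set()  # nobody is subscribed yet
    # Jim retries with his own address and clicks the link from his inbox.
    link = request_subscription(store, " Jim@Example.com ", now=t0)
    token = link[len(CONFIRM_URL):]
    assert confirm(store, token, now=t0 + 60)
    assert store.confirmed == {"jim@example.com"}
    assert not confirm(store, token, now=t0 + 61)  # replay is rejected
    # Kim and the victims never click; their rows age out and are purged.
    assert purge_expired(store, now=t0 + TOKEN_TTL_SECONDS + 1) == 3
    print("double opt-in OK:", store.confirmed)
```

The confirmation token is random rather than derived from the address, so nothing about the subscriber is recoverable from the link, and the store only ever holds its hash. If the flow is moved to a real database, keep the three properties shown here: the form handler writes only to the pending table, `confirm` consumes the token in the same operation that reads it, and expiry is enforced on the confirm path, not just by a background job.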