Postmatic

Why we ask a user to confirm their subscription with the word ‘agree’

WordPress has been known now and again to be a target for spammers. Most of it is in the form of comment spam. There is an entire army of plugins available to make sure bots can’t spam your comments area with their unsavory bits. It’s a cat and mouse game that, if you are on top of it, you can easily win. Posting a spam comment to the front-end of a WordPress site can be made nearly impossible. We even have a guide if you need some help.

But what about where we are now? In the new world of commenting by email?

Enter Postmatic. Now there is a brand new way to post a comment to your site – by email. Email. Home turf of spammers everywhere. The origin of it all. Where spamming began. The capital city of Spammopolis! We’ve created a convenient back door, and it has been our challenge since day one to be sure it is securely locked. We’ve probably spent more time thinking about, planning for, and building defenses against spam than on any other part of designing and building Postmatic. It’s huge.

Just imagine this scenario.

You run a WordPress blog with 3,000 subscribers. Postmatic emails your post to 3,000 inboxes, and in the footer of each email is an invitation to leave a comment just by hitting reply (thereby subscribing to future comments as well) or at least subscribe to comments by replying ‘subscribe’. And let’s say this is a particularly interesting post. Five hundred people subscribe to the comments from either web or email. Ninety-nine people send a reply. And then one spambot sends in a reply and blasts a viagra ad to them all. Directly into 599 inboxes. And you can’t take it back. Email is forever. Ouch. This makes you look bad. It makes us look bad. It makes WordPress look bad. And it makes your subscribers run for the hills.

This is why we make subscribing to your site just a little bit harder than it needs to be.

When someone subscribes to your site or comments on a post they have to opt in. That’s a no-brainer. We send them an email with an overview of how it all works and prompt them to confirm their subscription by replying with the word agree. We don’t give them a convenient link because bots know how to click links. They’ve been doing it for years: a confirmation link is a single HTTP request that an address-harvesting bot, or even a well-meaning link-scanning mail gateway, can follow without anyone ever reading the message, whereas composing a reply that contains a specific word requires something that actually read the email.

This method keeps the bots out, and because users are already trained to reply with a word, we can do something even cooler in the future: let the site admin define a question which the subscriber has to answer correctly. A fixed word like agree can eventually be hard-coded into a bot; a question that differs from site to site cannot. It is not a guarantee (a human operator, or a bot tuned to one particular site, can still answer it), but it raises the cost of automated sign-ups well above what comment spam is worth.

For example, the subscription confirmation email on a Vermont-based blog might say: “In order to confirm your subscription, please answer the following question: what is Vermont’s sweetest export?” The answer, of course, would be maple or maple syrup.
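Here is what the check on the inbound reply has to get right, for both the fixed word agree and an admin-defined question. This is an added example written for this page, not Postmatic’s own code (the plugin is PHP; this is Python so it can be run stand-alone). The prompt wording, the addresses, and the quote-stripping heuristics are assumptions made for the illustration. The point it makes is that a naive “does the body contain agree” test is wrong twice over: the quoted confirmation prompt itself contains the word, and so does “disagree”.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed for this example: the prompt a confirmation email might carry.
# Postmatic's real wording is not reproduced here.
CONFIRM_PROMPT = "Thanks for subscribing! To confirm, reply with the word agree."

QUOTED_LINE = re.compile(r"^\s*>")                    # "> quoted original"
REPLY_HEADER = re.compile(r"^On .+ wrote:\s*$")       # Gmail/Apple Mail attribution line
STOP_LINES = [
    re.compile(r"^--\s?$"),                           # RFC 3676 signature separator "-- "
    re.compile(r"^-+\s*Original Message\s*-+\s*$"),   # Outlook quotes the original unprefixed below this
]


def plain_text(raw: bytes) -> str:
    """Extract the text/plain body of an inbound reply (HTML-only mail yields '')."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def subscriber_lines(body: str) -> list[str]:
    """Keep only the lines the subscriber typed: drop quoted text and the
    attribution line, and stop at a signature or an Outlook-style quoted block."""
    lines = []
    for line in body.splitlines():
        if any(p.match(line) for p in STOP_LINES):
            break
        if QUOTED_LINE.match(line) or REPLY_HEADER.match(line):
            continue
        if line.strip():
            lines.append(line.strip())
    return lines


def normalize(answer: str) -> str:
    """Case-fold, strip punctuation and collapse whitespace: 'Maple  Syrup!' -> 'maple syrup'."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", "", answer.lower()).split())


def confirms(raw: bytes, accepted=("agree",)) -> bool:
    """True only if a line the subscriber wrote is, in full, one of the accepted answers.
    Pass the admin-defined answers as `accepted` for the question-based variant."""
    answers = {normalize(a) for a in accepted}
    return any(normalize(line) in answers for line in subscriber_lines(plain_text(raw)))


def naive_confirms(raw: bytes) -> bool:
    """The check NOT to write: a substring test over the whole body. It is
    satisfied by the quoted prompt itself and by words like 'disagree'."""
    return "agree" in plain_text(raw).lower()


def build_reply(typed: str, bottom_post: bool = False) -> bytes:
    """Construct a reply the way a mail client would, with the original prompt quoted.
    Addresses and dates are made up for the example."""
    quoted = "\n".join("> " + line for line in CONFIRM_PROMPT.splitlines())
    attribution = f"On Mon, 1 Jun 2015, Example Blog wrote:\n{quoted}"
    body = f"{attribution}\n\n{typed}\n" if bottom_post else f"{typed}\n\n{attribution}\n"
    msg = EmailMessage()
    msg["From"] = "reader@example.com"
    msg["To"] = "comments@example.com"
    msg["Subject"] = "Re: Please confirm your subscription"
    msg.set_content(body)
    return msg.as_bytes()


if __name__ == "__main__":
    cases = [("Agree", ("agree",)), ("", ("agree",)), ("I disagree", ("agree",)),
             ("Maple syrup!", ("maple", "maple syrup"))]
    for typed, accepted in cases:
        raw = build_reply(typed)
        print(f"{typed!r:16} naive={naive_confirms(raw)!s:5} strict={confirms(raw, accepted)}")
```

Two things to notice. The strict check matches a whole typed line, so a quoted prompt, a signature, or a sentence that merely contains the word never counts. And the quote-stripping is the fragile part: the patterns above cover the common Gmail, Apple Mail and Outlook layouts and both top- and bottom-posted replies, but an HTML-only reply comes back empty and is rejected until you add an HTML-to-text step, and a client with an unusual attribution line would need its own pattern.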

These options put us in a good place to keep bots from ever becoming email-based subscribers to our customers’ sites. We’ve sent millions of emails on behalf of WordPress sites both high and low profile. And so far?

Not a single spam message.