HACKER Q&A
📣 lai-yin

What is this user doing?


Between Nov 20 and Dec 14, someone with the IP address 34.66.115.47 has submitted 16 requests to join my email newsletter on my website form with nonsense email accounts like mphtnarrwqrs@gmail.com and qrzqoiakkubp@gmail.com. In one instance they used a real email address, so I have their name and know the company they work for (which is in my industry and we actually have mutual colleagues). What could this person possibly be doing with all these weird form submissions? I have a very basic, static website, do no A/B testing, and haven't made any updates to it in months. What do you think?


  👤 junon Accepted Answer ✓
Welcome to public-facing application security :) Any number of reasons, potentially more than one at once:

1. Being a dick / bored / ...

2. Pen-testing you for some reason.

3. Trying to inflate your signup numbers for some reason.

4. Trying to see how many users you have (see other comment)

5. Testing their own fake email system for something

6. Trying to increase your costs

7. Demonstrating something for someone else not realizing it's production

8. Pure, unadulterated incompetence

9. Something else malicious


👤 keyle
So in terms of 16 requests, that's nothing. Something actually malicious would be thousands.

Either this person is setting up to do something malicious and hasn't even started, or they're more likely studying your sign up process, struggling with it, and have a short memory so they did it many times over 15 days.

The fact is, having an open form on the internet is like having an open invite to come shit in your toilets.

Since this person is within your industry, I'd just poke them and ask. That will most likely make them stop. The fact that they use their own IP address and used a real email address means to me that this person is non-malicious.

Plus point for sending them a report of their own activity, real time as they submit it, to their email address.


👤 krono
Send an email to the proper looking address and ask them what's up with all the different sign-ups. Check in to see if they're experiencing technical problems or something that you can help with.

Also report back here because now we're curious too ;)


👤 mtmail
Does your newsletter have a "Welcome user number 1234"? or similar, like a number in the URL? Ages ago I used a similar approach to gain data on growth of a website. They would increase a number in the URL for every (shopping) checkout session, easy way to figure out if there was growth or not.

👤 natoliniak
He/she is developing something similar to what you are exposing and is reverse engineering the behavior for quick solutions/shortcuts. Or is learning how form submissions work.

Not that I haven't done anything like that, ever :)


👤 Flankk
That's really strange. Only thing I can think of is the person is using multiple throwaway email accounts to join your newsletter. They are then marking all your messages as spam in an attempt to get your email blacklisted. Hopefully someone has a less malicious explanation.

👤 27182818284
Given how many times my real email is used incorrectly to sign up for everything from nursing courses in Florida to Golf Sundays in Michigan, I would no longer trust that "real email" address to be tied to the real person without more information.

👤 Uhhrrr
Benign explanation: for whatever reason, they're not getting the newsletters so they're trying to subscribe again using a throwaway.

👤 erdos4d
I agree with another comment here that this is likely them signing up with throwaway emails and trying to get you blacklisted by putting all your messages to spam. In the off chance that they are somewhat more sophisticated, I would try to log these requests and look for SQL injection attacks. It's possible that these bogus signups are an artifact of them doing something more malicious.
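
Added example, not part of the thread or any poster's comment: one way to review logged signup submissions per source IP, flagging repeated gibberish addresses and SQL metacharacters in the email field. The record layout, the thresholds and both heuristics are assumptions, and every sample record other than the IP and the two gibberish addresses quoted in the question is constructed.

```python
import re
from collections import defaultdict

# Constructed sample log of (source IP, submitted email). Only 34.66.115.47 and
# the two gibberish addresses come from the question; the rest is made up.
SIGNUPS = [
    ("34.66.115.47", "mphtnarrwqrs@gmail.com"),
    ("34.66.115.47", "qrzqoiakkubp@gmail.com"),
    ("34.66.115.47", "jane.doe@example.com"),
    ("198.51.100.7", "sam.lee@example.org"),
    ("203.0.113.9", "x' OR '1'='1@example.net"),
]

VOWELS = set("aeiouy")
# Characters and keywords that have no business in a newsletter email field.
SQL_MARKERS = re.compile(r"['\";]|--|/\*|\b(?:union|select|sleep)\b", re.I)


def looks_random(email):
    """Heuristic (assumption): long, letters-only local part with a run of
    four or more consonants reads as keyboard-mash rather than a name."""
    local = email.split("@", 1)[0].lower()
    if len(local) < 10 or not local.isalpha():
        return False
    run = longest = 0
    for ch in local:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def has_sql_markers(value):
    return bool(SQL_MARKERS.search(value))


def triage(records, min_random=2):
    """Group submissions by IP; keep IPs with repeated gibberish or any SQL marker."""
    by_ip = defaultdict(lambda: {"total": 0, "random": [], "sql": []})
    for ip, email in records:
        entry = by_ip[ip]
        entry["total"] += 1
        if looks_random(email):
            entry["random"].append(email)
        if has_sql_markers(email):
            entry["sql"].append(email)
    return {ip: e for ip, e in by_ip.items()
            if len(e["random"]) >= min_random or e["sql"]}


if __name__ == "__main__":
    for ip, entry in triage(SIGNUPS).items():
        print(ip, entry)
```

Both checks are coarse: a legitimate address containing an apostrophe or an unusual surname will trip them, so treat the output as a list to read, not a block list.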

👤 gkoberger
The IP address 34.66.115.47 points to Google Cloud. I think there's a possibility the real address is legitimate and it's just a coincidence? Or maybe they're using a Tor-like service that "covers their tracks" by sending randomized data?

If you don't see any obvious reason for malice, I think you should email them and ask!


👤 jvilalta
Once they get your newsletter you will receive an email asking about your privacy practices.

👤 A_Duck
Probably competitor analysis of your newsletter signup flow

👤 muzani
I did something like this to someone once. I wanted to see if their camera worked in our in-app browser (it didn't). It was part of a loan application process. I tried fixing the bug a few times and didn't work each time.

I actually gave my real details the first time but didn't submit the form, so someone tried calling me about 20 times before I picked up and was confused when I said I wasn't interested.


👤 MattGaiser
See if your newsletter leaks emails? Many do.

👤 gaws
> In one instance they used a real email address, so I have their name and know the company they work for (which is in my industry and we actually have mutual colleagues).

So what will you do with this information?


👤 toomuchtodo
As someone else mentioned, this is coming from Google Cloud IP address space. You might consider blocking that net block or silent discarding signup attempts from it.

35.238.4.0/22 (AS15169)


👤 new_guy
Are you sure your newsletter is actually getting sent out?

It sounds like they're not receiving it, so signing up with junk emails to check.


👤 huetius
That sounds like they’re writing a script of some kind and testing as they write it. Who knows what their motives are.

👤 whalesalad
“If you build it, they will come.”

👤 koziserek
Fishing for new hires. ;]