Engineering Update — Sept 23, 2016

ConvertKit
Work in Public by Kit
Sep 23, 2016

Hey :) Two quick things I want to talk about today: CAPTCHAs and performance.

CAPTCHAs

A few weeks back, there was a dramatic increase in a specific type of spam attack called subscription bombing. In brief, it works like this:

A bot grabs hold of an email address (an innocent one like david@convertkit.com) and launches an attack on it specifically by subscribing it to as many subscription lists as it possibly can. The victims here are then plagued by an onslaught of hundreds or thousands of emails into their inbox at a rate they can’t unsubscribe from fast enough.

The kicker here is that since the mailing lists are legitimate with good open rates and user engagement, these messages won’t get routed to the spam folder. Like other kinds of mail, they get dropped right where you’d want them if you’d intentionally signed up for that list.

It’s a mean attack. What I hate most about it is that it puts all of us in a position where we’re unintentionally responsible for flooding some poor soul’s inbox.

As a result, this has put us in a place that we’d prefer not to be: we now have to be a little bit more aggressive about making sure that humans, and only humans, are subscribing themselves to our users’ lists. While we are also working to improve the knowledge our machines have of malicious behavior and how to stomp on it, we had to make some changes fast. And one of those is the CAPTCHA.

How CAPTCHAs affect you and your subscribers

For your subscribers, the effects are pretty minimal. Based on the algorithms we use to determine when to display it, most of them will never see the CAPTCHA at all. They’ll go through the process just like they always have, with no inhibitions. A normal subscriber looks nothing like a robot to our system.

However, when you’re setting up a form on your website for the first time, you very well might see the CAPTCHA. This is alarming to many of our customers because they believe that all their subscribers are seeing this, but be assured that they aren’t. I’m not going to share specifics of how we determine when to display the CAPTCHA screen, but I’ll say that there are enough commonalities between bots and customers setting up forms that you’re likely to get asked to verify your humanity.

I think we all have a love/hate relationship with CAPTCHAs. They can be a little arduous, hard to read, and anxiety-producing. But the improvements in the technology lately have helped reduce the strain on humans, and they’re a sensible, reliable way to protect your lists.
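One way to show a CAPTCHA only on signup patterns that resemble subscription bombing, so that ordinary subscribers never see it, as an added example: this is not ConvertKit's code or its actual rules, which the post does not disclose. The class, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# All thresholds are assumed values for illustration, not ConvertKit's.
WINDOW_SECONDS = 600        # look-back window
MAX_FORMS_PER_EMAIL = 3     # distinct forms one address may join per window
MAX_EMAILS_PER_SOURCE = 5   # distinct addresses one client may submit per window


class SignupGate:
    """Decide, per signup attempt, whether to require a CAPTCHA first."""

    def __init__(self):
        self._by_email = defaultdict(deque)    # email -> (ts, form_id) entries
        self._by_source = defaultdict(deque)   # source IP -> (ts, email) entries

    @staticmethod
    def _distinct_in_window(window, now, value):
        # Record this attempt, expire old entries, count distinct values left.
        window.append((now, value))
        while window[0][0] <= now - WINDOW_SECONDS:
            window.popleft()
        return len({v for _, v in window})

    def needs_captcha(self, ts, source_ip, email, form_id):
        # Events must arrive in timestamp order.
        email = email.strip().lower()
        forms = self._distinct_in_window(self._by_email[email], ts, form_id)
        emails = self._distinct_in_window(self._by_source[source_ip], ts, email)
        return forms > MAX_FORMS_PER_EMAIL or emails > MAX_EMAILS_PER_SOURCE


def replay(events):
    """Run (ts, source_ip, email, form_id) events through a fresh gate."""
    gate = SignupGate()
    return [gate.needs_captcha(*event) for event in events]


# Constructed sample data (documentation IP ranges, example.* domains).
ORDINARY = [(1000, "198.51.100.7", "reader@example.org", "form-1")]
# One address signed up to six different forms within seconds.
BOMBING = [(2000 + i, "203.0.113.9", "Victim@example.com", f"form-{i}")
           for i in range(6)]
# The same address joining a fourth form only after the window has passed.
SLOW = [(t, "198.51.100.8", "fan@example.net", f)
        for t, f in ((0, "a"), (1, "b"), (2, "c"), (700, "d"))]

if __name__ == "__main__":
    for name, events in (("ordinary", ORDINARY), ("bombing", BOMBING), ("slow", SLOW)):
        print(name, replay(events))
```

Under these assumed rules, a single client submitting many different addresses to one form in a short time trips the per-source limit as well.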

Performance

I wanted to give a quick shout-out to my engineers on application performance. The strides we’ve made in the past few weeks have been incredible, and I’m excited at our momentum as we continue to squash as many performance issues as we can.

To illustrate the positive trend, though, take a look at these two graphs. The first is illustrating response time over the past three days:

[Graph: response time over the past three days]

Compared with the same timeframe, two weeks ago:

[Graph: response time over the same timeframe, two weeks ago]

Dramatic! They’re barely even on similar scales. I’m super proud of this team.

If you have questions, the customer success team and engineering team are ready for you. Email us any time at help@convertkit.com.
