The email abuse technique called "list bombing" or "email bomb" has become more frequent over the last couple of years.
Any brand that collects email addresses with web forms is vulnerable to list bombing. This type of attack can harm your deliverability and can lead to the following:
- spam complaints
- junk folder placement or a block by mailbox providers
- being completely blocked by email service providers
This article describes how the attack works, why it happens and what can be done to protect your brand.
What is a list bombing attack?
List bombing is an automated attack submitting a legitimate email address multiple times into subscription forms across hundreds or thousands of websites at the same time. It floods the victim's address with emails, making the mailbox unusable.
What happens during an attack?
The following symptoms can help you to detect an attack:
- An unexpected and significant increase of subscription requests or new subscribers
For example, if you usually have up to 200 new subscribers daily and suddenly there are more than 2000 subscriptions per day, this can be a sign of an attack.
- A sudden change of audience
For example, if your business is based in Germany and your list consists mostly of European mailboxes, but you suddenly start receiving subscription requests from out-of-the-ordinary locations, this might be a cause for suspicion.
- Multiple requests from the same IP
For example, a user that submits numerous requests for different (or the same) mailboxes might be a bot.
- A sharp increase in complaints or bounces
This is a good indicator that something is going wrong.
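The volume, repeated-IP and repeated-address symptoms above expressed as checks over a signup log, as an added Python example that is not code from the article; the log format (timestamp, address and IP per line), the sample entries and the thresholds are constructed assumptions.

```python
from collections import Counter
from statistics import mean

# Constructed sample signup log (not from the article): one "timestamp email ip"
# line per form submission. Three quiet days, then a burst from a single source.
SIGNUP_LOG = """\
2024-03-01T09:12 anna@example.de 203.0.113.10
2024-03-02T10:05 marie@example.fr 203.0.113.12
2024-03-03T11:47 lukas@example.de 203.0.113.13
2024-03-04T02:00 victim@example.com 198.51.100.7
2024-03-04T02:00 victim@example.com 198.51.100.7
2024-03-04T02:01 victim@example.com 198.51.100.7
2024-03-04T02:01 victim@example.com 198.51.100.7
2024-03-04T02:02 target@example.net 198.51.100.7
2024-03-04T02:03 another@example.org 198.51.100.7
2024-03-04T02:03 another@example.org 198.51.100.7
"""

def parse_log(text):
    """Return (day, email, ip) tuples; day is the date part of the timestamp."""
    records = []
    for line in text.splitlines():
        stamp, email, ip = line.split()
        records.append((stamp[:10], email.lower(), ip))
    return records

def volume_spikes(records, factor=5.0):
    """Days whose signup count exceeds `factor` times the mean of all earlier days.
    The article's example (200/day normally, 2000/day under attack) is a tenfold
    jump; a lower factor catches smaller bursts at the cost of more false alarms."""
    per_day = Counter(day for day, _, _ in records)
    days = sorted(per_day)
    spikes = []
    for i in range(1, len(days)):
        baseline = mean(per_day[d] for d in days[:i])
        if per_day[days[i]] > factor * baseline:
            spikes.append(days[i])
    return spikes

def repeated_sources(records, max_per_ip=3):
    """IPs that submitted the form more than `max_per_ip` times."""
    per_ip = Counter(ip for _, _, ip in records)
    return {ip: n for ip, n in per_ip.items() if n > max_per_ip}

def repeated_values(records, max_per_email=1):
    """Addresses submitted more than `max_per_email` times: the list-bombing signature."""
    per_email = Counter(email for _, email, _ in records)
    return {email: n for email, n in per_email.items() if n > max_per_email}
```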
You can find real examples of Subscription Bombs in this Spamhaus article.
Why does it happen?
There are a few possible reasons for a list bombing attack:
- It is used to divert the victim's attention from important notifications. For example, among thousands of unsolicited emails there could be hidden password recovery attempts, unrequested bank transactions or online purchases, and other important alerts. In such cases, the attack is used as a distraction from a hacking attempt.
- A person can do it for fun, to annoy someone, for revenge, or for other malicious reasons.
- It can also be used to distribute spam. If the web form collects names or surnames, these fields can be filled with spam texts and phishing websites, which are later used in the personalization of your emails, such as Double Opt-In (DOI) emails, welcome emails and even marketing campaigns (in the absence of Double Opt-In).
Why does it happen to you?
In recent years, ISPs have learnt to effectively combat simple attacks, but spam is still evolving.
Sending emails from unknown IPs and random domains does not work anymore. Thus, spammers seek an opportunity to use a legitimate email infrastructure with a well-established reputation.
Malicious scripts scour the web in search of unprotected websites (without CAPTCHA and Double Opt-In solutions) with forms to exploit. Subscription forms usually trigger transactional emails, which have a better reputation and may bypass suppression and subscription filters. They may also be sent with higher priority and have the best deliverability. This means that this type of attack has a higher chance of landing in the inbox. It is hard to differentiate a legitimate DOI email from an unsolicited one, so the attack may go on for days from the same source.
How does it affect you?
In fact, there are three victims of a list-bombing attack:
- The recipient - the affected mailbox becomes unusable or the recipient mail server is overloaded
- The sender - high spam or bounce rates lead to sender reputation damage. It can lead to blocks from Spamhaus (or other public blocklists), meaning emails are delivered poorly or not at all, or to legal complications due to the non-legitimate way of newsletter opt-in (i.e. contacts end up in your database without their knowledge and should not receive newsletters)
- The email service provider - it can lead to blocklisting of sender IPs or even whole IP ranges, which also impacts your ESP's ability to send emails for other customers
Even though the sender is not the initiator of the email bomb, mailbox providers will hold the sender and the email service provider partially responsible, since they were unable to protect their infrastructure and thereby became participants in the attack. To protect their network and reputation, email service providers may have to take preventative action against accounts being subjected to an attack.
How do you prevent it?
Essential preventative solutions
- CAPTCHA or reCAPTCHA
CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used to determine whether the user is human or not. CAPTCHA asks users to identify distorted letters or numbers. Such tests help to filter out bot activity.
reCAPTCHA is a verification system owned by Google which uses behavioral analysis to detect whether the user is a human or a bot. Learn more in Google's documentation.
Use CAPTCHA or reCAPTCHA as a part of a form submission process to protect your brand from a bot attack.
- Double Opt-In (DOI)
DOI will not protect your forms from being abused, but it will help you to protect your list hygiene. This typically means that only a single email (the confirmation request) can reach an address submitted by a bot. A Double Opt-In process sends an email with a confirmation link. Once the recipient clicks the link, you can verify that this is not a bot and subscribe the contact to your newsletter.
The absence of a DOI allows adding bad addresses directly to your subscription list, damaging the integrity of your database and making it hard to identify the abused contacts. In some cases, victims of list bombing attacks may receive unsolicited marketing campaigns years after the attack.
Optional preventative solutions
- IP/value limitation and time validation
Limit the ability to submit multiple requests from the same IP. Remember that bots often change IP addresses, so this is not bulletproof protection.
For list bombing attacks, it also makes sense to limit how often the same value (the same mailbox) can be submitted.
Another metric you can use is the time the user spends filling in the form. It will take a human up to a minute to fill out a couple of fields, while a bot can do it in one second.
- "Honeypot" method
The honeypot method adds a special field to the form that is hidden in the HTML, so that it is not visible to a human but is seen by a bot parsing the markup. If this field is filled in, the request came from a bot and should be rejected.
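The optional measures above (per-IP and per-address limits, fill-time validation and the honeypot field) combined in one form guard, as an added Python example that is not code from the article; the field names `email`, `website_url` and `rendered_at`, the limits and the sliding-window length are assumptions.

```python
import time
from collections import defaultdict, deque

# Added example, not code from the article. The field names ("email", "website_url",
# "rendered_at"), the limits and the window length are assumptions; tune them to your traffic.
HONEYPOT_FIELD = "website_url"  # hidden with CSS; a human never fills it, a bot parsing the HTML does
MIN_FILL_SECONDS = 3            # the article: a human takes seconds to a minute, a bot about 1 second
MAX_PER_IP = 5                  # submissions allowed per IP within the window
MAX_PER_EMAIL = 2               # submissions of the same address within the window
WINDOW_SECONDS = 3600


class SignupGuard:
    """Sliding-window limiter plus timing and honeypot checks for a subscription form."""

    def __init__(self):
        self._by_ip = defaultdict(deque)
        self._by_email = defaultdict(deque)

    def _count_recent(self, hits, now):
        while hits and hits[0] <= now - WINDOW_SECONDS:
            hits.popleft()  # drop submissions that fell out of the window
        return len(hits)

    def check(self, form, client_ip, now=None):
        """Return (accepted, reason) for one submission; `form` is the posted field dict."""
        now = time.time() if now is None else now
        if form.get(HONEYPOT_FIELD):
            return False, "honeypot filled"
        try:
            elapsed = now - float(form.get("rendered_at", ""))
        except ValueError:
            return False, "missing render timestamp"
        if elapsed < MIN_FILL_SECONDS:
            return False, "submitted too fast"
        email = form.get("email", "").strip().lower()
        if "@" not in email:
            return False, "invalid email"
        if self._count_recent(self._by_ip[client_ip], now) >= MAX_PER_IP:
            return False, "too many requests from this IP"
        if self._count_recent(self._by_email[email], now) >= MAX_PER_EMAIL:
            return False, "address submitted too often"
        self._by_ip[client_ip].append(now)
        self._by_email[email].append(now)
        return True, "ok"
```

The `rendered_at` value is stamped into the form by the page that served it and should be signed (for example with an HMAC) in production so a bot cannot backdate it. Because bots rotate IPs, as the article notes, the per-address limit and the honeypot matter at least as much as the IP limit.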
What should you do if you are abused?
Do not panic; start troubleshooting.
- Identify which web form is abused and the time frame of the attack. List bombing might have been going on in the background for days or even weeks.
- Take the form offline and implement the described measures.
- Set the form back online and continue monitoring it.
- Identify the contacts which were added to your list by bots and remove them or block them.
Here are some simple steps to achieve this:
- Filter for users that were created around the time of the list bombing
- Look for users with similar names, similar email domains, or signed up from the same IPs
- Once you have pinpointed the common denominator, remove all the users that share it
List bombing may damage your brand and sender reputation, inbox placement and the deliverability of your emails. Fortunately, there are simple steps that will help to protect your website or stop an ongoing attack. Be prepared and do not let anyone involve you in a cyber-attack!