Email list bombing: How to protect your list
It’s been roughly a year since you started to really concentrate on growing your email list and every month since you’ve seen a steady growth of high single digits, low double digits. Not bad considering that you’re relatively new to the game and just starting to figure everything out.
Then suddenly out of the blue, you get an influx of new subscribers that leads to a monthly growth rate of over 2000%! Pretty good, right? It seems your efforts are finally being rewarded and things are moving in the right direction.
As you dive into the data to figure out which of your efforts on which channels are responsible for this amazing growth, you start to notice some irregularities.
It turns out that this amazing result is not thanks to anything that you’ve done specifically, but rather it’s a form of cyber attack that you got caught up in. These types of attacks, whereby a large number of email addresses are signed up to different lists without the owners’ consent, are known as list bombing. In this article, we’re going to get up-close and personal with it.
What is list bombing?
List bombing refers to the practice of abusing and attacking email list sign-up pages by bombarding them with a large number of new email addresses at the same time. For you, it looks like a spike in signups. In reality, it’s a cyber attack.
If there’s anything positive about it, it’s that with these kinds of attacks you’re more than likely not the one under attack, but rather you’re simply used as a vehicle to help out with one. It’s not very reassuring for sure, but at least you’re not the one under direct attack. That’s something at least.
The term “list bombing” came into relevance during the summer of 2016 when, without warning, a prominent anti-spam organization called Spamhaus started blacklisting an increasing amount of IP addresses of prominent email marketing software providers. What it meant for merchants was that they were unable to send out any campaigns as the provider of their marketing software was banned.
The reason that Spamhaus took this drastic step, blocking reputable software companies, was that a large number of government email addresses from different countries were being signed up to an increasing number of different email lists by an automated script or bot. This resulted in those email addresses receiving hundreds, if not thousands, of emails.
One company saw nine specific addresses signed up over 9,000 times over the course of two weeks, creating 81,000 confirmation emails. When an anti-spam organization is seeing these kinds of numbers coming from one provider, it’s clear that something is up. To protect its customers, Spamhaus effectively banned the “offending” providers.
And while it’s undoubtedly a big problem for merchants when their lists get attacked, having an email address that is used in an attack is no fun either as Brian Krebs, a cyber-security researcher, recently found out.
At its peak, these “subscription” emails came in at a rate of about one new message every 2-3 seconds. At that rate, whichever email service you use is basically useless. It created a DDoS-like effect and effectively shut down his inbox for an extended period of time.
The worst part? It’s very difficult to protect against these kinds of attacks, as the email lists being bombarded are genuine and the requests are coming from so many different sources at the same time.
Image via Krebs on Security
How to identify if you’re being list bombed?
Fortunately, there are a number of telltale signs that you can use to identify if you’re being used for list bombing. The first is the unexplained, sudden increase in new subscribers mentioned above. When that happens, immediately look at the data and try to identify repeating email addresses that signed up in quick succession to more than one of your lists (if you have more than one).
Another sign is in the IP addresses used: when the same one shows up over and over again, it’s safe to say that’s the attacker. You can block that IP and delete the email addresses signed up via that IP from your database.
One last thing to look out for is a large number of .gov or other more exotic top-level domains and email providers. If you usually get the bulk of sign-ups from Gmail or other well-known email service providers and suddenly you see a switch, that’s a clear sign that something is up.
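The three signs above can be checked mechanically against your sign-up records. The following is an added example (not code from the original article or from any particular marketing platform) that runs the checks over a small constructed sign-up log; the log format, the five-minute window, the IP threshold and the TLD baseline are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-up log (not real data): timestamp, list, email, source IP.
SIGNUP_LOG = """\
2016-08-15T10:00:01 newsletter alice@gmail.com 203.0.113.10
2016-08-15T10:00:05 newsletter press@agency.gov 198.51.100.7
2016-08-15T10:00:06 deals press@agency.gov 198.51.100.7
2016-08-15T10:00:07 blog press@agency.gov 198.51.100.7
2016-08-15T10:00:09 newsletter info@ministry.gov 198.51.100.7
2016-08-15T10:00:10 deals info@ministry.gov 198.51.100.7
2016-08-15T10:00:12 blog info@ministry.gov 198.51.100.7
2016-08-15T10:05:00 newsletter bob@yahoo.com 192.0.2.44
2016-08-15T11:20:00 deals carol@gmail.com 192.0.2.58
"""

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, list_name, email, ip = line.split()
        rows.append((datetime.fromisoformat(ts), list_name, email.lower(), ip))
    return rows

def repeat_signups(rows, window=timedelta(minutes=5), min_lists=2):
    """Sign 1: the same address hitting several lists within one short window."""
    by_email = defaultdict(list)
    for ts, list_name, email, _ in rows:
        by_email[email].append((ts, list_name))
    flagged = {}
    for email, events in by_email.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            lists = {name for t, name in events[i:] if t - ts <= window}
            if len(lists) >= min_lists:
                flagged[email] = sorted(lists)
                break
    return flagged

def noisy_ips(rows, threshold=5):
    """Sign 2: one source IP behind an unusual number of sign-ups."""
    counts = Counter(ip for _, _, _, ip in rows)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def tld_shift(rows, baseline, min_delta=0.2):
    """Sign 3: TLDs whose share of sign-ups jumped against the usual mix."""
    tlds = Counter(email.rsplit(".", 1)[-1] for _, _, email, _ in rows)
    total = sum(tlds.values())
    shares = {tld: n / total for tld, n in tlds.items()}
    return {tld: round(s - baseline.get(tld, 0.0), 2)
            for tld, s in shares.items() if s - baseline.get(tld, 0.0) >= min_delta}
```

Feed `tld_shift` the TLD mix from a normal month as the baseline; a large positive delta for .gov or an unfamiliar TLD is the switch the article describes.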
How to protect yourself
As far as protecting yourself against these kinds of attacks, there are a couple of things we strongly recommend that all list owners implement ASAP:
CAPTCHA On Sign-Up Forms
A CAPTCHA system, such as reCAPTCHA by Google, adds an extra layer of security by forcing users to solve a puzzle before they are subscribed. This prevents bots and other automated systems from being able to successfully subscribe.
Enable Double Opt-In
While having double opt-in enabled will not protect sign-up forms from abuse, it will allow you to be proactive in identifying real subscribers and determining which email addresses should be removed from your list. When someone is not confirming their email sign-up, don’t keep sending them confirmation emails! Two confirmation emails is the maximum you should send.
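To make the two-confirmation limit concrete, here is an added example (not code from the article or from any mailing-list product) of a minimal double opt-in flow: an address stays pending until its token is presented, repeated requests never trigger more than two confirmation emails, and unconfirmed addresses are purged. The `send_email` callable and the seven-day purge window are assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone

MAX_CONFIRMATIONS = 2  # the article's cap: never keep re-sending confirmation mail

class DoubleOptIn:
    """Sign-ups wait in `pending` until the address owner presents the token
    from the confirmation email; only then does the address join `subscribers`."""

    def __init__(self, send_email):
        self.send_email = send_email  # callable(address, token); injected so it can be stubbed
        self.pending = {}             # email -> {"token", "sent", "first"}
        self.subscribers = set()

    def request(self, email, now=None):
        now = now or datetime.now(timezone.utc)
        email = email.strip().lower()
        if email in self.subscribers:
            return "already-subscribed"
        entry = self.pending.setdefault(
            email, {"token": secrets.token_urlsafe(24), "sent": 0, "first": now})
        if entry["sent"] >= MAX_CONFIRMATIONS:
            return "suppressed"       # a bombed address gets no further mail from us
        entry["sent"] += 1
        self.send_email(email, entry["token"])
        return "confirmation-sent"

    def confirm(self, email, token):
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None or not secrets.compare_digest(entry["token"], token):
            return False
        self.subscribers.add(email)
        del self.pending[email]
        return True

    def purge_unconfirmed(self, max_age_days=7, now=None):
        """Drop addresses that never confirmed so they do not linger in the database."""
        now = now or datetime.now(timezone.utc)
        cutoff = timedelta(days=max_age_days)
        stale = [e for e, v in self.pending.items() if now - v["first"] >= cutoff]
        for e in stale:
            del self.pending[e]
        return sorted(stale)
```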
While these two steps seem simple, they could have been enough to stop the bulk of the attacks from having any major effect if every merchant had implemented them. According to Steve Linford, Chief Executive of The Spamhaus Project, “the (main) issue is (was) the badly-run ‘open’ lists which happily subscribed every address without any consent verification.”
Enable double opt-in and use a CAPTCHA for your email list sign-ups now and you could save hours and hours of work with cleaning up your lists in the future.
Even when you’re not directly being attacked, getting caught up in cyber attacks is never fun. It creates more work for you and simply slows everything down. Luckily, there are simple steps that all merchants can take to lessen the effects of similar attacks in the future.
Implementing CAPTCHA and double opt-in doesn’t take a lot of time upfront, but could potentially save hours and hours of work in the future when the inevitable attacks happen. Be prepared and go enable them now.