Subscription Bombing: What to Know and How to Prevent It


Picture yourself suddenly receiving hundreds or thousands of unsolicited emails about subscriptions to your newsletter.

It could be that...

  1. Your newsletter has gone viral and you are getting a lot of new subscribers.

  2. A bad actor is using spam bots to create fraudulent signups and send you unwanted messages.

If you see a lot of email signups arriving on your web forms at a rapid pace, it's more likely to be number 2 than number 1.

This type of cyber attack is called subscription bombing or list bombing. It can happen for several reasons: to harass your email service provider, to ruin your IP reputation, or because a malicious competitor aims to flood your inbox with unwanted emails to destabilize your service.

Over 300 billion spam emails are sent every day, and they come in many forms, including subscription bombing. It is important to recognize what subscription bombing is and the steps to take to avoid becoming a victim of the bad actors propagating it. The good news is that this article will show you just that.


What is subscription bombing?

It is a cyber attack that involves submitting fraudulent email accounts on your web forms. This type of attack can be difficult to defend against because the bad actor uses bots to add multiple email addresses to your list at a rapid pace. The attack can occur for a short or long period depending on the attack's goals.

It is very important to know how to tackle subscription bombing because this form of attack can disrupt your entire system and make it difficult to differentiate legit signups from fake ones. It can also get you added to Internet spam lists and blocked by certain email services, e.g., Gmail.

Cyberattacks are on the rise and grew 38% in 2022 compared to the previous year, which shows the importance of guarding against them.

What are the effects of subscription bombing?

1. General disruption

The first thing that subscription bombing does is disrupt your operations. When you suddenly see hundreds or thousands of new, likely fake, email addresses added to your list, confusion sets in. You will likely stop sending emails to your subscribers until you have dealt with the email bomb. Some people start panicking because they don't know how to react to a cyber attack. Essentially, it can jeopardize your entire operation, which may translate to lost revenue and lapses in customer interaction and communication.

2. Sender/IP reputation

Email providers assign scores to specific domain names or IP addresses that send messages to their users. This score is very important, as it determines how likely an email is to be marked as spam. If you fall victim to list bombing and unknowingly keep sending messages as usual, you will likely be reported for sending spam by many addresses, which, in turn, tanks your sender or IP reputation.

3. Increase in costs

Email service providers usually charge you according to the number of subscribers and emails you send to them. If your list is suddenly filled with a lot more email addresses, it could translate into higher costs even as you work to identify and eliminate fake sign-ups.


4. Server overload

If you operate your own email servers, a list bombing attack could overload the server and cause it to malfunction. In that case, you won't be able to send any emails until the issue has been rectified.

5. Poor unsubscribe rate

List bombing can lead to a sharp uptick in your email unsubscribe rate, which, in turn, increases the likelihood of emails coming from you being marked as spam. This happens because spammers tend to have high unsubscribe rates for obvious reasons, and email providers like Gmail note the unsubscribe rate and flag emails coming from those addresses.


5 steps to prevent subscription bombing

1. Double opt-in process

Double opt-in is a system that involves sending a confirmation link to every new address that signs up on your web form. When a user provides their e-mail address, a unique link will be automatically generated and sent to the address. It is only when they click on that unique link that the address is formally added to your list.

With double opt-in enabled, dodgy actors can't just bombard your email list with unwanted addresses unless they somehow find a way to hack into all the addresses and click the confirmation links, which is almost impossible.
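The double opt-in flow described above, as an added example (not Mailer To Go's code): the confirmation link carries an HMAC-signed, expiring token, and an address joins the list only when that token comes back. The key, the 24-hour lifetime, the in-memory stores and the choice to stay silent on repeat signups for a pending address are assumptions of this sketch.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"  # assumption: a real key comes from secret storage
TOKEN_TTL = 24 * 3600             # assumption: links expire after 24 hours
pending = {}                      # email -> time the confirmation mail was sent
confirmed = set()                 # the actual list: only these receive newsletters

def b64u(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def sign(email, issued):
    msg = f"{email}|{issued}".encode()
    return b64u(hmac.new(SECRET, msg, hashlib.sha256).digest())

def request_signup(email, now=None):
    """Return the token for the confirmation link, or None if no mail should go out."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    sent = pending.get(email)
    if email in confirmed or (sent is not None and now - sent <= TOKEN_TTL):
        return None  # repeat signups for the same address trigger no second mail
    pending[email] = now
    issued = str(int(now))
    return f"{b64u(email.encode())}.{issued}.{sign(email, issued)}"

def confirm(token, now=None):
    """Add the address to the list only for an authentic, unexpired, pending token."""
    now = time.time() if now is None else now
    try:
        body, issued, sig = token.split(".")
        email = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
        issued_at = int(issued)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad integer
        return False
    if not hmac.compare_digest(sig.encode(), sign(email, issued).encode()):
        return False
    if now - issued_at > TOKEN_TTL or email not in pending:
        return False
    del pending[email]
    confirmed.add(email)
    return True
```
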

2. Enable reCAPTCHA

reCAPTCHA is a verification system created by Google to protect websites from abuse. If you enable it on your web form, the person submitting their address will have to solve a quick puzzle (deciphering hard-to-read text or matching images) to confirm that they are human. Spam bots can hardly pass individual reCAPTCHA tests to perform list bombing. Over 15 million websites use reCAPTCHA, so you'll be in good company.

3. Create filtering systems

You can add a timestamp field to your web form so that you can tell how long each submission took to fill out. A typical person spends about a minute to fill out five form fields. If you notice a submission that takes a very short while, e.g., one to five seconds, then you can toss the submission because it is likely a bot.


4. Optimize your form's features

You should include certain features on your forms to reduce the likelihood of falling victim to an email bomb attack.

They include:

  • Rate limits. You can add rate limits to prevent data from being submitted from the same IP address multiple times over a short period.

  • Use blank fields. A smart way to detect bots is to include a field on your form that a human would never see. If this field ends up getting filled, then the submission likely came from a bot that was able to read the website's code.

  • Unconventional field names. The simple scripts that hackers use for subscription bombing look for common field name variations to submit information to, e.g., "firstname", "lastname", "emailaddress", etc. To avert this, you can use unconventional field names such as "First_Lemon", "Last_Apple", etc. This looks silly, but it is actually a smart way to avoid automated script attacks.

  • Geographical restrictions. If your customer base is concentrated in one region, then you can block the forms from showing when someone visits your website from other regions.
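The timing check from step 3 and the rate-limit and blank-field checks from step 4, combined into one server-side filter as an added example (not Mailer To Go's code). The field names `stamp` and `website`, the thresholds, the maximum form age and the in-memory hit store are assumptions; the render time is signed so a bot cannot simply submit an older timestamp.

```python
import hashlib, hmac, time
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: a real key comes from secret storage
MIN_FILL_SECONDS = 5              # faster than this is the article's "likely a bot"
MAX_FORM_AGE = 3600               # assumption: reject stamps older than an hour
MAX_PER_IP, WINDOW = 3, 600       # assumption: 3 submissions per IP per 10 minutes
HONEYPOT = "website"              # hypothetical field, hidden from humans with CSS
hits = defaultdict(deque)         # ip -> times of recent submissions (in-memory)

def mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def render_stamp(now):
    """Hidden-field value set when the form is served: render time plus its MAC."""
    ts = str(int(now))
    return f"{ts}:{mac(ts)}"

def check_submission(form, ip, now=None):
    """Return (accepted, reason) for one form POST; form is a dict of field values."""
    now = time.time() if now is None else now
    recent = hits[ip]
    while recent and now - recent[0] > WINDOW:  # forget hits outside the window
        recent.popleft()
    recent.append(now)
    if len(recent) > MAX_PER_IP:
        return False, "rate_limited"
    if form.get(HONEYPOT, "").strip():          # a human never fills this field
        return False, "honeypot_filled"
    ts, _, tag = form.get("stamp", "").partition(":")
    if not ts.isdigit() or not hmac.compare_digest(tag.encode(), mac(ts).encode()):
        return False, "bad_stamp"               # missing or forged render time
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "too_fast"
    if age > MAX_FORM_AGE:
        return False, "stale_stamp"
    return True, "ok"
```

Logging the rejection reason per submission also gives you a signal for spotting an attack in progress, since a burst of `too_fast` or `honeypot_filled` results is not what a viral newsletter looks like.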


5. Use Mailer To Go

The email service provider (ESP) you choose plays a major role in avoiding becoming a victim of a malicious cyber-attack. Any ESP you choose should have advanced features to tackle different types of attacks including email bombing.

Mailer To Go is a good example of a secure email service provider. The platform's underlying infrastructure is hosted on Amazon Web Services (AWS), the world's biggest and most trusted data center provider. It has advanced features that protect it against distributed denial of service attacks like email bombing.

In conclusion

Cyber attacks are on the rise and cost businesses billions of dollars annually. They come in different sophisticated formats, including subscription bombing.

We have explained what subscription bombing is, its effects, and the steps that you can take to avoid this type of attack. Follow our tips, and you'll likely reduce your chances of falling victim to subscription bombing.



Frequently asked questions

What is subscription bombing?

Subscription bombing, also known as email bombing, is a type of cyber attack where an individual's email address is maliciously subscribed to numerous online subscriptions, newsletters, or services.

This results in the victim's inbox being flooded with unwanted emails, making it difficult to find legitimate messages.

What are the effects of subscription bombing?

The effects of subscription bombing can be disruptive and damaging. The victim's inbox can become overwhelmed with unwanted emails, making it difficult to find and respond to legitimate messages.

This can lead to missed important emails and decreased productivity. In some cases, subscription bombing can also be used as a distraction tactic to hide fraudulent activities like unauthorized transactions.

How can I protect myself from subscription bombing?

Protecting yourself from subscription bombing involves a combination of proactive and reactive measures. Proactively, be careful where you share your email address, and consider using a separate email address for online subscriptions.

Reactively, if you find yourself a victim of a subscription bombing, use your email service's filtering and reporting tools to manage the influx of emails. If you're using a transactional email service like Mailer To Go, they may provide additional tools and support to help you manage and prevent such attacks.

What should I do if I'm a victim of subscription bombing?

If you're a victim of subscription bombing, start by reporting the issue to your email service provider. Use your email's filtering tools to automatically move these unwanted emails to your spam or trash folder.

It's also important to monitor your accounts for any suspicious activities, as subscription bombing can sometimes be used to hide other types of cyber attacks.

Can subscription bombing be prevented?

While it's difficult to completely prevent subscription bombing, there are steps you can take to reduce your risk. Be careful where you share your email address and consider using a separate email address for online subscriptions. Use strong, unique passwords for your email accounts and enable two-factor authentication if available.

If you're a business, consider implementing CAPTCHA on your subscription forms to prevent automated sign-ups.
