Email Subscription DDOS Attacks: Why You Should Secure Your Email Signup Forms Now
By the SendGrid Team
Do your email subscription forms put your business at risk of a Spamhaus deny listing? When the world’s most influential anti-spam organization taps you on the shoulder, you pay attention. Like a boxer delivering a six-point combination counterpunch, Spamhaus recently issued hundreds of deny listings to limit harm and get the attention of email senders and website owners across the globe. Why? Tens of thousands of websites have unknowingly become conduits for a wave of harmful subscription bombing attacks that overwhelm victims’ mailboxes with a tsunami of unwanted mail.
If your website collects email addresses via web forms and doesn’t have appropriate defenses in place, then your site may become a funnel for this abuse, and that increases your risk of being added to a Spamhaus deny listing. That would significantly harm your sending reputation, reduce your email delivery by 15 – 40%, and take a significant toll on your bottom line.
Whenever enterprising criminals harm others by exploiting the Internet’s systemic vulnerabilities, we need to pause and ask ourselves four essential questions:
- If we were targeted by this attack, how would it affect our business?
- Does our own email or web infrastructure enable or amplify this type of attack?
- What steps can we take now to protect our business or users in case we are targeted?
- How can we prevent our websites and email systems from being exploited, so innocents aren’t harmed?
Motives and Methods
Why do malicious actors flood mailboxes? Sometimes just to harass victims or disrupt their work, but sometimes as part of a larger scheme to commit fraud. For example, when financial institutions detect suspicious activity on your account, they commonly send you a warning notification by email. If an attacker times their mailbomb to coincide with these warning notifications, the warnings are easily missed because they’re mingled with thousands of unwanted emails that arrive simultaneously. (If you’re ever the victim of a mailbomb attack, be alert that this may be an intentional distraction to direct your attention away from a greater threat.)
These recent mailbomb attacks are particularly effective because they distribute a tsunami of unwanted email, aggregated a trickle at a time, from many different legitimate senders. These messages frequently bypass spam filters. Attacks are difficult to block without disrupting the delivery of legitimate email from trusted senders.
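From a single site’s point of view, the only visible trace of such an attack is a small burst in its own signup log: the same address submitted to several forms within seconds, or one source address submitting many different victims. The following script is an added example (not SendGrid’s code, and not from any of the posts linked below) that scans a site’s signup log for exactly those two signatures. The log format, the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Added example: flag subscription-bombing signatures in a site's own signup log.
The log format (timestamp email client_ip form_id), the sample lines and the
thresholds below are constructed for this illustration, not taken from any product."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 198.51.100.7 pushes one victim into three forms and then
# several other addresses into the newsletter, all within a few seconds.
SAMPLE_LOG = """\
2016-08-23T10:00:01 alice@example.com 203.0.113.5 newsletter
2016-08-23T10:00:02 victim@example.net 198.51.100.7 newsletter
2016-08-23T10:00:03 victim@example.net 198.51.100.7 blog-digest
2016-08-23T10:00:04 victim@example.net 198.51.100.7 product-updates
2016-08-23T10:00:05 bob@example.org 203.0.113.9 newsletter
2016-08-23T10:00:06 carol@example.com 198.51.100.7 newsletter
2016-08-23T10:00:07 dave@example.com 198.51.100.7 newsletter
2016-08-23T10:00:08 erin@example.com 198.51.100.7 newsletter
2016-08-23T11:30:00 frank@example.com 203.0.113.11 newsletter
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, email, ip, form) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, email, ip, form = line.split()
        events.append((datetime.fromisoformat(ts), email.lower(), ip, form))
    return events


def find_suspicious(events, window=timedelta(minutes=5), email_threshold=3, ip_threshold=4):
    """Return (flagged_emails, flagged_ips).

    flagged_emails: addresses submitted at least `email_threshold` times inside any
                    sliding `window` (one victim being signed up over and over).
    flagged_ips:    sources that submitted at least `ip_threshold` distinct addresses
                    inside any window (one bot feeding many victims through the form).
    """
    flagged_emails, flagged_ips = set(), set()
    per_email = defaultdict(deque)   # email -> recent timestamps
    per_ip = defaultdict(deque)      # ip -> recent (timestamp, email) pairs
    for ts, email, ip, _form in sorted(events):
        q = per_email[email]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= email_threshold:
            flagged_emails.add(email)

        iq = per_ip[ip]
        iq.append((ts, email))
        while iq and ts - iq[0][0] > window:
            iq.popleft()
        if len({e for _, e in iq}) >= ip_threshold:
            flagged_ips.add(ip)
    return flagged_emails, flagged_ips


if __name__ == "__main__":
    emails, ips = find_suspicious(parse_log(SAMPLE_LOG))
    print("repeatedly targeted addresses:", sorted(emails))
    print("sources feeding many addresses:", sorted(ips))
```

Because the attack is spread across many legitimate senders, any one site sees only a trickle, so a threshold scan like this is a supporting signal for tuning rate limits and deciding when to switch on a CAPTCHA, not a substitute for confirming each subscription.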
An Ounce of Prevention
There are legal and practical repercussions for sending messages to the wrong address. You can greatly reduce the risk of a Spamhaus deny list by ensuring each of your recipients truly intended to subscribe to your list.
You will reduce the risk of a Spamhaus deny list by implementing a “confirmed opt-in” (COI) process, but that alone will not prevent subscription bombers from abusing your web forms. (Even subscription confirmation emails can be weaponized. Victims can be overwhelmed with separate subscription confirmation emails from thousands of distinct lists.) Here’s more motivation: Some countries, like Canada, enforce laws that require affirmative consent for commercial email.
At a minimum, your email address collection forms should prevent “web robots” from automatically subscribing victims to your list. (Consider adding Google’s free reCAPTCHA to your collection forms. Other bot detection methods may be effective too—ask your webmaster. If you choose not to implement a CAPTCHA directly, have one pre-integrated and ready to activate with the flip of a switch, just in case your other defenses don’t work as intended.)
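The confirmed opt-in process and the bot defenses above fit together in the form handler itself. The block below is an added example (not SendGrid’s code) of a minimal handler that layers a honeypot field, a per-IP velocity limit and a CAPTCHA hook that can be switched on when needed, and that sends at most one confirmation email per address, with an HMAC-signed, expiring confirmation link. The secret key, the thresholds, the `website` honeypot field name and the `captcha_verify` callback interface are assumptions for illustration; a real deployment would load the key from configuration and plug in its CAPTCHA provider’s verification call.

```python
"""Added example: confirmed opt-in (COI) signup handler with bot defenses.
Secret, thresholds, field names and the captcha hook are assumptions for
illustration, not SendGrid's or any library's API."""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from typing import Optional

SECRET = secrets.token_bytes(32)      # assumption: real code loads this from config
TOKEN_MAX_AGE = 24 * 3600             # confirmation links expire after a day (assumed policy)
RATE_WINDOW, RATE_LIMIT = 600, 3      # at most 3 submissions per IP per 10 minutes (assumed)


def make_token(email: str, issued_at: int) -> str:
    """Confirmation token of the form email|issued_at|HMAC-SHA256(email|issued_at)."""
    msg = f"{email.lower()}|{issued_at}"
    mac = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{mac}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the email if the token is authentic and unexpired, else None."""
    try:
        email, ts, mac = token.rsplit("|", 2)
        issued_at = int(ts)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if issued_at > now or now - issued_at > TOKEN_MAX_AGE:
        return None
    return email


class SignupGuard:
    def __init__(self, captcha_enabled=False, captcha_verify=lambda response: False):
        self.captcha_enabled = captcha_enabled
        self.captcha_verify = captcha_verify     # hook for reCAPTCHA or similar (assumed interface)
        self.attempts = defaultdict(deque)       # client_ip -> recent submission times
        self.pending = {}                        # email -> token awaiting confirmation
        self.confirmed = set()

    def handle_signup(self, form: dict, client_ip: str, now: int) -> str:
        # 1. Honeypot: a field hidden from humans by CSS; bots tend to fill every field.
        if form.get("website"):
            return "rejected:honeypot"
        # 2. Velocity: one source submitting many addresses is the bomber's signature.
        q = self.attempts[client_ip]
        q.append(now)
        while q and now - q[0] > RATE_WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT:
            return "rejected:rate_limit"
        # 3. CAPTCHA, pre-integrated and activated with a flag when other defenses fall short.
        if self.captcha_enabled and not self.captcha_verify(form.get("captcha_response", "")):
            return "rejected:captcha"
        email = form.get("email", "").strip().lower()
        if "@" not in email:
            return "rejected:invalid_email"
        # 4. One confirmation email per address: repeated submissions send nothing more,
        #    so the confirmation message itself cannot be turned into a mailbomb.
        if email in self.confirmed or email in self.pending:
            return "ignored:duplicate"
        self.pending[email] = make_token(email, now)
        # A real handler sends exactly one email here containing the confirmation link.
        return "confirmation_sent"

    def confirm(self, token: str, now: int) -> bool:
        """Called when the recipient follows the link; only then does the address join the list."""
        email = verify_token(token, now)
        if email is None or self.pending.get(email) != token:
            return False
        del self.pending[email]
        self.confirmed.add(email)
        return True
```

Only `confirm()` adds an address to the list, so a submission that nobody acts on leaves no subscriber behind, and duplicate submissions for a pending address are dropped silently rather than generating a second confirmation email.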
Pain provokes change. In the not-so-distant past, vast numbers of email servers were configured as “open relays.” Spammers discovered this vulnerability and exploited these open relays. In response, open relays were deny listed, and the painful deliverability disruptions motivated system administrators to update their systems and fix the vulnerability.
History repeats itself. Subscription bombers will continue exploiting web forms that don’t deter automated “bot” signups or confirm subscription requests. Deny list organizations like Spamhaus will encourage website owners, email senders, and their ESP and web hosting providers to take action and add defenses to email subscription forms.
A word to the wise: We make changes when it’s in our best interest. The question is, will you protect your address collection forms proactively, or will you wait until a painful deny list forces you to?
Spamhaus explains why senders need to ensure the integrity of subscriber email addresses:
- Subscription Bombing: https://www.spamhaus.org/news/article/734/subscription-bombing-coi-captcha-and-the-next-generation-of-mail-bombs
- Mailing Lists vs. Spam Lists: https://www.spamhaus.org/whitepapers/mailinglists/
- Confirmed Opt-In — A rose by any other name: https://www.spamhaus.org/news/article/635
- Spamhaus Marketing FAQ: https://www.spamhaus.org/faq/section/Marketing%20FAQs
Laura and Steve Atkins at Word to the Wise provide blow-by-blow details of the recent subscription bombing incidents. Spamhaus CEO Steve Linford also left comments on their blog: https://wordtothewise.com/2016/08/subscription-bombing-esps-spamhaus/#comment-135919
Mickey Chandler gives us several more good reasons why senders need to ensure the accuracy of the addresses they’re collecting: https://www.spamtacular.com/2016/08/23/its-time-to-consider-non-users/