List bombing, the unknown: what it is and how it works
List bombing, also known as subscription bombing, is a type of cyber attack in which bots automatically and fraudulently subscribe large numbers of email addresses – which may be legitimate, harvested from public lists, or randomly generated – to numerous subscription or registration forms, which then trigger the sending of unwanted messages (spam) to those addresses.
Why it happens and the consequences for its victims
The reasons behind a List bombing can be varied, as can the damage caused, both to those receiving the unwanted messages generated by the attack and to those sending them:
- Annoy the recipient
- Make the recipient's mailbox inaccessible
- Distract the recipient from important notifications (such as password recovery, bank transactions, payment deadlines, etc.)
- Spread spam or phishing
- Execute a DoS-type attack – denial of service – to drain the resources of the website hosting the form and render it unusable
- Compromise the reputation of the brand owning the form and the integrity of its customer database: fraudulent email address subscriptions and the sending of unwanted messages may lead to high rates of spam reports, hard bounces, and spam traps, which can damage reputation, lead to deliverability issues, and raise privacy concerns
- Harm the reputation of the Email Service Provider handling the emails generated by the form: the attack may result in blacklisting (e.g., Spamhaus) of some of its IPs or its entire sending IP range, thus compromising the ability to correctly send emails for its clients.
How to check if your online forms are subject to List bombing
There are various signals that can help you determine if you have been a victim of this attack:
- Abnormal and unexpected increase in new subscribers compared to usual
- Numerous subscriptions from the same IP within a very short timeframe
- Same email addresses subscribed to multiple subscription or registration forms
- Numerous subscribers with:
  - email addresses from mail providers not aligned with your target. If your target market is Italian or European, the email domains of your subscribers will mostly belong to Italian or European email providers. Therefore, the presence of email addresses with domains such as comcast.com (American domain), qq.com (Chinese domain) or .gov (US government agencies) should make you suspicious
  - textual fields (e.g., “first_name” and/or “last_name”) showing suspicious character sequences or recurrent values
  - fields filled incorrectly – for example, city, address, or phone number fields filled with people's names
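The signals above can be checked mechanically against a form's submission log. The following Python is an added example, not code from the article: it runs the IP-burst, multi-form, off-target-domain and text-field checks over a small constructed set of submissions; the field names, thresholds and the off-target domain lists are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample submissions (times, IPs, addresses and names are made up).
SUBMISSIONS = [
    ("2024-03-01T10:00:00", "newsletter", "203.0.113.5", "anna.rossi@libero.it", "Anna", "Milano"),
    ("2024-03-01T10:00:01", "newsletter", "198.51.100.7", "k7f2q@comcast.com", "xqzpwl", "Anna"),
    ("2024-03-01T10:00:02", "newsletter", "198.51.100.7", "victim@example.it", "xqzpwl", "Roma"),
    ("2024-03-01T10:00:03", "whitepaper", "198.51.100.7", "victim@example.it", "xqzpwl", "Roma"),
    ("2024-03-01T10:00:04", "newsletter", "198.51.100.7", "a1b2@qq.com", "Luca", "Torino"),
]
FIELDS = ("ts", "form", "ip", "email", "first_name", "city")
OFF_TARGET_DOMAINS = {"comcast.com", "qq.com"}  # illustrative; assumes an Italian/European audience
OFF_TARGET_TLDS = {"gov"}

def burst_ips(subs, window=timedelta(seconds=60), threshold=3):
    """IPs that submitted at least 'threshold' times inside one 'window' span."""
    times = defaultdict(list)
    for s in subs:
        times[s["ip"]].append(datetime.fromisoformat(s["ts"]))
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        peak = max(sum(1 for t in ts[i:] if t - ts[i] <= window) for i in range(len(ts)))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def emails_on_multiple_forms(subs):
    forms = defaultdict(set)  # email -> set of forms it was subscribed through
    for s in subs:
        forms[s["email"].lower()].add(s["form"])
    return {e for e, f in forms.items() if len(f) > 1}

def off_target_emails(subs):
    """Addresses whose mail provider does not match the expected audience."""
    def off(domain):
        return domain in OFF_TARGET_DOMAINS or domain.rsplit(".", 1)[-1] in OFF_TARGET_TLDS
    return {s["email"] for s in subs if off(s["email"].lower().rsplit("@", 1)[-1])}

def suspicious_text(subs, repeat_threshold=3):
    """Vowel-less names, names repeated >= threshold times, city values that are really names."""
    names = Counter(s["first_name"].lower() for s in subs)
    return {"recurrent": {n for n, c in names.items() if c >= repeat_threshold},
            "gibberish": {n for n in names if not set("aeiou") & set(n)},
            "misfilled": {s["email"] for s in subs if s["city"].lower() in names}}

def triage(rows=SUBMISSIONS):
    subs = [dict(zip(FIELDS, r)) for r in rows]  # every signal, over all rows
    return {"burst_ips": burst_ips(subs), "multi_form": emails_on_multiple_forms(subs),
            "off_target": off_target_emails(subs), "text": suspicious_text(subs)}
```

The "abnormal increase in new subscribers" signal is not covered here; it needs a baseline from earlier days, which the same per-day counting approach would supply.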
Security measures to adopt for protection
CAPTCHA or reCAPTCHA
This is the most effective protection for blocking bots.
CAPTCHA – Completely Automated Public Turing test to tell Computers and Humans Apart – is a test designed to distinguish automated bot submissions from those of a human.
Traditional CAPTCHA asks users to identify letters or numbers that are distorted in such a way that makes it extremely difficult for a bot to recognize them.
To pass the test, users must interpret the distorted text, type it in the appropriate field, and then press enter. If the letters and numbers do not match, users are prompted to try again.
reCAPTCHA is a free service offered by Google as a replacement for traditional CAPTCHAs. There are different types of reCAPTCHA tests, for example:
- Recognizing words or texts, similar to the traditional CAPTCHA but with the difference that they are extracted from real-world images
- Ticking the famous “I’m not a robot” checkbox
- Recognizing images
The latest versions of reCAPTCHA can also determine if the person filling out an online form is a bot or a human without requiring them to complete a test.
If it cannot make that determination, the user is shown a standard reCAPTCHA “challenge.”
Inserting a hidden field in the form
The field is invisible to a human visitor, so if it comes back filled in, the submission was made by a bot and not by a “real” user.
However, this method does not protect you from all bots, as the most advanced ones do not fill in hidden fields, thus simulating human behavior.
Limitations on IP, values, and completion time
To detect and block automated bot submissions, it may be useful to set limits on:
- The number of submissions from the same IP or the number of submissions involving the same email address.
- The time it takes for a user to complete the form. A human will take up to a minute to fill in a couple of fields, while a bot can do it in a second.
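The hidden field and the IP, value and completion-time limits from the last two sections can be enforced together in the server-side handler that receives the form. This framework-agnostic Python class is an added example, not code from the article; the honeypot field name `website_url`, the thresholds and the one-hour window are assumptions.

```python
import time
from collections import defaultdict, deque

class FormGuard:
    """Server-side checks for a subscription form: a hidden honeypot field,
    per-IP and per-address submission limits, and a minimum fill-in time.
    Field names and thresholds are assumptions chosen for this example."""

    def __init__(self, honeypot="website_url", min_seconds=3.0,
                 max_per_ip=5, max_per_email=2, window=3600):
        self.honeypot = honeypot          # hidden via CSS; humans never see it
        self.min_seconds = min_seconds    # a human needs at least this long
        self.window = window              # rate-limit window in seconds
        self.limits = {"ip": max_per_ip, "email": max_per_email}
        self.seen = {"ip": defaultdict(deque), "email": defaultdict(deque)}

    def _over_limit(self, kind, key, now):
        q = self.seen[kind][key]
        while q and now - q[0] > self.window:  # forget attempts outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.limits[kind]

    def check(self, fields, ip, rendered_at, now=None):
        """Return None to accept the submission, or a short rejection reason.
        'rendered_at' is when the form was served; keep it server-side or in a
        signed token so the client cannot choose it."""
        now = time.time() if now is None else now
        if fields.get(self.honeypot, "").strip():
            return "honeypot_filled"   # only an automated filler touches this field
        if now - rendered_at < self.min_seconds:
            return "too_fast"          # completed faster than a person could type
        email = fields.get("email", "").strip().lower()
        if not email:
            return "missing_email"
        if self._over_limit("ip", ip, now):
            return "ip_rate_limited"
        if self._over_limit("email", email, now):
            return "email_rate_limited"
        return None
```

Rejected submissions should be logged with their reason, since the counts per reason are the quickest way to spot the start of an attack.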
What about Double Opt-In?
With this procedure, the user who signed up receives an email containing a unique link and must click it to confirm the registration to the requested service.
Implementing the Double Opt-In without other protection will still expose your forms to List bombing and unlawful registration attempts.
Subscribed users will receive confirmation emails for unexpected registrations, which could trigger a chain of events (spam reports, bounces, blacklisting) damaging your reputation and that of the server you use to send emails.
However, implementing it is equally important for protecting the integrity of your database: it ensures you do not keep sending unwanted emails to addresses that were subscribed illicitly and would otherwise be difficult to detect.
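As an added example (not from the article) of how Double Opt-In protects the database, the Python below keeps unconfirmed addresses in a pending state that never reaches the send list, uses an HMAC-signed, expiring token for the unique link, and declines to send a second confirmation email while an address is already pending; the 48-hour expiry and the key handling are assumptions.

```python
import hashlib, hmac, secrets
SECRET = secrets.token_bytes(32)  # constructed per process; a real deployment keeps a persistent key
TOKEN_TTL = 48 * 3600             # confirmation links expire after two days (assumed policy)

def make_confirmation_token(email, issued_at, secret=SECRET):
    """Token bound to one address and one issue time; unguessable without the key."""
    mac = hmac.new(secret, f"{email.lower()}|{int(issued_at)}".encode(), hashlib.sha256).hexdigest()
    return f"{int(issued_at)}.{mac}"

def verify_confirmation_token(email, token, now, secret=SECRET, ttl=TOKEN_TTL):
    try:
        issued, mac = token.split(".", 1)
        issued = int(issued)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{email.lower()}|{issued}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and 0 <= now - issued <= ttl

class SubscriberList:
    """Addresses enter as 'pending' and reach the send list only after the unique
    link is clicked; repeated sign-ups of a pending address send no second email."""
    def __init__(self):
        self.pending = {}      # email -> time the confirmation email was issued
        self.confirmed = set()

    def subscribe(self, email, now):
        """Return a token to put in the confirmation link, or None if no email should go out."""
        email = email.lower()
        if email in self.confirmed or (email in self.pending and now - self.pending[email] <= TOKEN_TTL):
            return None
        self.pending[email] = now
        return make_confirmation_token(email, now)

    def confirm(self, email, token, now):
        email = email.lower()
        if email in self.pending and verify_confirmation_token(email, token, now):
            del self.pending[email]
            self.confirmed.add(email)
            return True
        return False

    def purge_expired(self, now):
        """Drop pending addresses that never confirmed; they are never mailed again."""
        stale = sorted(e for e, t in self.pending.items() if now - t > TOKEN_TTL)
        for e in stale:
            del self.pending[e]
        return stale

    def send_list(self):
        return sorted(self.confirmed)  # only confirmed addresses ever receive campaigns
```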
Help, I'm under attack: what should I do?
First of all, don't panic!
Breathe and follow these very simple steps:
- Identify the form or forms under attack and the duration of the attack. The List bombing might have been ongoing for days;
- Take the form offline;
- Implement CAPTCHA or reCAPTCHA;
- Consider implementing other previously described security measures;
- Put the form back online and continue monitoring the subscription flow;
- Identify the email addresses that were added by the bot and remove them from your database.
Underestimating List bombing is very dangerous: it can severely damage the reputation of your brand and of the Email Service Provider you use to send emails, lead to blacklisting, or cause legal complications. Don't risk compromising your email marketing project: implement the advice above without delay.