List Bombing: The Latest Trend in Online Harassment

Email Security

Fighting malicious activity on the Internet is an ongoing, ever-evolving battle. Bad actors are constantly finding new ways to profit off of businesses and harass organizations by negatively affecting their day-to-day operations.

The most recent tool in their arsenal is something called “list bombing,” which occurs when cyber criminals identify vulnerable email sign-up pages and use bots to subscribe users from a particular domain to hundreds of thousands of unwanted newsletters.

This action negatively impacts the recipients’ email environment, as the high volume of emails creates a DDoS-like effect and shuts down their inboxes for an extended period of time. For the owner of a vulnerable sign-up page, this abuse often leads to blacklisting, which prevents subscribers from receiving your legitimate email.

At Rackspace, we’ve recently seen an increase in our IPs being listed on the Spamhaus Block List because of this issue. Last year, Spamhaus wrote an informative piece about being on the receiving end of a list bombing attack.

As the piece mentions, in addition to unsecured newsletter subscriptions, account sign-up pages for WordPress were also used in the attack. Any type of web-based sign-up process is vulnerable and must be protected from this type of malicious activity.

One of the easiest ways to prevent this type of attack is the use of a CAPTCHA for email sign-up forms. Google provides a free reCAPTCHA that is easy on human eyes and also mobile friendly. This helps authenticate that the user entering the email address is a real person and not a bot.

If your sign-up page has been abused through list bombing or another means of attack, it’s important to identify when a spike in sign-ups occurred so that users who were subscribed without consent are removed from your mailing list in a timely manner.

If you’re unable to pinpoint a specific time or date when the list bombing occurred, we recommend re-confirming your email list to ensure that you are only sending to willingly subscribed users. Re-confirming your email list entails sending out a single email asking your users to re-subscribe to your list within a certain period of time. Any users who do not re-subscribe within that period should be removed from your email list.

Failure to clean up your email list after a list bomb attack will lead to subsequent blacklistings. Additional email best practices to implement include something known as “confirmed opt-in,” which ensures that the person subscribed is indeed the owner of the email address and that the address hasn’t been mistyped or otherwise entered incorrectly or fraudulently. The Messaging, Malware and Mobile Anti-Abuse Working Group has compiled a great document regarding best practices when it comes to sending commercial email.
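
The following is an added example, not code from the original post or from Rackspace: a minimal confirmed opt-in flow in Python that also covers the re-confirmation clean-up described above. The class and function names, the 7-day window and the HMAC token format are assumptions chosen for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: kept in a secret store in practice
CONFIRM_WINDOW = 7 * 24 * 3600    # assumption: 7-day confirmation period

def _sign(email: str, deadline: int) -> bytes:
    # The token is bound to one address and one deadline.
    msg = f"{email}|{deadline}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()

class MailingList:
    def __init__(self):
        self.pending = {}       # email -> confirmation deadline (epoch seconds)
        self.confirmed = set()  # only these addresses receive newsletters

    def request(self, email: str, now: int) -> str:
        """Record a sign-up and return the token to mail to that address."""
        email = email.lower()
        deadline = now + CONFIRM_WINDOW
        self.pending[email] = deadline
        return f"{deadline}.{_sign(email, deadline).decode()}"

    def confirm(self, email: str, token: str, now: int) -> bool:
        """Activate the address only if the token matches and is in time."""
        email = email.lower()
        deadline_s, _, mac = token.partition(".")
        if not (deadline_s.isascii() and deadline_s.isdigit()):
            return False
        deadline = int(deadline_s)
        if self.pending.get(email) != deadline or now > deadline:
            return False
        if not hmac.compare_digest(mac.encode(), _sign(email, deadline)):
            return False
        del self.pending[email]
        self.confirmed.add(email)
        return True

    def start_reconfirmation(self, now: int) -> dict:
        """Move every subscriber back to pending; returns email -> token."""
        emails, self.confirmed = self.confirmed, set()
        return {e: self.request(e, now) for e in emails}

    def purge_expired(self, now: int) -> list:
        """Drop addresses whose owner never confirmed within the period."""
        gone = sorted(e for e, d in self.pending.items() if now > d)
        for e in gone:
            del self.pending[e]
        return gone
```

An address that a bot submits stays in pending and is purged when the window closes, so it never receives more than the single confirmation message.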

As malicious users continue to shift and adapt, it’s increasingly important for businesses and everyday Internet users to remain vigilant and adapt just as quickly.

Do you have additional questions about email security and protecting your business or email from malicious actors online? Visit the Rackspace Support Network to find out more about our best practices and ways we help email users stay safe.

Jessica Robles has worked at Rackspace since 2013 and is currently a member of the legal department. Her primary focus is with the anti-abuse team helping customers mitigate abusive behavior online to protect the integrity of the Rackspace network.

