Recently, valid email addresses have been fraudulently added to many open email lists, flooding inboxes with spam and resulting in a blockage of IP addresses.
Here’s a new worry that digital marketers can add to their growing list:
A recent spate of email list bombings has led international spam fighter Spamhaus to block IP addresses from a number of well-known email service providers (ESPs), including possibly yours. (See below for advice on what you can do.)
And here’s the backstory:
On Monday, August 15, anti-spam consulting service Word to the Wise’s founding partner Laura Atkins posted about the difficult morning many ESPs were having:
“A number of ESPs [email service providers] woke up to a more-than-usually-bad Monday morning. Last night Spamhaus listed 10s of networks, including ESPs, on the SBL [Spamhaus Block List].”
She pointed out that Spamhaus was blocking IP addresses used by various ESPs, because those IP addresses were the source of email lists that were sending confirmation requests, newsletters and other emails to addresses that hadn’t signed up.
“To have this [IP blockage] listing removed,” she quoted the Spamhaus notice, “the newsletter service needs to clean up their email address list and ensure that bulk emails are only being sent to recipients who have previously subscribed to their bulk email service.”
Atkins noted that the problem appeared to be widespread among ESPs, and that some email recipients were receiving hundreds of emails per minute from hundreds of unwanted lists, creating what was essentially a denial of service attack that made it impossible to unsubscribe fast enough.
The lists that were being “list-bombed” were ones that did not include one or both of common email best practices: a CAPTCHA to prevent bots from adding email addresses and a confirmed opt-in (COI) which, after an address was added to a list, immediately sent out an email to that address with a confirmation link. If the email address owner did not click the link, in theory, the email address was soon deleted from the list.
In practice, though, a number of email lists added another wrinkle, which should be excluded from best practices: if the email recipient did not click the confirmation link within a given amount of time, the list sent another email with a confirmation link … and sometimes another … and another.
In fact, reports indicate that many of the spamming emails were additional email requests from the same list, asking for confirmation.
Shortly after her post, Spamhaus Chief Executive Steve Linford added a comment:
“This incident involved a large number of government addresses belonging to various countries being subscribed to very large numbers of lists in a very short space of time by scripts run by the attacker(s). Most of the lists hit by the attack used COI and therefore only sent confirmation requests and did not subscribe any addresses. […]
“The issue is the badly-run ‘open’ lists which happily subscribed every address without any consent verification and which now continue as participants in the list-bombing of government addresses.”
As a result of this massive spam attack, Spamhaus blacklisted the IP addresses that were delivering this torrent. Internet Service Providers (ISPs) that follow Spamhaus’ advice then blocked emails from those IP addresses, which are utilized by a variety of major ESPs that send emails for the world’s most famous brands.
One of those major ESPs is YesMail. Director of Deliverability Bob Sybydlo told me his company found that one of its IP addresses was blacklisted and blocked by Spamhaus. He added that, in talking with others in the email provider community, it appears “many ESPs and IPs have been blocked.”
Every two or three seconds
“This is new,” he told me, because it’s “the first time Spamhaus has started implementing blocking because of list bombing attempts.”
A few days later, on August 18, security expert Brian Krebs posted on his widely-followed blog:
“Over the weekend, unknown assailants launched a massive cyber attack aimed at flooding targeted dot-gov (.gov) email inboxes with subscription requests to thousands of email lists. According to experts, the attack — designed to render the targeted inboxes useless for a period of time — was successful largely thanks to the staggering number of email newsletters that don’t take the basic step of validating new signup requests.”
He noted that, while the attacks apparently happened “at a low level” for several weeks, they “intensified tremendously over this past weekend,” and included email addresses from the governments of several countries.
Krebs reported that his own KrebsOnSecurity inbox began filling up at about 9 a.m. ET on Saturday, August 13, with new newsletter subscriptions at the rate of about one new email every two or three seconds, leaving his email account “basically useless.”
It’s not clear who is conducting these list-bombing attacks, or why. It may be related to attempts by Russian, Chinese or other hackers to disrupt various governments’ operations, or it may simply be a prank.
What to do
Here’s the advice about what to do now and in the future, from Spamhaus, Word to the Wise and Yesmail’s Sybydlo:
- Check to see if your email domain or the IP addresses delivering your emails have been blocked by Spamhaus. If so, take steps to remove the offending email addresses, and then have your ESP contact Spamhaus to lift the blocking.
- Make sure your ESP is continually monitoring Spamhaus’ blacklist.
- Yesmail’s Sybydlo told me marketers should check out email addresses that have recently been added to email lists, looking for spikes in signups over a very short period of time, as well as additions of large numbers of addresses containing .gov, .mil and other reserved domains. Also look for frequently used IP addresses.
- If suspicious activity is discovered, he recommends isolating the addresses and conducting an investigation, such as checking Spamhaus for blocked addresses or attempting to confirm the signup (without numerous requests) from the address owner.
- Use a CAPTCHA to prevent bot signups.
- Send one email with a confirmation link. It’s possible you might send a followup reminder, but remember that more reminders could be seen as spam.
- Selectively place email signups near content sections, instead of making them available immediately for everyone as soon as they enter your site, which could make them more susceptible to malware attacks.
We’ve reached out to Spamhaus for comment but have not yet heard back. We’ll update this story if we do.