Spamhaus Subscription Bombing: Things You Need to Know

Posted by Kent McGovern 

On Monday, August 15 2016, some email senders started noticing an increase in the number of their IP addresses being blacklisted by the anti-spam organization Spamhaus. The Spamhaus SBL listings cited an “Abused/misconfigured newsletter service”: spammers and other malicious actors had been “subscription bombing” newsletter signup forms.

In these cases, a large number of government addresses from different countries were subscribed through newsletter sign up forms by a script, bot or other automated process. As a result, those email addresses received hundreds, if not thousands, of opt-in confirmation emails as well as marketing emails.

Laura Atkins posted three great blog articles giving a summary of the issue, comments from Spamhaus CEO Steve Linford, and a follow-up on the ongoing attack from security reporter Brian Krebs.

Whether or not you have received a Spamhaus SBL listing on your sending IP addresses, Return Path recommends reviewing all subscribers you acquired in August to ensure you have not been a victim of subscription bombing.

Some of the areas to review:

  • A sudden, unexplained increase in subscribers
  • Large numbers of government (for example, .gov) email addresses
  • Email addresses that have signed up to multiple mailing lists you control
  • The same IP address used to sign up different email addresses to your mailing lists

If you see many subscribers signing up from the same IP address, or the same email addresses signed up to multiple mailing lists, consider blocking those subscribers: doing so could prevent a future Spamhaus SBL listing.
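The review criteria above can be run mechanically over a signup log. The following script is an added example, not Return Path's tooling or anything from the original post; it assumes a log of (timestamp, list name, address, client IP) tuples, and the sample rows are constructed to mimic a scripted burst on August 15. It flags a daily spike, government domains (.gov and country variants such as .gov.uk), addresses on several lists, and one IP subscribing many addresses, then names the subscribers worth blocking before they are mailed again.

```python
import statistics
from collections import defaultdict

# Constructed sample signup log (not real data): (timestamp, list name, address, client IP).
# The burst on 2016-08-15 mimics a scripted subscription-bombing run.
SIGNUPS = [
    ("2016-08-10T09:12:00", "weekly",  "alice@example.com",            "198.51.100.7"),
    ("2016-08-11T14:03:00", "weekly",  "bob@example.org",              "203.0.113.9"),
    ("2016-08-15T02:00:01", "weekly",  "clerk@agency.example.gov",     "192.0.2.10"),
    ("2016-08-15T02:00:02", "weekly",  "desk@ministry.example.gov",    "192.0.2.10"),
    ("2016-08-15T02:00:03", "deals",   "clerk@agency.example.gov",     "192.0.2.10"),
    ("2016-08-15T02:00:04", "deals",   "desk@ministry.example.gov",    "192.0.2.10"),
    ("2016-08-15T02:00:05", "product", "clerk@agency.example.gov",     "192.0.2.10"),
    ("2016-08-15T02:00:06", "product", "press@council.example.gov.uk", "192.0.2.10"),
    ("2016-08-16T10:30:00", "weekly",  "carol@example.net",            "198.51.100.22"),
]


def is_gov_address(addr):
    """True for .gov and country variants such as .gov.uk (checks the domain's last two labels)."""
    labels = addr.rsplit("@", 1)[-1].lower().split(".")
    return labels[-1] == "gov" or (len(labels) >= 3 and labels[-2] == "gov")


def daily_counts(signups):
    """Signups per calendar day, keyed by YYYY-MM-DD."""
    counts = defaultdict(int)
    for ts, _lst, _addr, _ip in signups:
        counts[ts[:10]] += 1
    return dict(counts)


def spike_days(signups, factor=3, floor=5):
    """Days whose signup count is at least `floor` and more than `factor` times the median day."""
    counts = daily_counts(signups)
    baseline = statistics.median(counts.values())
    return sorted(day for day, n in counts.items() if n >= floor and n > factor * baseline)


def audit(signups, min_lists=2, min_addrs_per_ip=3):
    """Map each suspicious address to the review criteria it matched."""
    lists_by_addr = defaultdict(set)
    addrs_by_ip = defaultdict(set)
    reasons = defaultdict(set)
    spikes = set(spike_days(signups))
    for ts, lst, addr, ip in signups:
        lists_by_addr[addr].add(lst)
        addrs_by_ip[ip].add(addr)
        if ts[:10] in spikes:
            reasons[addr].add("signed up on spike day " + ts[:10])
        if is_gov_address(addr):
            reasons[addr].add("government address")
    for addr, lists in lists_by_addr.items():
        if len(lists) >= min_lists:
            reasons[addr].add("on %d lists" % len(lists))
    for ip, addrs in addrs_by_ip.items():
        if len(addrs) >= min_addrs_per_ip:
            for addr in addrs:
                reasons[addr].add("IP %s used for %d addresses" % (ip, len(addrs)))
    return {addr: sorted(r) for addr, r in reasons.items()}


def block_candidates(report, min_reasons=2):
    """Addresses matching at least `min_reasons` criteria; review these before mailing them again."""
    return sorted(addr for addr, r in report.items() if len(r) >= min_reasons)


if __name__ == "__main__":
    for addr, why in sorted(audit(SIGNUPS).items()):
        print(addr, "->", "; ".join(why))
    print("block:", block_candidates(audit(SIGNUPS)))
```

The thresholds (`factor`, `floor`, `min_lists`, `min_addrs_per_ip`) are starting points, not rules from the post; tune them against a normal month of your own signups so that genuine subscribers who legitimately join two lists are not swept up.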

So, what are some things that senders can do to prevent their sign up forms from being abused?

  1. Implement CAPTCHA on all sign up forms: Adding a CAPTCHA system, such as Google's reCAPTCHA, to sign up forms adds a challenge-response step to every signup that stops simple bots and scripts from subscribing addresses. It raises the cost of automated abuse rather than eliminating it, so pair it with rate limiting per source IP.
  2. Implement confirmed opt-in (COI): With COI, an address is added to your list only after its owner clicks a confirmation link, so addresses submitted by an attacker never receive marketing mail and are easy to identify and purge from the pending queue. COI alone will not stop your sign up forms from being abused, and the confirmation message itself is what flooded the victims' inboxes, so send at most one confirmation per address and throttle repeat submissions.
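Both recommendations fit together in one sign-up pipeline: verify the CAPTCHA, throttle submissions per source IP, and only then issue a single confirmation token that must come back before the address is activated. The class below is an added example, not Return Path's code or any vendor's SDK; the `captcha_verifier` callable is a hypothetical hook standing in for a real provider's verification call, and the demo at the bottom uses a stub that accepts the literal token "ok".

```python
import hmac
import secrets
import time
from collections import defaultdict, deque


class SignupGuard:
    """Sign-up pipeline: CAPTCHA check, per-IP throttle, then confirmed opt-in with a single confirmation mail."""

    def __init__(self, captcha_verifier, max_per_ip=5, window_seconds=3600, clock=time.time):
        # captcha_verifier(token) -> bool; in production this would call the CAPTCHA
        # provider's verification endpoint (hypothetical hook, not a specific vendor API).
        self.captcha_verifier = captcha_verifier
        self.max_per_ip = max_per_ip
        self.window = window_seconds
        self.clock = clock
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent submissions
        self.pending = {}                   # address -> outstanding confirmation token
        self.confirmed = set()

    def _rate_limited(self, ip):
        """Sliding-window limit: every submission counts, whether or not it later succeeds."""
        now = self.clock()
        q = self.attempts[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_per_ip:
            return True
        q.append(now)
        return False

    def submit(self, email, ip, captcha_token):
        """Return ('rejected', reason) or ('pending', token); only 'pending' may trigger a confirmation mail."""
        if not self.captcha_verifier(captcha_token):
            return ("rejected", "captcha")
        if self._rate_limited(ip):
            return ("rejected", "rate-limit")
        if email in self.confirmed:
            return ("rejected", "already-subscribed")
        if email in self.pending:
            # Repeat submissions must not re-send the confirmation: that mail is the bombing payload.
            return ("rejected", "confirmation-already-sent")
        token = secrets.token_urlsafe(24)
        self.pending[email] = token
        return ("pending", token)

    def confirm(self, email, token):
        """Activate the address only if the token from the confirmation link matches (constant-time compare)."""
        expected = self.pending.get(email)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending[email]
        self.confirmed.add(email)
        return True

    def subscribers(self):
        return sorted(self.confirmed)


if __name__ == "__main__":
    # Constructed demo: the CAPTCHA stub accepts only the literal token "ok".
    guard = SignupGuard(lambda t: t == "ok", max_per_ip=2, window_seconds=60)
    print(guard.submit("alice@example.com", "192.0.2.10", "not-a-human"))
    status, token = guard.submit("alice@example.com", "192.0.2.10", "ok")
    print(status, guard.confirm("alice@example.com", token), guard.subscribers())
```

The ordering matters: the CAPTCHA is checked before anything is recorded, the throttle counts every attempt that gets past it, and an address with an outstanding confirmation is never mailed a second time. Pending entries should also be expired after a day or so in a real deployment; that bookkeeping is omitted here.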

If you have any questions about preventing sign up abuse or about dealing with a Spamhaus blacklisting please reach out to your Return Path Technical Account Manager and they would be happy to help you.


About Kent McGovern

Kent McGovern is a Client Support Manager at Return Path. Leveraging almost a decade in the email optimization industry he helps senders with their most difficult deliverability challenges such as authentication and blacklist mitigation. When he is not going through bounce logs and email headers you can usually find him on a pool table or playing video games.
