Email abuse and security risks have evolved significantly in recent years. But one decades-old threat remains difficult for even the most email-savvy brands to catch and prevent: mailbombing.
When someone uses your brand messages as part of a mail bombing attack, the impact on your sender reputation can be serious—Spamhaus-listed serious—causing harm to both your recipients and your brand.
To help you better understand what mailbombing is and how to protect your brand, let’s answer common questions like “what is a mail bomb” and explore ways you can lower your risk of email bombing.
Mailbombing, commonly referred to as mail flooding, happens when someone uses your email subscription forms—and those of other brands—to subscribe a single user to a large number of newsletters and other email communications in an attempt to render their mailbox unusable.
Mail bombing is a serious threat because it can involve potential violations of privacy and anti-spam legislation. Plus, you don’t want to have to perform a blocklist lookup because you’ve noticed a significant decrease in your email deliverability, nor do you want your legitimate commercial and transactional emails getting automatically routed to spam folders.
Even if you use confirmed opt-in with your email subscriptions, you are not immune to the reputational impact of mailbombing and the risk that your site can be used to support mail bombs.
A mailbombing/mail flooding attack uses a script to fill out hundreds of subscription forms to be sent to one email address. This process sends the target of the attack confirmation messages, subscription notifications, and other transactional messages that overwhelm their inbox and cause it to stop working for an extended period of time.
Any single email enrollment form is usually not abusive on its own, but as part of a massive subscription effort across hundreds of websites at the same time, the impact is exponential. This process makes it harder for a single company to recognize they are part of the problem.
There are several reasons people commit mailbombing:
Wondering how to stop email bombing? It takes a few different approaches. Keep reading to understand how you can best prevent mailbombing and minimize the damage to your brand if/when it is unknowingly recruited into a mail bombing attack.
Employing more than one of the following methods will help build a strong defense and prevent your company from being involved in a mail bombing attack.
Standard practice is to send a confirmation email for an email recipient to opt-in for messages from your brand. This is a necessary step to ensure your email servers do not automatically send multiple messages to a recipient without their consent.
As a part of these confirmation emails, you should implement a defined message header that identifies an email message as being sent in response to a web form submission. This helps your recipient’s email server better recognize and mitigate a potential mail bomb attack.
Create a field in your submission form that looks at the time stamp or generated key for the page load. If the submission time is less than a reasonable time—a typical person takes about a minute to fill out five fields—or if that time is missing entirely, toss the submission. A bot might take just one second to fill out an entire form.
A CAPTCHA test is commonly used to ensure that a human is completing an online form. When you enable CAPTCHA, ensure that it’s set up properly. We’ve seen multiple sites enable a CAPTCHA test but not actually configure it as part of the form submission evaluation, which effectively makes the test useless.
Continue to update your website to ensure it meets the latest security standards. Everything from your content management systems, plugins, themes, extensions, and server should be routinely updated to make certain they do not present a potential security threat.
Closely related to keeping your website updated, it’s crucial you enable security features with your website forms to reduce the likelihood of your site and email servers being used for mailbombing. This means you should:
If you suspect your email servers have been used in a mailbombing attack, take a moment to assess the situation. See if you can identify the period of time when these submissions started. Subscriptions could potentially be weeks old before you notice they’re impacting your reputation.
Tracking your daily subscription patterns over time can help you identify when it was that your normal trending pattern started to change or subscriptions started to rise more quickly than normal. Once you identify this timeframe, you can evaluate your next steps, which include the following:
Although it can be difficult to immediately know when your emails are being used in a mail bombing email attack, there are proven ways to strengthen your website forms and ensure that your website security is up to date.
To learn more about how to protect your sender reputation and ensure your email recipients are not targeted by a mailbombing attack, download our all-in-one sender reputation toolkit.