Spamhaus Subscription Bombing: Things You Need Know

On Monday, August 15 2016, some email senders started noticing an increase in the amount of IP addresses being blacklisted by the anti-spam organization Spamhaus. The Spamhaus SBL listings were the result of “Abused/ misconfigured newsletter service” as the result of spammers and malicious people “subscription bombing” newsletter signup forms.

In these cases, a large number of government addresses from different countries were subscribed through the newsletter sign up form by the use of a script/bot or an automated process. This resulted in those email addresses receiving hundreds—if not thousand—of opt-in confirmation email as well as marketing email.

Laura Atkins of posted three great blog articles giving a summary of the issue, comments from Spamhaus CEO, Steve Linford and a followup article about the ongoing attack from security reporter Brian Krebs.

Whether you have received a Spamhaus SBL listing on your sending IP addresses or not, Return Path recommends reviewing all subscribers that you acquired in August, to ensure you have not been a victim of subscription bombing.

Some of the areas to review:

  • Sudden unexplained increase in subscribers.
  • Large amounts of .gov email addresses
  • Email addresses that have signed up to multiple mailing lists you control
  • The same IP addresses used to sign up for different email addresses to your mailing lists

If you are seeing subscribers signing up from the same IP addresses or the same email addresses signed up to multiple mailing lists you should consider blocking those subscribers—doing so could prevent a future Spamhaus SBL listing.

So, what are some things that senders can do to prevent their sign up forms from being abused?

  1. Implement CAPTCHA on all sign up forms: Adding a CAPTCHA system—such as reCAPTCHA by Google to sign up forms—adds a challenge response to all signups which prevents bots and automated systems from being able to subscribe.
  2. Implement confirmed opt-in (COI): While implementing COI will not prevent your sign up forms from being abused, it will allow you to be proactive in identifying and receiving permission from real subscribers and determining which email addresses are malicious, allowing you to remove them from your list.

If you have any questions about preventing sign up abuse or about dealing with a Spamhaus blacklisting please reach out to your Return Path Technical Account Manager and they would be happy to help you.

minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time