January 3, 2019

Prevent mail bombing to protect your reputation.


A new vector of abuse has emerged in the email world. It is hard for any individual brand to catch, but when a brand's forms are caught up in it, the impact on reputation can be serious (Spamhaus-listed serious). It’s known as “mail bombing,” and it is an active and serious threat to both consumers and brands. Why is it so serious? Because the reputation impact of mail bombing includes potential violations of privacy and anti-spam legislation for false subscriptions, blacklistings, and an increase in spam folder placement for future commercial and transactional messages. Even if you are utilizing confirmed opt-in, you are not immune to the reputation impact of mail flooding.

How does mail flooding work?

This attack relies on a script filling out hundreds of subscription forms with one email address. This launches confirmation messages, subscription notifications, or other transactional messages at the victim’s mailbox to overwhelm their account and cause it to cease functioning for an extended period of time. Often a single form does not see a significant amount of abuse on its own, but as part of a massive subscription effort across hundreds of websites at the same time, the impact is exponential. This makes it harder for a single company to recognize they are part of the problem.

Why does this happen?

There are a few reasons:

  1. People think it’s a funny joke to play on a friend. While it’s possible for it to be funny for about a minute, it could result in the individual being forced to abandon their email account.
  2. Revenge against someone who has made an individual angry.
  3. The attack is being used to cover more nefarious activities, like accessing important accounts without the individual noticing. These emails will bury error messages and password reset notifications sent to the individual, or intrusion prevention notices sent to a system admin.

How do you protect your forms against this attack?

We find it takes a few different approaches to best prevent this type of abuse. Using several of these options together will build a strong form that is harder to recruit to a mail bombing attack.

  1. Look at how the form submits information; limiting submission to just that page makes a real difference. Eliminate the ability for someone to map the form submission and then automate their way around the web page. This adds friction to the submission process, and the attacker will usually move on.
  2. Consider adding a Captcha, and ensure it is set up properly. We’ve seen them set up, but not actually configured to be part of the form submission evaluation, making them basically useless.
  3. Add in rate limits preventing the form from being submitted multiple times by the same IP over a period of time. This works when the same IP is hitting the form repeatedly, though some bots change IPs all the time.
  4. If you only service a small geographical region, you might limit the form by region (showing form only when the IP matches a set area).
  5. Add blank fields to the form that only a bot might fill out, but a person would never see. For instance, make a visible email field and an invisible email field (human eyes won’t see it, but bots can read the code), and reject any submission with both fields filled.
  6. Create a field that looks at the time stamp or generated key for the page load, and if the submission time is less than a reasonable time you think it might take for someone to fill it out, or if that time is missing entirely, toss the submission. Automated forms will be filled out much too quickly. A typical person should take about a minute to fill out five fields, while a bot might take just one second.
  7. Some address validation services might catch this type of behavior, so if you use one or are considering one, it’s at least something to ask about.
  8. Change the name of the fields to something other than standard code, like “firstname, lastname, email,” to something like “First_Banana, Last_Apple, Em_Orange.” While it might feel silly, the scripts running these submissions are looking for common field name variations to submit to. Unusual form fields won’t register.
  9. Consider using the new standard (currently in draft) found here: “A Message Header to Identify Subscription Form Mail.” Implement a defined message header identifying that an email message is being sent in response to a web form submission, to help recipient mail systems better recognize and mitigate the mail bomb.
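
A server-side check combining items 3, 5 and 6 above, as an added example that is not code from the original post. The field names (email_confirm, token), the thresholds and the in-memory store are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

SECRET = b"replace-with-random-server-secret"  # assumption: per-deployment key
MIN_FILL_SECONDS = 5   # assumed: anything faster is treated as automated
MAX_TOKEN_AGE = 3600   # assumed: page-load tokens expire after an hour
RATE_LIMIT = 3         # assumed: accepted submissions per IP per window
RATE_WINDOW = 600      # window length in seconds

recent = defaultdict(deque)  # ip -> timestamps of accepted submissions


def sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Return 'timestamp.signature' for a hidden field set at page load."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{sign(ts)}"


def check_submission(form, ip, now=None):
    """Return (accepted, reason) for one form submission."""
    now = time.time() if now is None else now
    # Item 5: the hidden decoy field (hypothetical name) must stay empty.
    if form.get("email_confirm", ""):
        return False, "honeypot"
    # Item 6: the page-load token must be present and authentic...
    ts, _, sig = form.get("token", "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad_token"
    if not hmac.compare_digest(sig.encode(), sign(ts).encode()):
        return False, "bad_token"
    # ...and neither too fresh (filled in too quickly) nor stale.
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "too_fast"
    if age > MAX_TOKEN_AGE:
        return False, "expired"
    # Item 3: sliding-window rate limit per source IP.
    window = recent[ip]
    while window and now - window[0] > RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return False, "rate_limited"
    window.append(now)
    return True, "ok"
```

A valid token can be replayed until it expires, so the rate limit still matters; tying the token to a session or accepting it only once closes that gap.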

What if your forms were involved in a mail bombing?

Take a step back and take a moment to assess the situation. See if you can identify the period of time in which these submissions started. Subscriptions could potentially be weeks old before you notice them impacting your reputation. Trending your daily subscription patterns over time could show when your normal pattern started to change and subscriptions started to rise faster than normal. Once you identify this timeframe, you can evaluate your next steps.

  1. See if there is a way to identify the forged subscribers’ segment and remove them from your list: a) look for data points that seem machine-generated (garbage data); and b) look for the same IP address submitting the forms over and over.
  2. Take the form offline while you are correcting the code to address the attack.
  3. Once you identify the timeline, segment all users within it and suppress them from your current programs during the investigation. Consider removing identified names altogether and also consider sending a confirmation of consent to addresses that look to be normal.
  4. Relaunch your site with a more secure version of your form.
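
The triage described above (finding when daily signups broke from the normal pattern, then splitting the affected window by repeating IP), as an added example that is not code from the original post. The row layout, thresholds and sample data are constructed, and it assumes the first days of the export predate the attack.

```python
from collections import Counter
from datetime import date
from statistics import median


def build_sample():
    """Constructed export: (signup_date, source_ip, email) rows."""
    rows = []
    for d in range(1, 8):
        day = date(2018, 12, d)
        for n in range(2):  # normal traffic: two signups a day
            rows.append((day, f"192.0.2.{d * 10 + n}", f"user{d}{n}@example.com"))
        if d >= 5:          # constructed attack: one IP, eight signups a day
            for n in range(8):
                rows.append((day, "198.51.100.7", f"x{d}{n}q@example.net"))
    return rows


def find_onset(rows, baseline_days=3, factor=3):
    """First day whose signup count exceeds factor x the early baseline."""
    daily = Counter(day for day, _, _ in rows)
    days = sorted(daily)
    baseline = median(daily[d] for d in days[:baseline_days])
    for d in days[baseline_days:]:
        if daily[d] > factor * baseline:
            return d
    return None


def repeat_ips(rows, since, min_hits=5):
    """IPs that submitted the form at least min_hits times since onset."""
    hits = Counter(ip for day, ip, _ in rows if day >= since)
    return {ip for ip, n in hits.items() if n >= min_hits}


def triage(rows):
    """Return (onset, addresses to remove, addresses to re-confirm)."""
    onset = find_onset(rows)
    if onset is None:
        return None, [], []
    bad = repeat_ips(rows, onset)
    in_window = [r for r in rows if r[0] >= onset]
    remove = [email for _, ip, email in in_window if ip in bad]
    reconfirm = [email for _, ip, email in in_window if ip not in bad]
    return onset, remove, reconfirm
```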

There really is no one-size-fits-all solution to this problem, but all of these solutions will help minimize the impact to your brand if/when it is unknowingly recruited into a mail bombing attack against a user. If you do find yourself at the center of a reputation crisis caused by mail bombing, let us know.

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.
