January 3, 2019

Prevent mail bombing to protect your reputation.


A new vector of abuse emerged in the email world, one that is hard for any individual brand to catch, but when targeted, the impact on reputation can be serious (Spamhaus-listed serious). It’s known as “mail bombing,” and it is an active and serious threat to both consumers and brands. Why is it so serious? Because the reputation impact of mail bombing includes potential violations of privacy and anti-spam legislation for false subscriptions, blacklistings, and an increase in spam folder placement for future commercial and transactional messages. Even if you are utilizing confirmed opt-in, you are not immune to the reputation impact of mail flooding.

How does mail flooding work?

This attack relies on a script filling out hundreds of subscription forms to one email address. This process launches confirmation messages, subscription notifications, or other transactional messages to the victim’s mailbox to overwhelm their account and cause it to cease functioning for an extended period of time. Many times a single form is not abusive in a significant number on its own, but as part of a massive subscription effort across hundreds of websites at the same time, the impact is exponential. This process makes it harder for a single company to recognize they are part of the problem.

Why does this happen?

There are a few reasons:

  1. People think it’s a funny joke to play on a friend. While it’s possible for it to be funny for about a minute, it could result in the individual being forced to abandon their email account.
  2. Revenge against someone that has made an individual angry.
  3. The attack is being used to cover more nefarious activities, like accessing important accounts without the individual noticing. These emails will cover error messages and password rest notifications sent to the individual, or intrusion prevention notices sent to a system admin.

How do you protect your forms against this attack?

We find it takes a few different approaches to best prevent this type of abuse. Using several of these options together will build a strong form that is harder to recruit to a mail bombing attack.

  1. Look at how the form submits information and limiting the activity to just that page makes a good impact. Eliminate the ability for someone to map the form submission and then automate their way around the web page. It adds friction to the submission process and the attacker will usually move on.
  2. Consider adding a Captcha. Ensure it was set up properly. We’ve seen them set up, but not actually configured to be part of the form submission evaluation, making them basically useless.
  3. Add in rate limits preventing the form from being submitted multiple times by the same IP over a period of time. This works when the same IP is hitting the form repeatedly, though some bots change IPs all the time.
  4. If you only service a small geographical region, you might limit the form by region (showing form only when the IP matches a set area).
  5. Add blank fields to the form that only a bot might fill out, but a person would never see. For instance, make a visible email field, and an invisible email field (human eyes won’t see them, but bots can read the code), and negate any with both fields filled.
  6. Create a field that looks at the time stamp or generated key for the page load, and if the submission time is less than a reasonable time you think it might take for someone to fill it out, or if that time is missing entirely, toss the submission. Automated forms will be filled out much too quickly. A typical person should take about a minute to fill out five fields, while a bot might take just one second.
  7. Some address validation services might catch this type of behavior, so if you use one or are considering one, it’s at least something to ask about.
  8. Change the name of the fields to something other than standard code, like “firstname, lastname, email,” to something like “First_Banana, Last_Apple, Em_Orange.” While it might feel silly, the scripts running these submissions are looking for common field name variations to submit to. Unusual form fields won’t register.
  9. Consider using the new standard (currently in draft) found here: “A Message Header to Identify Subscription Form Mail.” Implement a defined message header identifying an email message is being sent in response to a web form submission to help the recipient mail systems better recognize and mitigate the mail bomb.

What if your forms were involved in a mail bombing?

Take a step back and take a moment to asses the situation. See if you can identify the period of time in which these submissions started. Subscriptions could potentially be weeks old before you notice them impacting your reputation. Trending your daily subscription patterns over time could show when your normal pattern started to change and subscriptions started to rise faster than normal. Once you identify this timeframe, you can evaluate your next steps.

  1. If there is a way to identify the forged subscribers’ segment and remove them from your list: a) Look for data points seemingly machine-generated (garbage data); and b) Look for the same IP address submitting the forms over and over.
  2. Take the form offline while you are correcting the code to address the attack.
  3. Once you identify the timeline, segment all users within it and suppress them from your current programs during the investigation. Consider removing identified names altogether and also consider sending a confirmation of consent to addresses that look to be normal.
  4. Relaunch your site with a more secure version of your form.

There really is no one-size-fits-all solution to this problem, but all of these solutions will help minimize the impact to your brand if/when it is unknowingly recruited into a mail bombing attack against a user. If you do find yourself at the center of a reputation crisis caused by mail bombing, let us know.

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.

You may also like...

The Year in Email 2019

It’s hard to believe we are nearing the end of yet another exciting year in email, and 2019 proved to be one of the most momentous and active years to date. Over the past year, the number of new technologies, mergers and acquisitions, mailbox provider (MBP) announcements, news, and highlights is evidence of the versatility […]

[Infographic] Global Privacy Relationship Status: It’s Complicated

I recently gave a presentation on global privacy regulations to a post-graduate marketing class and one of the things I noticed while preparing was that even within a single country, privacy is complicated. On a global scale, it is really complicated. For example, Canada has one federal private sector privacy law, three similar provincial laws, […]

The Year in Email 2018

*Update: This article was featured on email influencer Jordie van Rijn’s emailmonday blog! To see it in action, plus a great round-up of other articles and thought leadership looking forward to the future of email, click here.* The Black Friday emails are deleted, marketers’ email lists are checked twice, we pretty much know which senders […]

Ready to get started?