Are You Aware of This Hidden Danger of Collecting Email Addresses on Your Website?


Subscription bombing, also known as mail bombing, is an internet-wide trend where malicious bots attack a person via their email address, ultimately rendering the address and email account useless for a period of time. In this article, we’ll discuss how you – the sender, can be compromised by an attack if the forms on your website that collect email addresses are not protected, and this will often happen without you even knowing.

We’ll also explain why you should be worried about subscription bombing and how it can impact both your marketing and transactional email like newsletters, promotional offers, password resets, and more.

Finally, we’ll finish the article by telling you the one thing that you can do to defend yourself from being caught up in this malicious activity.

What is Subscription Bombing?

So what is Subscription Bombing anyway?

Well, Subscription Bombing happens when a victim’s email address is entered into thousands of forms simultaneously by bots, resulting in a barrage of unwanted messages (sometimes as many as 20k+) to the victim’s mailbox. When this happens, the victim’s email address will often become unusable as a result of the sheer volume of mail that’s delivered to the single email address.

How You’re Involved in This Process as the Sender:

If you collect email addresses on your website with an unprotected form, then you can easily become one of the thousands of senders simultaneously delivering mail to a victim’s address. This can result in a number of negative consequences for you, such as hitting spam traps and getting blocklisted, ultimately impacting the deliverability of both your marketing and/or transactional email.
How subscription bombing works

In the diagram above, the bot simply submits the victim’s email address into your unprotected form (and thousands of other forms). After the email address is submitted, the victim will begin to receive thousands of confirmations and other emails. In addition, you could continue sending messages to the victim if you are not using a confirmed opt-in mechanism.

How Subscription Bombing Affects You

An important distinction to make is the role that you (the sender) plays in Subscription Bombing. For example, you’re not the victim who is receiving thousands of messages. But, instead – you are one of the thousands of senders spamming the victim’s email address, even if you’re sending out good content. As you can imagine, this can lead to many negative side effects, such as:

Your IP Address Could be Blocklisted:

Failure to deal with the issue of abusing email addresses via Subscription Bombing, may result in your IP address becoming blocklisted by Spamhaus, a blocklist organization.

Spamhaus is actively identifying and blocking IP addresses of senders who are vulnerable to Subscription Bombing. A blocklisting from Spamhaus could have a major impact on your deliverability, since such a blocklisting will prevent you from reaching roughly 60% of email addresses worldwide.

Continuing the Abuse:

If your systems are susceptible to abuse and send out content to a victim as part of a Subscription Bombing, then it will continue to happen until steps have been taken to mitigate the issues.

List Quality Suffers:

Since individual victims of Subscription Bombing attacks are real, it can be difficult to identify if one of your subscribers is a genuine subscriber, or a victim of a Subscription Bombing attack. As more victims of Subscription Bombs enter your list, your overall list quality will begin to suffer, especially if you don’t have any data hygiene practices in place, such as using an Automatic Suppression List.

Sender Reputation May Decrease:

Your sender reputation may decrease as a result of being blocklisted by Spamhaus and the increase in complaints from affected recipients. This will ultimately impact your ability to reach the inbox.

Now that we discussed some of the reasons why you should be worried about Subscription Bombing, let’s take a look at what you can do right now, to better defend your systems from being vulnerable.

How SocketLabs Helps You

At SocketLabs, our Email Deliverability Team is always monitoring our network for unusual activity and working on ways to fight back against Subscription Bombing. Our Deliverability Team uses a 7+ step process for identifying abuse. If you have any questions about whether or not your systems may have been compromised, then you can contact our Email Deliverability Team – here.

You are the only one that can protect yourself from Subscription Bombing, and you do that by following best practices which we discuss next. So, when it comes to Subscription Bombing, you are your first and last line of defense. That’s why you should take all necessary steps to defend yourself.

How to Defend Yourself

Here’s the one thing that you can do right now, to defend yourself:

Protect the Subscription Forms on Your Website:

Currently, the only way to prevent your system from being used in a Subscription Bombing attack is to implement any form of Bot mitigation, including: adding a captcha to the form, honeypot form fields, and IP/UserAgent blocklists. 

SocketLabs recommends introducing a captcha to your form at the very least. This is one of the most effective ways to prevent a malicious bot from entering a victim’s email address into your list.

One of the most advanced and user-friendly captcha’s that you can use is the Google reCAPTCHA, also known as the No CAPTCHA.

With the Google reCAPTCHA, a significant number of your users can now attest they are human without having to solve a CAPTCHA. With just a single click they’ll confirm they are not a robot.

At SocketLabs, we use Google’s advanced reCAPTCHA technology in all of our Email Capture Forms to help prevent bots from submitting a victim’s email through your form.

SocketLabs offers free email capture forms as part of our suite of Simple Email Marketing Tools. Our forms come with reCAPTCHA pre-installed, so you don’t have to do the work of adding a captcha form yourself. If you’d like to use captcha to defend yourself from Subscription Bombing, then you can replace any existing, unprotected forms with our embedded or popup forms.

What About Confirmed Opt-in?

You may have read on other sites that Confirmed Opt-in (COI), also known as Double Opt-in, is also a solution. However, it’s important to note that Confirmed Opt-in will not prevent your system from being abused, since the victim will receive the first email from you, regardless of whether or not you’re using COI. Also, the vast majority of abused services are only sending a single email without further action.

COI however, will make cleanup a little less miserable for the victim and it will prevent you from sending further follow-up that could trigger the victim to click the spam button. So, while COI is not a solution for preventing your system from being vulnerable to a Subscription Bomb attack, it’s a highly recommended best practice for mitigating damage.

Use the Suppression List as Part of Your Cleanup Process:

By the time you realize that your system has been abused, your resources have most-likely already been used repeatedly by attackers.

If a subscription request will only lead to a limited number of emails, such as a single notification or COI email, then you’ll want to suppress follow-up emails to any recipient that you can identify. If you’re a SocketLabs user, then you can easily add a victim’s address to your Automatic Suppression List.

If the victim will continue receiving emails indefinitely after they’ve subscribed, then in addition to adding the email to your Suppression List, some extra list hygiene is called for – such as looking for other subscriptions from the same IP address.

Here’s What to Do Next

Check your website to ensure that all of your forms are protected and using some form of bot mitigation, such as captcha.

To protect your forms with SocketLabs – just login to your account and go to the Email Marketing section of your Control Panel to get started.

If you’re not a SocketLabs user, then you can try our captcha protected signup forms for free. Click here to signup for an account.

Have questions?

If you have any questions, then please don’t hesitate to reach out to our Support Team. You can visit the Support Center to open a ticket. After you submit your ticket, an Email Expert will get back to you as soon as possible.