Email abuse and security risks have evolved significantly in recent years. But one decades-old threat remains difficult for even the most email-savvy brands to catch and prevent: mailbombing.
When someone uses your brand messages as part of a mail bombing attack, the impact on your sender reputation can be serious—Spamhaus-listed serious—causing harm to both your recipients and your brand.
To help you better understand what mailbombing is and how to protect your brand, let’s answer common questions like “what is a mail bomb” and explore ways you can lower your risk of email bombing.
What is mailbombing?
Mailbombing, commonly referred to as mail flooding, happens when someone uses your email subscription forms—and those of other brands—to subscribe a single user to a large number of newsletters and other email communications in an attempt to render their mailbox unusable.
Mail bombing is a serious threat because it can involve potential violations of privacy and anti-spam legislation. Plus, you don’t want to have to perform a blocklist check because you’ve noticed a significant decrease in your email deliverability, nor do you want your legitimate commercial and transactional emails getting automatically routed to spam folders.
Even if you use confirmed opt-in with your email subscriptions, you are not immune to the reputational impact of mailbombing and the risk that your site can be used to support mail bombs.
How do mail bombs work?
A mailbombing/mail flooding attack uses a script to fill out hundreds of subscription forms, all with the same target email address. The target then receives a flood of confirmation messages, subscription notifications, and other transactional messages that overwhelms their inbox and leaves it unusable for an extended period of time.
Any single email enrollment form is usually not abusive on its own, but as part of a mass subscription effort across hundreds of websites at the same time, the combined impact is overwhelming. This distribution also makes it harder for any single company to recognize that it is part of the problem.
There are several reasons people commit mailbombing:
People think it’s a funny joke to play on a friend. It isn’t. And it could result in the target being forced to abandon their email account.
Revenge against someone who has made the attacker angry. For example, journalists are often targeted by mailbombing attacks.
The attack is used to cover other malicious activity that requires accessing important accounts without the owner noticing. The flood buries the error messages and password reset notifications sent to the individual, or the intrusion prevention notices sent to a system admin, among thousands of unwanted messages.
5 steps to prevent mail bombing
Wondering how to stop email bombing? It takes a few different approaches. Keep reading to understand how you can best prevent mailbombing and minimize the damage to your brand if/when it is unknowingly recruited into a mail bombing attack.
Employing more than one of the following methods will help build a strong defense and prevent your company from being involved in a mail bombing attack.
1. Allow recipients to opt-in with email validation
A standard practice is to send a confirmation email asking the recipient to confirm that they opt in to messages from your brand. This step is necessary to ensure your email servers do not automatically send multiple messages to a recipient without their consent.
As a part of these confirmation emails, you should implement a defined message header that identifies an email message as being sent in response to a web form submission. This helps your recipient’s email server better recognize and mitigate a potential mail bomb attack.
2. Create filtering systems
Add a hidden field to your submission form that records the time stamp or a generated key for the page load, and compare it with the submission time. If the form was submitted in less than a reasonable time (a typical person takes about a minute to fill out five fields), or if that value is missing entirely, reject the submission. A bot might take just one second to fill out an entire form.
3. Enable CAPTCHA
A CAPTCHA test is commonly used to ensure that a human is completing an online form. When you enable CAPTCHA, ensure that it’s set up properly. We’ve seen multiple sites enable a CAPTCHA test but not actually configure it as part of the form submission evaluation, which effectively makes the test useless.
4. Keep your website up to date
Continue to update your website to ensure it meets the latest security standards. Your content management system, plugins, themes, extensions, and server should all be routinely updated so that none of them presents a potential security weakness.
5. Optimize your form security features
Closely related to keeping your website updated, it’s crucial you enable security features with your website forms to reduce the likelihood of your site and email servers being used for mailbombing. This means you should:
Create unconventional field names. Change the field names from the standard ones, such as “firstname, lastname, email,” to something like “First_Banana, Last_Apple, Em_Orange.” While it might seem silly, the scripts running these submissions look for common field name variations to submit to, and unusual field names won’t match.
Employ rate limits. Add rate limits that prevent your subscription forms from being submitted by the same IP address multiple times over a short period of time. Note that some bots will change IPs, so this is not a guaranteed defense.
Limit geography. If you only serve a small geographical region, you might want to limit your form use by region, only showing the form when the IP address matches a set area.
Use blank fields. Add fields to the form that a person would never see but a bot might fill out. For instance, make a visible email field as well as an invisible email field (human eyes won’t see it, but bots read the code), and reject any submission with both fields filled.
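The following is an added example (not code from the original article) that puts steps 1, 2 and 5 into one form handler: a signed page-load token with a minimum fill time, a hidden honeypot field, unconventional field names, a per-IP rate limit, and a confirmation email that labels itself as a web-form response. The field names, the secret, the limits and the header name are all assumptions chosen for the example.

```python
import hashlib, hmac, time
from collections import defaultdict, deque
from email.message import EmailMessage

SECRET = b"constructed-demo-secret"   # assumption: a per-site secret; generate a real one in production
MIN_FILL_SECONDS = 20                  # well under the ~1 minute a person takes for five fields
RATE_LIMIT, RATE_WINDOW = 5, 600       # at most 5 accepted submissions per IP per 10 minutes
_recent = defaultdict(deque)           # in-memory rate-limit state: IP -> accepted submit times

def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def issue_form_token(now=None):
    """Rendered into a hidden field at page load: timestamp plus HMAC so it cannot be forged."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"

def verify_submission(fields, ip, now=None):
    """Return (accepted, reason) for a POSTed form dict; field names are the odd ones on purpose."""
    now = time.time() if now is None else now
    ts, _, sig = fields.get("Tok_Kiwi", "").partition(".")
    if not ts or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "missing or forged page-load token"
    if now - int(ts) < MIN_FILL_SECONDS:
        return False, "submitted faster than a person could fill the form"
    if fields.get("Em_Lemon"):            # honeypot: hidden from people, filled only by bots
        return False, "hidden honeypot field was filled"
    if not fields.get("Em_Orange"):       # the real (visible) email field
        return False, "email address missing"
    q = _recent[ip]
    while q and now - q[0] > RATE_WINDOW:  # drop accepted submissions outside the window
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False, "rate limit exceeded for this IP"
    q.append(now)
    return True, "ok"

def confirmation_email(to_addr):
    """Opt-in confirmation that labels itself as a response to a web form (step 1)."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Please confirm your subscription"
    msg["Form-Sub"] = "1"   # assumption: the M3AAWG-suggested header name; use what your receivers honour
    msg.set_content("If you did not request this, ignore this message and nothing more will be sent.")
    return msg
```

The rate-limit state is an in-process dict, so a real deployment behind several web servers would keep it in a shared store instead.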
What to do if your forms are used for email mailbombing
If you suspect your email servers have been used in a mailbombing attack, take a moment to assess the situation. See if you can identify the period of time when these submissions started. Subscriptions could potentially be weeks old before you notice they’re impacting your reputation.
Tracking your daily subscription patterns over time can help you identify when your normal trend changed or subscriptions started to rise faster than usual. Once you identify this timeframe, you can evaluate your next steps, which include the following:
Identify the forged subscribers’ segment, if you can, and remove them from your list: a) look for data points that appear machine-generated (i.e., garbage data), and b) look for the same IP address submitting forms over and over.
Take the form offline while you’re correcting the code to address the attack.
Once you identify the timeline, segment all users within it and suppress them from your current programs during the investigation. Consider removing identified names altogether and sending a confirmation of consent to addresses that appear to be normal.
Relaunch your site with a more secure version of your form.
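As an added example (not part of the original article), the following script applies the triage above to a constructed subscription log: it finds the days when sign-ups spiked against the baseline, flags IP addresses that submitted repeatedly, and splits the spike-period subscribers into addresses to remove outright (garbage data or hammering IP) and addresses that look normal and should get a consent confirmation. The log format, the spike factor and the garbage heuristic are assumptions for the example.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample of a subscription log (day, source IP, first name, email); not real data.
SAMPLE_LOG = """\
2024-03-01,198.51.100.10,Maria,maria@example.org
2024-03-01,198.51.100.11,John,john@example.net
2024-03-02,198.51.100.12,Ana,ana@example.org
2024-03-03,203.0.113.5,xkqzt,target@example.com
2024-03-03,203.0.113.5,qwrpl,target@example.com
2024-03-03,203.0.113.5,Jane,target@example.com
2024-03-03,203.0.113.6,Liu,liu@example.org
2024-03-03,203.0.113.7,Bob,bob@example.net
2024-03-03,203.0.113.8,mkzptrv,victim@example.com
"""

# Assumed heuristic: a "name" of five or more letters with no vowel at all looks machine-generated.
GARBAGE_NAME = re.compile(r"^[^aeiouy]{5,}$", re.I)

def parse_log(log):
    rows = []
    for line in log.strip().splitlines():
        day, ip, name, email = line.split(",")
        rows.append({"day": day, "ip": ip, "name": name, "email": email})
    return rows

def spike_days(rows, factor=3.0):
    """Days whose sign-up count exceeds `factor` times the mean of all other days."""
    per_day = Counter(r["day"] for r in rows)
    spikes = []
    for day, n in per_day.items():
        others = [c for d, c in per_day.items() if d != day]
        if others and n > factor * mean(others):
            spikes.append(day)
    return sorted(spikes)

def repeated_ips(rows, threshold=3):
    """IP addresses that submitted the form `threshold` or more times."""
    return sorted(ip for ip, n in Counter(r["ip"] for r in rows).items() if n >= threshold)

def triage(rows):
    """Split addresses subscribed during a spike into (remove, reconfirm); removal wins on conflict."""
    spikes, bad_ips = set(spike_days(rows)), set(repeated_ips(rows))
    remove, reconfirm = set(), set()
    for r in rows:
        if r["day"] not in spikes:
            continue
        if GARBAGE_NAME.match(r["name"]) or r["ip"] in bad_ips:
            remove.add(r["email"])      # machine-looking data or a hammering IP: drop outright
        else:
            reconfirm.add(r["email"])   # looks normal: send a consent confirmation instead
    return sorted(remove), sorted(reconfirm - remove)
```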
Preventing email bombing protects your subscribers
Although it can be difficult to know immediately when your emails are being used in a mail bombing attack, there are proven ways to strengthen your website forms and ensure that your website security is up to date.