Understanding Subscription Bombing

Article: 000050568
Updated: July 26, 2024

Subscription bombing can cause many kinds of problems when spambots flood your system with fraudulent sign-ups. This type of abuse is becoming more common. You should know the ways to identify subscription bombing, minimize impact, and prevent further attacks.

This article will provide information on subscription bombing.


Users:
Administrators 
Company Managers 
Marketing Managers 
Sales Managers  
Salespersons  
Jr. Salespersons  

Tip: Are you looking for information about Constant Contact’s Email and Digital Marketing product? This article is for Constant Contact’s Lead Gen & CRM product. For that product, see the Email and Digital Marketing articles instead.

 


Defining Subscription Bombing

Subscription bombing is a form of abuse caused by spambots (automated computer programs) submitting fraudulent information through forms on websites. Subscription bombing may also be referred to as form abuse, list bombing, or mail-bombing.

The intended use of subscription bombing can include:

  • Harassing recipients by flooding their inbox with emails sent in response to the form-fill
     
  • Negatively impacting a company’s sending reputation
     
  • Intentionally distracting recipients to prevent them from seeing a legitimate account alert email
     
  • Harassing your company or email service provider (ESP) to start a denial-of-service (DoS) event


Potential Hazards

There are many hazards that can come from form abuse. For example, fraudulent email sign-ups will result in the sending of unsolicited mail. This, in turn, will cause an increase in spam complaints, spam trap hits, unsubscribes, and hard bounces. These fraudulent sign-ups will then begin to force your system to send emails to the fraudulent addresses.

This is a problem because sending too many emails too quickly (in these cases, potentially upwards of thousands of times within a span of minutes) can result in your sending IP (Internet Protocol) addresses being blocked by major Internet service providers (ISPs) like Gmail or Yahoo. These ISPs can then block you from delivering mail, which will in turn diminish your deliverability.
 



Protecting Yourself

You have several tools available to protect yourself from subscription bombing. Consider the following:

  • Use hidden fields. These fields are hidden from human view. If a hidden field on a form is filled out, that suggests spambot activity.
     
  • Use opt-in methods, such as double opt-in. Your leads need to confirm that they want to receive your content, known as opting in. This is normally done by having leads click a link to confirm that they want to remain subscribed to your emails. If you have a subscription bombing event, only the confirmation email will be sent. This minimizes the risk of repeated email sends to fraudulent email sign-ups.
     
  • Enforce reCAPTCHA security on your forms. Spambots are unable to complete reCAPTCHA tasks like humans can. Lead Gen & CRM forms come with the option to enable reCAPTCHA by default. Third-party forms will need reCAPTCHA implemented. 
     
  • Look for data abnormalities. Routinely look for suspicious sign-ups. This activity is often seen in strange name and domain information. Spambots often enter in a mix of letters and numbers in the name fields. Domain issues often reveal that spambots are hosted in countries your company does not provide service to. It is not uncommon for companies to visually identify a subscription bombing event by looking at their data and identifying those abnormalities when compared to their usual form submissions.
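
The hidden-field and data-abnormality checks above, combined with a simple sign-up burst counter, as an added server-side example (not Constant Contact's code). The hidden field name `website_url`, the field names, the thresholds, and the use of the email's top-level domain as a stand-in for country are all assumptions.

```python
import re
from collections import deque

HONEYPOT_FIELD = "website_url"  # hypothetical hidden field; humans never see or fill it
BURST_LIMIT = 20                # assumed: sign-ups tolerated per window
BURST_WINDOW = 60               # assumed window length in seconds

# A name containing both letters and digits, the abnormality described above
MIXED_NAME = re.compile(r"(?=.*[A-Za-z])(?=.*\d)")


def screen_submission(form, allowed_tlds=None):
    """Return the reasons a form submission looks automated (empty list = clean)."""
    reasons = []
    if (form.get(HONEYPOT_FIELD) or "").strip():
        reasons.append("honeypot_filled")
    for field in ("first_name", "last_name"):
        if MIXED_NAME.search(form.get(field) or ""):
            reasons.append(f"mixed_alnum_{field}")
    domain = (form.get("email") or "").rpartition("@")[2].lower()
    # Assumption: the top-level domain approximates where the address is hosted
    if allowed_tlds is not None and domain.rpartition(".")[2] not in allowed_tlds:
        reasons.append("unexpected_domain_region")
    return reasons


class BurstDetector:
    """Reports True once more than `limit` sign-ups arrive within `window` seconds."""

    def __init__(self, limit=BURST_LIMIT, window=BURST_WINDOW):
        self.limit, self.window, self.times = limit, window, deque()

    def record(self, ts):
        self.times.append(ts)
        while self.times and ts - self.times[0] > self.window:
            self.times.popleft()  # drop sign-ups that fell out of the window
        return len(self.times) > self.limit


# Constructed sample submissions, not real data
SAMPLES = [
    {"first_name": "Dana", "last_name": "Ortiz", "email": "dana@example.com", "website_url": ""},
    {"first_name": "x9k2qa", "last_name": "Lee", "email": "a1@example.ru", "website_url": ""},
    {"first_name": "Sam", "last_name": "Roe", "email": "sam@example.org", "website_url": "http://x"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["email"], screen_submission(s, allowed_tlds={"com", "org"}))
```

Flagged submissions are best held for review rather than silently dropped, and a `True` from `BurstDetector.record` is the cue to pause form-triggered automation as described under "When Events Occur".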


When Events Occur

In the event of a subscription bombing, do the following:

  1. Pause all automation that uses the "when a lead fills out a form" trigger.
  2. Secure your forms using reCAPTCHA.
  3. Clear out the fraudulent form sign-ups.
  4. Communicate with your ISP.

Doing this during a subscription bombing event will help to prevent further submissions and email sends. Only after you have cleaned out your database and secured your email forms should you restart your forms and automation events.

Contact Support for more information on modifying Lead Gen & CRM settings or disabling features during a subscription bombing event.

 

