On Monday, August 15, people all over the world woke up to find their email inboxes stuffed with unwanted email, victims of an organized and relentless “subscription bombing” attack. This attack used a bot designed to find sign-up forms and enter thousands of email addresses on a site before moving on to the next one, where the process was repeated. Before the bot was through, each address ended up subscribed to hundreds of newsletters. The owners of the email addresses remained unaware of what had happened until they started receiving the emails. Faced with what appeared to be unsolicited emails, they did what many people would do in this situation: they flagged the mailings as spam, which sent the reputation scores for the attacked companies spiraling down.¹

Most of the companies that were victims of this attack were respectable, legitimate companies whose only crime was that they made their newsletter sign-up processes too easy, also making it easy for attackers to enter false information. Many well-respected email senders suddenly were having trouble landing in the inbox and were getting relegated to junk status. Even the New York Times felt the effects of this attack.

The attacks started over the weekend, but because not everyone checks their mail services on Saturdays and Sundays, by Monday morning some accounts were packed with new, unwanted emails. In many cases, the amount of emails was massive enough to make it impossible to identify and separate the legitimate mailings from the junk. More diligent people took the time to try and unsubscribe from these emails, but as security expert Brian Krebs noted, “By the time I’d finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails.” For most people, the easiest solution was to select all the new email and either delete it or mark it as spam, which sent reputation scores spiraling. Suddenly, hundreds of a company’s mailings were being identified as spam, landing several legitimate companies on blacklists.

High-profile companies that use a single opt-in method without a verification test appeared to be the most at risk, but were, by no means, the only ones affected. Many of the sign-up email addresses ended in “.gov,” suggesting that the attack might have had a political motive behind it. A belief strengthened by the recent Russian hacker reports. Some people have speculated that it was simply the work of bored computer geeks out for kicks. Whatever the reason, it caused many legitimate companies to wind up being blacklisted.

No Easy Unsubscribe

The problem was exacerbated by the fact that, by its very structure, there’s no quick way to mass unsubscribe from several email subscriptions. It’s easy to select a dozen emails and either delete them or send them to the spam folder, because both of these actions occur within the mail reader. Unsubscribing is a little trickier. Each piece of email must be unsubscribed from separately. There’s no way to select a batch of emails and unsubscribe from them en masse because the unsubscribe information for each piece of email is going to a different place and is handled in a different fashion. Some require verification, others present a display of settings that need to be unchecked.

Some services, such as Gmail, Outlook.com, and the latest update to the iPhone’s Mail app feature an unsubscribe button, but only when the unsubscribe link in the email leads to automatic unsubscribe. Links with multiple choices, or multiple step unsubscribes don’t show up. So when hundreds of emails arrive in the inbox at the same time, nobody (Brian Krebs notwithstanding) is going to go to the trouble of trying to unsubscribe separately from all those mailings. It is far easier to accomplish the same effect by selecting everything and deleting it, but since none of these emails were actually solicited, it is even more likely for people to use the spam button to show their dissatisfaction. When enough people do this, blacklisting services, such as SpamCop, Junk Email FIlter, Barracuda, and especially Spamhaus, sit up and take notice.

Blacklists

How each of these blacklist services handles junk mail varies, with equally varied results in terms of effectiveness. The most well-known and commonly used blacklisting service is Spamhaus. When Spamhaus decides to put you on their “Spamhaus Block List” (SBL), you’ve got a serious problem. Everyone from Yahoo to McAfee, and Gmail (to some extent) use the SBL data, so staying off this list is mandatory of you ever want your mailings to be read.

After this latest subscription attack, we saw several obviously legitimate news organizations end up on blacklists after this attack. Getting on this list is relatively easy. Getting off it often takes a concerted effort by your ESP or deliverability team. How difficult that process is will depend on several factors, such as past transgressions as well as subjective considerations, such as the general impression of your site by the people at the blacklist service (and not just Spamhaus either).

The Double Opt-In

Spamhaus has always maintained that the double opt-in (DOI—also known as the confirmed opt-in) will help prevent surreptitious sign-ups. Some services, such as MailChimp, now use double opt-ins exclusively (much to the dismay of their subscribers if the questions Quora and Reddit are any indication). But a DOI doesn’t solve the initial problem of bot sign-ups. Even Spamhaus acknowledges that a DOI does not automatically prevent your company from landing on their blacklist. The recipients will still receive that annoying first deluge of DOI verification mail, which, when thousands have been entered, is enough of a problem by itself. The double opt-in might keep the problem from compounding though, which is certainly preferable than continuing to send emails to increasingly more annoyed recipients.

For Canadian and European emails, where adequate verifications of acknowledged sign-ups are required, the double opt-in is already the safest option. While most ESPs (Goolara included) let you decide what sort of opt-in procedure you want to implement, you should be aware that a single opt-in puts you in greater danger of a malicious and erroneous sign-ups. If your site is popular enough to experience more than one or two sign-ups a day, you should consider switching to a double opt-in.

CAPTCHAs

Currently, Spamhaus recommends the use of a CAPTCHA as part of your sign-up process. A CAPTCHA requires an action by the user, such as solving an equation or identifying two words that are either distorted or partially obscured by a pattern. They are easy to implement and may be the only way to get your company off the SBL. The most common one is ReCAPTCHA, which is provided by Google, but there are others on the market. We also recommend using a CAPTCHA, but this technology brings its own set of issues, which we’ll take a look in more detail in our next blog post.

Worst Case Scenario

So what do you do if you’ve already fallen prey to an attack? Preventative maintenance is always the best course of action. Besides double opt-ins and the use of a CAPTCHA, a regular practice of looking at your report metrics and subscription sign-ups can alert you to potential problems before they get out of hand. Noticeable increases in the amount of email being greylisted or sent to the junk folders might be a warning sign of worse things to come. Sudden increases in sign-ups from “gov” sources can also indicate potential bot attacks, so you may want to segment out these mailings for closer examination. In most cases, though, these attacks are sudden and unexpected, and nothing you do once the attack starts will stop the problem from escalating.

If you do end up on a blacklist, you should notify your ESP immediately and see what steps they can take to solve the problem. Some ESPs, such as Goolara, also offer deliverability services, and they can help you get your IP removed from the blacklist. Otherwise, you might want to seek the services of a professional deliverability expert. As long as you don’t have a history of sending to spam traps (which will normally only occur if you don’t keep your list up to date, or have a nasty habit of buying questionable lists), you should be okay.

Next time we’ll take a closer look at CAPTCHAs and other methods of sign-up verification.

1. The reputation score is how email services identify whether a mailing has any value. The higher your reputation score, the better your chances of ending up in the inbox. For more information on this, see our white paper Deliverability Enhanced.