Using Confirmed Opt-In and Captcha to Mitigate Mail Bombing Effects
Aug 25, 2016 - by Ken Pfeiffer
As global director of deliverability, Ken leads Sailthru’s strategic and technical efforts to ensure high deliverability and inboxing rates. He is a recognized expert in email deliverability.
Last week a widespread attack targeting email signup forms resulted in a serious mail bombing incident, a form of online harassment and abuse. Using BOT software, the attackers added the email addresses of unsuspecting recipients to thousands of email lists, flooding the recipients’ inboxes and paralyzing their email accounts. Security journalist Brian Krebs reported on the attack, speculating that it was “designed to render the targeted inboxes useless for a period of time.” While the incident may not have involved any breach of personally identifiable information, for Email Service Providers (ESPs) and their customers it highlighted the need to adopt industry best practices to prevent future abuse.
Spamhaus, the world’s largest black-listing organization, maintains the Spamhaus Block List (SBL). Messages sent from an IP address listed on the SBL will not reach most of their recipients, but instead will be rejected by Internet service providers and bounce.
On August 15 there was a massive increase in the Spamhaus SBL listings at ESPs across the industry as a direct result of BOT mail bombing.
The attack focused on unsecured opt-in forms, meaning any form that does not require additional validation, such as Captcha. The opt-in form added target addresses to senders’ accounts, so the recipients would get mail from the sender throughout their normal sending cycle via ESPs.
Responding to the attacks
Sailthru is working diligently to mitigate the continuation of these attacks. We are taking precautions to identify potential suspicious or abnormal activity.
ESP clients are not the perpetrators of these attacks, but they are being used as the means to mail bomb user accounts. To stop this instance and mitigate future abuse of this nature it is important that all brands secure their opt-in forms. Recommended steps for doing so are outlined below.
Implement Captcha so BOTs cannot auto submit addresses to forms. Sailthru recommends Google reCAPTCHA as it is easy to implement and very effective at stopping BOTs from abusing forms.
Restrict form submission from well-known BOT or abusive IP ranges. Contact your ESP directly for these ranges.
Implement Confirmed Opt In (COI). Senders using COI to confirm subscriber addresses are already helping to limit the effectiveness of these attacks. While abused email addresses are still receiving a flood of mail, these addresses will not be added to the normal email cycle and the abuse will be limited to one COI email.
Update input fields on your signup forms. Add a hidden form field or a field that is hidden by CSS. Most BOTs will automatically fill in every form field they can find, so a hidden field will help you distinguish BOT form fills from user form fills. As an additional or alternate solution, rename the “email” and/or “name” input fields, as these words indicate that the form is one that can be used in this type of attack. With the HTML input field names changed, the BOT may bypass your form.
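The hidden-field check and Confirmed Opt-In steps above can be combined in one server-side signup handler. The sketch below is an added example, not Sailthru's code; the field names `website` and `contact`, the signing secret, and the 48-hour token lifetime are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-deployment signing key
TOKEN_TTL = 48 * 3600                # assumption: confirmation link lifetime
HONEYPOT = "website"                 # hypothetical field, hidden from users by CSS
EMAIL_FIELD = "contact"              # hypothetical renamed "email" input

pending = {}        # address -> time its one confirmation mail was issued
subscribed = set()  # only these addresses enter the normal sending cycle


def _sign(email, issued):
    msg = f"{email}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def handle_signup(form, now=None):
    """Return (status, token); token is set only when a COI mail should go out."""
    now = int(time.time() if now is None else now)
    if form.get(HONEYPOT, "").strip():
        return "rejected", None      # a person never sees or fills this field
    email = form.get(EMAIL_FIELD, "").strip().lower()
    if email.count("@") != 1 or "|" in email:
        return "rejected", None
    issued = pending.get(email)
    if email in subscribed or (issued is not None and now - issued < TOKEN_TTL):
        return "duplicate", None     # repeat submissions trigger no further mail
    pending[email] = now
    return "pending", f"{email}|{now}|{_sign(email, now)}"


def confirm(token, now=None):
    """Subscribe the address only if the token is authentic, current and unused."""
    now = int(time.time() if now is None else now)
    try:
        email, issued, sig = token.rsplit("|", 2)
        issued = int(issued)
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(email, issued).encode()):
        return False
    if now - issued >= TOKEN_TTL or pending.get(email) != issued:
        return False
    del pending[email]
    subscribed.add(email)
    return True
```

An address submitted by a BOT that skips the hidden field still receives only the single confirmation message and never reaches `subscribed` unless the recipient follows the link.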
This kind of attack is unprecedented; however, we expect to continue to see similar attacks in the future. By working together – ESPs, advocacy groups and brands alike – we can mitigate the impact. Please do your part by discussing the recommendations above with your IT team.
For Sailthru customers seeking more information, please contact your customer success representative.