Using Confirmed Opt‑In and Captcha to Mitigate Mail Bombing Effects
By Ken Pfeiffer | August 25, 2016
As global director of deliverability, Ken leads Sailthru’s strategic and technical efforts to ensure high deliverability and inboxing rates. He is a recognized expert in email deliverability.
Last week a widespread attack targeting email signup forms resulted in a serious mail bombing incident, a form of online harassment and abuse. Using BOT software the attackers added the email addresses of unsuspecting recipients to thousands of email lists, flooding the recipients’ inboxes and paralyzing their email accounts. Security journalist Brian Krebs reported on the attack, speculating that it was “designed to render the targeted inboxes useless for a period of time.” While the incident may not have involved any breach of personally identifiable information, for Email Service Providers (ESPs) and their customers, it highlighted the need to adopt industry best practices to prevent future abuse.
Spamhaus, the world’s largest black-listing organization, maintains the Spamhaus Block List (SBL). Messages sent from an IP address listed on the SBL will not reach most of their recipients, but instead will be rejected by Internet service providers and bounce.
On August 15 there was a massive increase in the Spamhaus SBL listings at ESPs across the industry as a direct result of BOT mail bombing.
The attack focused on unsecured opt-in forms, which includes any form that does not require additional validation, such as Captcha. The opt-in form added target addresses to senders’ accounts so the recipients would get mail from the sender throughout their normal sending cycle via ESPs.
Responding to the attacks
Sailthru is working diligently to mitigate the continuation of these attacks. We are taking precautions to identify potential suspicious or abnormal activity.
ESP clients are not the perpetrators of these attacks, but they are being used as the means to mail bomb user accounts. To stop this instance and mitigate future abuse of this nature it is important that all brands secure their opt-in forms. Recommended steps for doing so are outlined below.
Implement Captcha so BOTs cannot auto submit addresses to forms. Sailthru recommends Google reCAPTCHA as it is easy to implement and very effective at stopping BOTs from abusing forms.
Restrict form submission from well-known BOT or abusive IP ranges. Contact your ESP directly for these ranges.
Implement Confirmed Opt In (COI). Senders using COI to confirm subscriber addresses are already helping to limit the effectiveness of these attacks. While abused email addresses are still receiving a flood of mail, these addresses will not be added to the normal email cycle and the abuse will be limited to one COI email.
Update input fields on your signup forms. Add a hidden form field or a field that is hidden by CSS. Most BOTs will automatically fill in all form fields it can find, so a hidden field will help you to identify BOT form fills over user form fills. As an additional or alternate solution, change “email” and/or “name” input fields as these words provide the indication that this form is one that can be used in this type of attack. By changing the HTML input field names the BOT may bypass your form.
This kind of attack is unprecedented; however we expect to continue to see similar attacks in the future. By working together – ESPs, advocacy groups and brands, alike – we can mitigate the impact. Please do your part by discussing the recommendations above with your IT team.
For Sailthru customers seeking more information, please contact your customer success representative.
2020 Holiday Marketing Playbook
With all that has happened this year, we expect to see a holiday season unlike any other. That said, the time to start testing and building out email and CRM strategies is now. Along with our Retail Advisor, former JustFab VP Monica Deretich, Sailthru has developed this playbook to help retailers crush Q4 and beyond.
WWD Byline: How Nordstrom Brings Personalized Customer Service Online, at Scale
It’s easy to think that a brand has to be a digital native to offer a superior digital experience. Nordstrom shows that absolutely doesn’t...
By Jason Grunberg
How The Vitamin Shoppe and TechStyle Fashion Group Prosper with Dynamic Personalization
Sephora’s app boasts an augmented reality fitting room and Best Buy’s has a “local store mode,” ensuring that products match the store’s inventory. Urban...
By Francesca Nolan