Your data is important, and keeping it safe, structured and clean is hard work on a regular day. With even the best practices around your data, there are external threats that can affect your program and make any marketer’s best intentions go awry.
Introducing: List Bombing
List bombing is simply defined as an attack on your data that usually involves hackers exploiting vulnerable online forms to seed you list with bad data. The intention of this kind of attack is to load up your list with specific email addresses, that when sent to, will flood a targets email server with unwanted email.
– Cause a server to get bogged down (and even crash!)
– Flood recipients inbox
– Disrupt business activities
Sender deliverability can be negatively affected by this type of action due to the triggering of anti-spam systems that will in turn block and report your domain and sending IP to black lists, abus reports and even file abuse complaints against your domain. Your email service provider may also block you from sending until the problem is fixed.
Ironically, a list bombing attack is often not detected by marketers. To the marketer, it may actually look like a sudden spike in subscribership of 5000, 12 000 or even 20 000 subscribers and seen as a good thing when in fact, something more nebulous is going on. A sudden and unexpected spike in subscribers may be a red flag!
How to prevent list bombing in 5 easy steps:
Fortunately, this type of attack is mostly avoidable. Applying the following preventative steps and best practices can help you to make sure that your data stays clean and avoid the headaches such an exploit can cause.
Step 1: Are your forms all accounted for and are they all secure?
The easiest way for hackers to bomb your list is via an unsecured online form. When hackers find an unsecured form, they see this as an open door to load your list with bad data. With automation and scripting tools, they can fill and submit forms to your list at a high rate.
Start by making an inventory of all signup up forms that are connected to your list, either on your site or on external sites. External sites could include that “contest signup” that ran for 3 months last year. Was that contest site form properly taken offline?
Once you have identified and accounted for all sign up forms you can jump to step 2.
Step 2: Secure ALL your forms with CAPTCHA’s
One of the best ways to prevent bots and script attacks from bombing your list is to use captchas. They are cost efficient and very easy to implement.
Captchas have come a long way from the days of the distorted words, street signs, and numbers that we had to decipher in the past. Google’s Invisible reCaptcha is not even displayed, keeping the user experience simple. There are many excellent articles on how to implement this correctly.
Make sure that every signup form you have in place is secured from bots with a captcha. This is one part of the solution and is not fool proof! There have been instances of attackers, organized in large groups, using “humans” to do the bombing, one by one on a Captcha secured form.
Step 3: Use a real time email validation service in your forms
Many list validation services offer real time verification via an API. While it may not be fool proof, (hackers may have lists that are composed of legitimate emails) it will make sure that invalid emails do not get into your list. It works in real time and depending how it is set up, could actually help your customers to make sure that they correctly enter their email address.
This step also helps your data acquisition strategy overall by ensuring that your list data is cleaned upstream.
Step 4: Use double opt in’s
A double opt in consists of sending a confirmation email to the new recipient who must confirm that they are the actual owner of the email (or phone number for SMS text messaging) that signed up.
Double opt in has often seen some detractors claim that it may deter sign-up’s to their list. The fact is that recipients who are validated using a double opt-in tend to be engaged at a higher rate with your program and this engagement may help you improve your deliverability.
The double opt in step, combined with the other methods will help ensure your reputation does not get affected by a list bomb attack.
Taking this a step further by adding customer journey automations can go beyond a simple double opt in and create compelling onboarding flows to build even stronger bonds with your customers.
Step 5: Keep an eye on your list growth
Unless you are running an aggressive acquisition campaign. Your list growth should be relatively steady. If you are seeing a 5% monthly growth and suddenly you notice a large spike without reason, it is worth your time to investigate the source of this spike.
Looking for clusters in the record creation date and source of the sign up should point you in the right direction as to where the spike is coming from.
What about phone mobile numbers for Text Messaging?
If you are using SMS Text Messaging as a channel in your program, you can also be a target for a list bomb attack. Steps 1,2,4 and 5 above also apply in making sure that your data is clean.
Using a validation service as listed in step 3 may a worthwhile step. You will need to check locally to see if this service is available to you as phone number validation services are not available everywhere. If you are planning to use SMS Text Messaging to connect with your customers, it should be a priority to check if phone number validation is available for you.
Oops I bombed my own list!
Unintentional list bombing does happen. “Hey look we found a list of 50 000 recipients on a usb key from a contest we ran 2 years ago!”. A bad list manipulation (usually a manual list upload) or untested segment can suddenly make you send a lot of unwanted emails, effectively causing some serious deliverability problems.
This can happen to the best of us and it is why step 5 is so important. Being vigilant and rigorous can avoid a lot of problems.
We were bombed, what should we do now?
The first step is to find and neutralize the bad data. It is usually easy to spot the suspect data as the create dates of the list bomb addresses or numbers will occur within a short time frame. Once identified, flag the data and remove it from your list. Keep a copy of the bad data on hand in case it is needed for further investigations.
Contact your messaging service provider (if they are not already contacting you). This is important as it will help everyone to understand what happened and take preventative measures.
If your sending reputation was affected, your service provider can assist you by closely monitoring your sending data and assist you to take measures to resolve any black lists and blocks.
Find and shut down the source of the attack. Do not give the opportunity to the hackers do this again.
Do I need to contact all the affected recipients? At this point as it is not a “data breach” as your client’s data has not been breached. There is no obligation to communicate that a list bomb attack has occurred to your recipients. Sending all your recipients a second message could actually cause your deliverability problems to get worse.
As ISP’s, anti spam systems and data capture end points improve (as recommended above) we are likely to see less and less of these types of attacks in the future. This does not mean we should let our guard down.
Being vigilant and keeping up with best practices is the best way to avoid a list bomb attack.
As the old saying goes: An ounce of prevention is worth a pound of cure. -Benjamin Franklin (Or for our metric friends 28.35 grams or prevention is worth 453.59 grams of cure)