Email bombing is a topic rarely discussed in the email industry. However, it’s an issue that affects brands and individuals every day. And, it’s an experience I went through recently with my personal email account.
So, what is email bombing? I’ve been in the email space for almost four years now, and I’ve heard of it a few times but never experienced it for myself until just recently.
What is Email Bombing?
List bombing is different from a traditional bot attack. Instead of targeting a specific company, bots target the individual recipient.
Email bombing is a cyber attack that uses bots to sign up legitimate email addresses to hundreds or thousands of different mailing lists in just minutes. When this happens, the recipient of the legitimate email gets bombarded with email subscription confirmation emails in just a few minutes.
In my experience, I got over 1,000 emails in under 5 minutes sent to my personal email address. I had lots of questions! How do I stop this? How does this happen? Is any of my personal information stolen? What do I check and do first?
How List Bombing Affects the Individual Recipient
Fraud: List bombing happens because your credit card information or other personal information was compromised. Flooding the individual's inbox is a distraction mechanism, so you can't find the alert emails informing you that your information was stolen.
Thankfully, my credit card company provided a text alert so I could catch the fraud activity immediately. Thanks to Webbula, and the security training we take throughout the year, I was even cautious about the text alert from the credit card company and called to verify the situation. The credit card company flagged the activity and sent me a new card.
List bombing also affects the individual's reputation. As soon as I realized my inbox was being flooded with unwanted messages, I immediately googled how to stop it. My experience in the industry told me the best thing to do is unsubscribe. A few additional articles advised me to mark the emails as spam if it continued to happen to alert the ISPs that list bombing is occurring and to set up filters for my important messages.
I wondered what this would do to the brands’ reputations. If I continue to mark all of the emails from brands who thought I signed up to receive emails as spam, I will look like a complainer or screamer and I could damage their deliverability and reputation.
Lastly, suppose this continually happens to individuals. Consumers might get tired of the effort it takes to mitigate the damage of email bombing and abandon their compromised email account for a fresh start. This leads to my next point, how brands are affected.
How Email Bombing Affects Brands
- When an email is abandoned, ISPs turn it off, which could turn it into a spam trap. Sending to this email could get you in some email deliverability trouble and your sender reputation could suffer.
- More and more people use disposable domains (temporary email addresses) to sign up for discounts or coupons to avoid list bombing. This results in another scenario where the brand suffers from poor deliverability and damaged sender reputation. Although someone signed up, opened and clicked, after they received their offer, they abandoned the email shortly after.
- The first thing the recipient should do when experiencing a list bomb attack is unsubscribe. Like I mentioned above, when searching for what to do, a Google article advised me to click the spam button to alert Gmail about the list bombing attack and to avoid receiving any more emails.
But what about best practices? Someone not in the email space will take the “mark as spam” advice which could harm the brands deliverability, reputation and could cause the brand to be blocklisted.
How to Protect Yourself from List Bombing
The good news is there are ways that brands and recipients can protect themselves from list bombing attacks.
Brands
- CAPTCHA
CAPTCHA Is an acronym for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” Putting a CAPTCHA system in place is your first line of defense to defend against bots and prevent them from entering data into your forms. In my experience, a bot used my REAL email address to sign up for a bunch of accounts. If these websites had a CAPTCHA in place, it’s most likely the bot wouldn’t have been able to get through.
DOI requires users to confirm their new subscription request. DOI is another great solution to avoid list bombing, but many brands still do not use it for fear of reducing conversion rates. If the subscriber doesn’t verify the subscription, you’ll have a pretty good idea it was a bot. However, you never want to take the chance. It’s wise to have extra layers of protection and utilize both CAPTCHA and DOI.
- Regularly Cleanse with an Email Hygiene Provider
Because data ages and email addresses such as temporary domains, spam traps, and emails involved in phishing scams can pass through CAPTCHA and DOI; regularly working with a hygiene provider can help detect those malicious email addresses and help protect your deliverability and sender reputation.
Individuals
- Passwords: Ensure that your online passwords are unique and secure, and all of your accounts are secure with multi-factor authentication. Take it a step further and get a solution like 1password in place for all of your accounts. You’ll never have to remember a password again and it will prevent you from getting hacked.
- Turn your alerts on for all of your payment methods to ensure you catch fraud immediately.
- Don’t click on any suspicious links in emails or text messages. Always stop and think before you click.
Marketers and Consumers Should Take Steps Necessary to Protect Themselves
If not already, brands should implement CAPTCHA and Double Opt in to prevent list bombing. It is a serious headache for marketers and consumers and can cause ongoing inboxing, blocklisting, deliverability issues, and eventually cause sender reputation issues
Consumers will continue to turn over email addresses. That is why it’s important for brands to have an email hygiene partner to periodically cleanse email databases identifying and mitigating threats to sender reputation and deliverability.