Do you need COI/DOI? Probably.

In case you've been living under a rock, or you've been lucky enough to not be affected, here's the deal: Some bad guys, probably Russian or Eastern European, have decided to mail-bomb unsuspecting folks by signing them up for many hundreds or thousands of mailing lists. The bad guys built a tool that either searches for or has a list of signup forms at many hundreds or thousands of websites. The bad guys then submit many email addresses to those forms.

The net result is, if you're on the wrong end of this attack, your mailbox gets filled up with a bajillion newsletters. Some from big brands. Some from small brands. Some from companies you've heard of. Some from non-profits you've never heard of.

In a recent post, Brian Krebs of Krebs on Security shared his own experience with being mail-bombed in this way. Brian said that it's targeting .gov addresses, but I know from what I'm seeing that it's broader than that. It's definitely not targeting just .gov addresses. It also seems to be targeting various anti-spam groups, security researchers, email administrators, and so forth.

For senders, this is bad news, because you end up with a bunch of subscribers that don't want your mail, and they're drowning under mail. They're mad that you're part of the flood. They're going to report that mail as spam, if they can. It's not going to help your sender reputation.

And on top of that, Spamhaus has gotten involved. As Laura Atkins of Word to the Wise reports, the problem has grown large enough for anti-spam blacklist group Spamhaus to take notice. Their position is that the senders operating open mailing list signup forms are running attractive nuisances, and that the best way to stop this problem is for list managers and email marketing managers to update their signup forms to implement functionality to prevent or deter the bad guys from mass submissions of non opt-in email addresses.

How? What I'm hearing is that the best things you can do are implement a double opt-in process and/or implement a CAPTCHA process on your signup page, to prevent bots from signing up.

Double opt-in, aka confirmed opt-in, isn't new, and isn't very hard to set up. (Heck, here's a link to me talking about it on this very blog, thirteen years ago.)

And if you're already using double opt-in? Now would be a bad time to turn it off. Spamhaus has taken to blacklisting senders whose lists were fed by these bad guy bots. Spamhaus has listed more than FIFTY different ESP/ISP senders in the past two weeks over this issue. It's clearly an issue Spamaus is taking seriously, and is watching out for.

Whether or not you like or respect Spamhaus or not, getting blacklisted by them just kills your deliverability. Their blacklists are broadly used and they as an organization are widely respected by internet service providers. My recommendation is, if you run a mailing list or an email marketing program, implement double opt-in and CAPTCHA today, to avoid the huge deliverability woes that come with a Spamhaus blacklisting.

Want to learn more about this email subscription bombing problem? You can read more about it over at the Return Path blog.
Post a Comment