Beware the Email Bomb


I had a customer ask me yesterday, why is their ESP trying to force them to implement CAPTCHA on their signup forms? They're not spammers.

Well, unfortunately, it's usually because of stuff like this: As Webbula's Jenna Devinney explains, bad guys can easily find and script a bunch of pokes at a bunch of webforms, purely to wreak havoc. Maybe it's random. Maybe it is to annoy somebody they're mad at. But the net is, they go around signing up Joe Email User for 200 email lists and then Joe Email User starts receiving 200 emails a day that are all spam to him, and it makes him mad. It makes him hate the companies sending that mail, even though it wasn't really their fault. It makes him report all that mail as spam, and that'll harm the sender's IP and domain reputation.

Even worse, the bad guys sometimes script submissions to trigger mail to spamtrap addresses, trying to get senders blocked by Spamhaus, other blocklists, or ISPs.

So, I would do it -- I recommend that you do go ahead and implement a CAPTCHA. It's probably not hard and it's definitely becoming a best practice. And you're not alone. I implemented reCAPTCHA on my own WombatMail signup forms, because some goober seemed to think it was fun to try submitting "abuse" and "network" addresses just to see if they could get me in trouble. (Sigh.) If I hadn't done that, eventually I would have run into problems, too. Even with double opt-in. (Maybe there IS a case to be made for email verification after all, huh?)

Indeed, I've seen a lot of mostly-good senders get into trouble with Spamhaus over the past couple of years and I think this type of mailbombing/scriptbombing email form abuse is probably the reason why. If you can prevent it before it ends up causing a Spamhaus listing, do so! This truly is one of those scenarios where an ounce of prevention is worth MORE than a pound of cure. Having to re-confirm a list because of a Spamhaus listing is no fun and will decimate your marketing efforts. It's much less painful to add a bit more logic up front to keep the bots from submitting garbage to your forms, if you ask me.
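To make "a bit more logic up front" concrete, here is an added sketch (not code from this post or from any ESP) of a server-side screen that runs before a signup is allowed to trigger any mail. The class name, the thresholds, the per-IP limit and the extra role names are assumptions; `captcha_ok` stands for the result of your CAPTCHA provider's server-side verification.

```python
from collections import defaultdict, deque

# "abuse" and "network" come from the post; the others are RFC 2142
# role mailboxes added here as an assumption.
ROLE_LOCAL_PARTS = {"abuse", "network", "postmaster", "hostmaster", "noc", "security"}
MAX_SIGNUPS_PER_IP = 3   # assumed threshold
WINDOW_SECONDS = 600     # assumed sliding window


class SignupScreen:
    """Hypothetical pre-send screen for a signup form."""

    def __init__(self):
        self._by_ip = defaultdict(deque)  # ip -> timestamps of recent attempts

    def check(self, email, ip, now, captcha_ok):
        """Return (accepted, reason). Send mail only when accepted is True."""
        if not captcha_ok:
            return False, "captcha_failed"
        local, sep, domain = email.strip().lower().rpartition("@")
        if not sep or not local or "." not in domain:
            return False, "malformed_address"
        # Strip any +tag so "abuse+x@..." is treated like "abuse@...".
        if local.split("+", 1)[0] in ROLE_LOCAL_PARTS:
            return False, "role_address"
        recent = self._by_ip[ip]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()              # forget attempts outside the window
        recent.append(now)                # rate-limited attempts count too
        if len(recent) > MAX_SIGNUPS_PER_IP:
            return False, "rate_limited"
        return True, "ok"


# Constructed sample submissions: (email, ip, seconds, captcha_ok)
SAMPLE = [
    ("joe@example.com", "198.51.100.7", 0, True),
    ("abuse@example.net", "198.51.100.7", 5, True),
    ("ann@example.org", "198.51.100.7", 10, True),
    ("bob@example.org", "198.51.100.7", 15, True),
    ("cat@example.org", "198.51.100.7", 20, True),
    ("dan@example.org", "203.0.113.9", 25, False),
    ("cat@example.org", "198.51.100.7", 700, True),
]


def run_sample():
    screen = SignupScreen()
    return [screen.check(*row)[1] for row in SAMPLE]
```

Log the rejection reasons: a sudden rise in `role_address` or `rate_limited` hits is an early sign that a form is being scripted.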

