Of all the ways that people can make a pain in the neck of themselves, you can add a new one to the list: list bombing, also known as lead bombing, mail bombing, or mail flooding.
Anyone who collects marketing leads online using an autoresponder form is vulnerable to list bombing. This article explores how it works, and what you can do to prevent it from happening to you.
Understanding list bombing
As the name implies, list bombing is an automated hacking attack on a list or lead gathering channel. In these attacks, bots are used to submit an email address to hundreds of copies of your form – or lots of different forms – at the same time. The email address is generally legitimate, but is likely stolen or “scraped” from public sources such as social media accounts.
Why does list bombing happen in the first place? Here are three reasons:
- It can be used to spread spam, particularly when the bomber inserts a spam URL into the name field of your form, so that it gets sent by autoresponder to the unsuspecting email address.
- It is a tactic that cybercriminals use to divert attention from a hacking attack.
- It can simply be a way to cause trouble for the email address used, the site being bombed or both, in a way that is similar to a distributed denial of service (DDoS) attack.
List bombing normally has two victims: the firm whose lead forms are being “bombed,” and the unsuspecting email address used in the attack. This has multiple impacts:
- Because the forms are submitted simultaneously, the legitimate email address will be bombarded with a large amount of emails – potentially overloaded the email server and certainly making a mess of a user’s inbox.
- The email owner and/or their email server will have hard bounces, and the attack can lead to a large number of spam complaints.
- The email sender risks their sender reputation as well as potentially have their sending IP blacklisted, not to mention the negative impact on the business’ reputation.
In all of these cases, list bombing is a disruptive event that takes advantage of legitimate marketing channels to cause harm. Now, let’s look at some of the things you can do to mitigate the risk.
Preventing list bombing
Some of the strategies you can use to prevent a list bombing attack involve building structural safeguards into your lead acquisition process. These include implementing things like Google’s reCAPTCHA technology to prevent bots from using your forms, or a double opt-in process to prevent automatic registration for future emails. Some other creative suggestions include requiring people to navigate to your form, or limiting geographic locations that are allowed to respond.
With the proper business logic, some of our services can also help detect and prevent list bombing, while improving your overall data hygiene. These include:
IP address validation:
Our DOTS IP Validation product can be used to engineer safeguards into incoming form signups, such as:
- Detecting the IP address and determining if the traffic is coming from known hacker hotspots.
- With logic, flagging multiple submissions that are coming from a single IP and/or proxy, you can deploy strategies like requiring responses to CAPTCHA challenges and/or asking for double opt-in on high-risk submissions.
- Comparing the geographic location of an IP address to the physical address provided on the form, if collected – and then flagging mismatches for further processing.
- Determining if the IP address is a known proxy and, if so, requiring secondary security steps to validate the submission.
While this should not be used as a standalone technique, because the email addresses used in list bombing attacks are usually legitimate, our DOTS Email Validation product can supplement your efforts by flagging known bad email addresses that may have been used in previous list bombing attacks. Our email databases are constantly updated to ensure we have the most up-to-date data available.
Malicious users and hackers continue to find ways to attack and abuse businesses through online channels, and marketing forms are unfortunately no exception. However, with the right technology, you can stay one step ahead of them and protect the integrity of your demand generation process. If you would like to learn more about our services, their benefits, and how they can help prevent list bombing, please feel free to reach out to us.