Imagine this scenario: an attacker uses an automated program, or bot, to fill out your email marketing subscription form with another person’s email address (or thousands of times with different addresses), and your automated marketing campaign sends email to recipients that didn’t actually subscribe. That’s not great for you, but imagine what happens to the email recipients if the bot does this to tens of thousands of email marketing forms: the recipients’ inboxes are suddenly flooded with marketing email from legitimate businesses, and not typical spam that might get blocked or go to junk. Their inbox is now useless until the barrage of email subsides.
So an attacker has ruined someone’s inbox for a few weeks (or more likely, forever) – what’s the point? List bombing is at minimum an effective distraction and usually part of something bigger: the real goal is to hamper an individual’s ability to deal with another crisis, such as a government official or an IT security professional fending off an active attack on their system, or really anyone just trying to do their job.
How list bombing can affect you
Even if you aren’t the target of the attack, if your marketing automation is hijacked and used as a tool to perform the attack, you’ll receive collateral damage. In addition to being implicated as part of the specific attack, sending email to recipients that didn’t actually subscribe will generate spam complaints, hard bounces, and spam trap hits (depending on what email addresses the bot submits to your form), which hurt your sender reputation, your email deliverability, and in turn, your bottom line. Recipient email networks won’t offer forgiveness just because you didn’t orchestrate the attack; they’ll still hold you accountable because you didn’t take steps to prevent your marketing automation from being hijacked. The other major impact is database pollution: having thousands of bogus addresses in your database with no easy way to identify them is not a problem you want to deal with.
How to protect your marketing automation
To prevent your marketing automation from becoming a tool for list bombing, you’ll need to employ the following tactics in tandem:
- Captcha – We’ve all been frustrated by a Captcha puzzle before, but we survived, and unfortunately disliking them doesn’t negate the real need to use them. Using Captcha on your subscription forms will effectively defend against most bots, and at the very least it can keep your landing pages from becoming an easy target. Captcha isn’t perfect though, and like most things related to security, it’s a cat and mouse game. Someone is always enticed by the challenge of creating a bot that can solve Captchas, so you’ll need an additional layer of security in place.
- Email Confirmation (AKA Double Opt-In or Confirmed Opt-In) – Send a subscription confirmation request any time a recipient subscribes, and don’t send any more marketing email if they don’t confirm. This way, you can at least limit the damage done by any bad addresses that get into your automation process: if you do happen to send to a spam trap, you’ll only send to it once. As a side effect, email confirmation also limits reputation damage from other (non-bot) sources of high-risk email addresses.
This is currently the most effective method, and you’ll see it recommended by deliverability experts, recipient networks, and anti-abuse organizations alike. If you find yourself weighing out the downsides of Captcha and email confirmation to try to decide if you really need to implement them, consider this: The time, effort and money you put into email marketing is wasted if you can’t reach the inbox. These practices, along with other industry standard best practices for inbox placement, are all designed to maximize email deliverability for your recipients that have the biggest potential to convert. It just doesn’t make sense to miss an opportunity to engage with your most valuable leads: real people that are actively interested in your product or service.
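As an added illustration of the confirmed opt-in flow described above (example code written for this page, not code from the original post or from any particular marketing platform), the following Python keeps submitted addresses in a pending state until the recipient returns a signed confirmation token, sends at most one confirmation per address no matter how many times a bot re-submits the form, and only ever hands confirmed addresses to the campaign sender. It assumes an in-memory store and a constructed secret key, and represents the "send confirmation email" step by returning the token.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example; load it from a secrets store in a real deployment.
SECRET_KEY = b"example-secret-key-do-not-use-in-production"
CONFIRM_TTL_SECONDS = 48 * 3600

class SubscriptionList:
    """Double opt-in list: an address joins the marketing list only after the recipient returns the token mailed to it."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}      # email -> (nonce, requested_at)
        self._confirmed = set()

    def _sign(self, email, nonce):
        return hmac.new(SECRET_KEY, f"{email}\n{nonce}".encode(), hashlib.sha256).hexdigest()

    def subscribe(self, email):
        """Handle a form submission. Returns the token to put in the confirmation email, or None when nothing should be sent."""
        email = email.strip().lower()
        if email in self._confirmed or email in self._pending:
            return None   # already subscribed, or confirmation already sent: never send again
        nonce = secrets.token_hex(16)
        self._pending[email] = (nonce, self._now())
        return f"{email}:{nonce}:{self._sign(email, nonce)}"

    def confirm(self, token):
        """Validate a token returned by the recipient; only then add the address."""
        try:
            email, nonce, sig = token.rsplit(":", 2)
        except ValueError:
            return False
        record = self._pending.get(email)
        if record is None or record[0] != nonce:
            return False
        if not hmac.compare_digest(sig, self._sign(email, nonce)):
            return False
        del self._pending[email]      # one attempt per token, confirmed or not
        if self._now() - record[1] > CONFIRM_TTL_SECONDS:
            return False              # stale request: the address never joins the list
        self._confirmed.add(email)
        return True

    def marketing_recipients(self):
        """Only confirmed addresses are ever handed to the campaign sender."""
        return sorted(self._confirmed)
```

A bot submitting the same victim address thousands of times therefore produces one confirmation email and zero marketing email, which is the damage limit the section above describes.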