List bombing: What does it mean and how to avoid it?

Recently, there has been some talk about list bombing. What does this actually mean?

While ISPs concentrate on attacks from a single IP (or IP range) or sending domain, list bombing abuses many different subscription forms, sending just a few mails from each.

The problem for the targeted address is that a lot of mails arrive in a short amount of time without a consistent pattern. The goal is to make the address unavailable for a specific time.

Double opt-in (DOI) doesn’t help here either, because the DOI confirmation mail itself can be used as part of the attack.

The only security mechanism that can help on the sender side is anything that complicates automated use of subscription forms, like the famous “captchas”. Please add them to your subscription process whenever possible!
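A sketch of how a subscription handler can gate the DOI confirmation mail on a server-side captcha check, so that an automated form submission never triggers a mail to the victim. This is an added example, not code from the original post; it assumes Google reCAPTCHA's `siteverify` endpoint, and the names `handle_subscribe`, `verify_recaptcha` and `send_confirmation` are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Google reCAPTCHA server-side verification endpoint.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def verify_recaptcha(token, secret, remote_ip=None, opener=urllib.request.urlopen):
    """Return True only if Google confirms the token submitted with the form.

    Fails closed: a missing token, a network error or an unparsable answer
    all count as "not verified", so no confirmation mail is sent.
    """
    if not token:
        return False
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    try:
        with opener(SITEVERIFY_URL, data=body, timeout=5) as resp:
            return json.load(resp).get("success") is True
    except (OSError, ValueError, AttributeError):
        return False


def handle_subscribe(email, token, remote_ip, secret, send_confirmation,
                     opener=urllib.request.urlopen):
    """Hypothetical form handler: the DOI mail is sent only after the check.

    `send_confirmation` is the caller's own mail function (an assumption of
    this example); `opener` is injectable so the handler can be tested offline.
    """
    if not verify_recaptcha(token, secret, remote_ip, opener):
        return "rejected"  # no mail leaves the system for this request
    send_confirmation(email)
    return "confirmation_sent"
```

The important property is the order of operations: the captcha result is checked on the server before any mail is generated, not only in the browser.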

The CSA recently published a recommendation to place the following snippet on websites in order to be safe with GDPR:

Use of Google reCaptcha

To secure our contact form against unwanted usage, we use the Google Inc. service reCaptcha. This service enables the differentiation between input by a human, and abusive and automated input by a machine (Spambot). For this purpose, your IP address and, if necessary, further data required by Google Inc. for the service reCaptcha is transmitted to Google Inc. For this data, the different Privacy Policy from Google Inc. applies. These can be found at https://policies.google.com/privacy?hl=en

 

Verwendung von google reCaptcha

Zur Absicherung unseres Kontaktformulars gegen unerwünschte Verwendung nutzen wir den Dienst reCaptcha des Unternehmens Google Inc. Dieser Dienst ermöglicht die Unterscheidung, ob die Eingabe durch einen Menschen oder missbräuchlich und automatisiert durch eine Maschine (Spambot) erfolgt. Zu diesem Zweck werden Ihre IP-Adresse und gegebenenfalls weitere von Google Inc. für den Dienst reCaptcha benötigte Daten an Google Inc. übermittelt. Für diese Daten gelten die abweichenden Datenschutzbestimmungen von Google Inc. Diese finden Sie unter: https://www.google.com/intl/de/policies/privacy/.

Florian Vierke is a Senior Deliverability Specialist with over seven years of experience in all areas of E-Mail Deliverability & Abuse Management. Florian is a member of MAAWG, the Certified Senders Alliance and the competence group email, and maintains a regular presence at conventions and fairs like Internet Security Days, email expo or dmexco.
