Recently there has been some talk about list bombing. What does this actually mean?
While ISPs concentrate on attacks coming from a single IP (or IP range) or a single sending domain, list bombing abuses a large number of different subscription forms and sends only a few mails from each of them.
The problem for the targeted address is that a lot of mails arrive within a short time and without a consistent pattern; the goal is to make the address unusable for a certain period.
DOI (double opt-in) does not help here either, because the DOI confirmation mail itself can be part of the attack and is used as the payload.
The only security mechanism that helps on the sender side is anything that makes automated use of subscription forms harder, such as the well-known CAPTCHAs. Please add them to your subscription process wherever possible!
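To make the point concrete, here is an added example (not code from the original post or from the CSA) of a subscription form that checks the CAPTCHA on the server before it queues the DOI confirmation mail, next to a form without that check. The reCAPTCHA `siteverify` endpoint and its `success` field are Google's real API; the class `SubscriptionForm`, the function `simulate_list_bomb`, the "solved" token and the sample addresses are constructed for illustration only.

```python
"""Subscription form hardened against list bombing with a server-side CAPTCHA check.

Added example, not from the original post or the CSA. The siteverify endpoint and
its 'success' field are real; SubscriptionForm, simulate_list_bomb and the sample
data below are made up for illustration.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional

RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def verify_recaptcha(secret: str, token: str, remote_ip: Optional[str] = None,
                     timeout: float = 5.0) -> bool:
    """Ask Google whether the token the browser submitted came from a solved challenge.

    This is a network call; it is only reached when a form actually carries a token.
    Tokens are single use, so a bot cannot solve one challenge and replay the token
    against many forms.
    """
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    request = urllib.request.Request(
        RECAPTCHA_VERIFY_URL,
        data=urllib.parse.urlencode(fields).encode(),
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        result = json.load(response)
    # 'success' is False for expired, malformed or already used tokens.
    return result.get("success") is True


@dataclass
class SubscriptionForm:
    """One newsletter sign-up form. 'verifier' returns True only for a valid CAPTCHA;
    None means the form has no CAPTCHA at all (the list-bombing victim's case)."""
    name: str
    verifier: Optional[Callable[[str, Optional[str]], bool]]
    confirmations_sent: List[str] = field(default_factory=list)

    def submit(self, email: str, captcha_token: str = "",
               remote_ip: Optional[str] = None) -> str:
        if self.verifier is not None:
            # Check *before* queueing the DOI mail: the confirmation mail itself is
            # the payload of a list bomb, so a check after sending protects nobody.
            if not captcha_token or not self.verifier(captcha_token, remote_ip):
                return "rejected"
        self.confirmations_sent.append(email)  # stand-in for sending the DOI mail
        return "confirmation_sent"


def simulate_list_bomb(forms: List[SubscriptionForm], target: str,
                       attempts_per_form: int) -> int:
    """A bot hits every form a few times without solving any CAPTCHA.

    Returns the number of confirmation mails that would reach the target address.
    Without CAPTCHAs this is forms * attempts_per_form; with them it is zero."""
    for form in forms:
        for _ in range(attempts_per_form):
            form.submit(target, captcha_token="", remote_ip="203.0.113.7")
    return sum(form.confirmations_sent.count(target) for form in forms)


if __name__ == "__main__":
    # Constructed scenario: 50 unprotected shops vs 50 protected ones, 3 hits each.
    # The stub verifier stands in for verify_recaptcha(secret, token, ip) so that the
    # script runs offline; in production pass a real secret and the real function.
    stub = lambda token, ip: token == "solved"
    unprotected = [SubscriptionForm(f"shop-{i}", None) for i in range(50)]
    protected = [SubscriptionForm(f"shop-{i}", stub) for i in range(50)]
    print("mails reaching victim, no CAPTCHA:",
          simulate_list_bomb(unprotected, "victim@example.com", 3))
    print("mails reaching victim, with CAPTCHA:",
          simulate_list_bomb(protected, "victim@example.com", 3))
    print("genuine visitor:", protected[0].submit("reader@example.com", "solved"))
```

The important design decision is the order of operations: the CAPTCHA result gates the DOI mail, not the list membership. Verifying the token but still sending the confirmation "just in case" would leave the form fully usable for list bombing.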
The CSA recently published a recommendation to place the following snippet on websites in order to be on the safe side with regard to the GDPR:
To secure our contact form against unwanted usage, we use the Google Inc. service reCaptcha. This service enables the differentiation between input by a human and abusive, automated input by a machine (spambot). For this purpose, your IP address and, if necessary, further data required by Google Inc. for the service reCaptcha are transmitted to Google Inc. For this data, the separate Privacy Policy of Google Inc. applies. It can be found at https://policies.google.com/privacy?hl=en.
Use of Google reCaptcha (German version of the same snippet for German-language sites; the wording is identical, only the privacy policy link points to the German-language page https://www.google.com/intl/de/policies/privacy/).