Since this past Sunday, Spamhaus, one of the Internet's most powerful and widely used domain and IP blacklists, has been putting several major businesses, marketers, and ESPs on its IP blacklist. The reason for these listings could be that these senders were victims of "list bombing."
What is “list bombing”?
“List bombing” refers to instances where email sign-up pages get abused or attacked by malicious parties, resulting in a large number of email addresses being opted into their email program. In most cases, the email sign-up pages that are attacked by "list bombers" have few, if any, protective measures to prevent invalid email addresses from being entered into their mailing database, or they do not require users to verify their email addresses in order to complete the sign-up process.
To put this industry-wide blacklisting phenomenon into perspective, there has not been a time in the last several years when so many IPs from different ESPs have been collectively blacklisted. Many email and deliverability experts were initially puzzled by these listings since Spamhaus typically lists only senders who send email to spam traps. When this happens, resolving the issue generally requires the sender to identify the following:
- Where the spam traps within their database are
- How they got into their mailing database
- What is being done to prevent new spam traps from making their way into that sender's mailing list
In most cases, senders can identify and remove spam traps within their database by reviewing the list of email addresses that the offending campaign was deployed to.
This "list bombing" issue is different because, in this case, legitimate email addresses were getting added to an email program via a standard opt-in channel. However, the legitimate owners of these email addresses were not the ones who were opting into brands’ email lists. Instead, nefarious attackers or malicious agents were doing the mass opt-ins.
These listings affirm Spamhaus’ commitment to their mission of protecting 3+ billion mailboxes from receiving spam. The listings have helped senders identify vulnerable opt-in pages that simply accept any email address without validation or an added layer of security such as requiring a CAPTCHA, a confirmation email (double opt-in), or some other form of manual validation.
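The double opt-in mentioned above, sketched as an added example (not code from Spamhaus or any ESP): a submitted address stays pending until its owner returns a signed, expiring token. The class name, secret, and 24-hour lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 24 * 3600             # assumption: confirmation links expire after 24 hours


class SignupList:
    """Double opt-in: an address is mailable only after its owner confirms."""

    def __init__(self):
        self.pending = {}       # email -> time the confirmation was requested
        self.confirmed = set()  # the only addresses campaigns may be sent to

    def _sign(self, email, issued):
        msg = f"{email}|{issued}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request(self, email, now=None):
        """Handle a form submission; return the token to mail out, or None."""
        email = email.strip().lower()
        issued = int(now if now is not None else time.time())
        if email in self.confirmed:
            return None  # already subscribed: send nothing
        if email in self.pending and issued - self.pending[email] < TOKEN_TTL:
            return None  # at most one confirmation mail per address per TTL
        self.pending[email] = issued
        return f"{issued}.{self._sign(email, issued)}"

    def confirm(self, email, token, now=None):
        """Handle a click on the confirmation link; True only for a valid token."""
        email = email.strip().lower()
        now = int(now if now is not None else time.time())
        try:
            issued_s, sig = token.split(".", 1)
            issued = int(issued_s)
        except (AttributeError, ValueError):
            return False  # malformed or missing token
        if now - issued > TOKEN_TTL or self.pending.get(email) != issued:
            return False  # expired, never requested, or already used
        if not hmac.compare_digest(sig.encode(), self._sign(email, issued).encode()):
            return False  # signature does not match this address
        del self.pending[email]
        self.confirmed.add(email)
        return True
```

Double opt-in keeps unconfirmed addresses off the mailing list, but each first submission still sends one confirmation message, which is why the form itself also needs a protection such as the CAPTCHA mentioned above.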