Since this past Sunday, Spamhaus, one of the Internet's most powerful and widely used domain and IP blacklists, has been putting several major businesses, marketers, and ESPs on its IP blacklist. The reason for these listings could be that these senders were victims of "list bombing."
"List bombing" refers to instances where email sign-up pages get abused or attacked by malicious parties, resulting in a large number of email addresses being opted into their email program. In most cases, the email sign-up pages that are attacked by "list bombers" have few, if any, protective measures to prevent invalid email addresses from being entered into their mailing database, or they do not require users to verify their email addresses in order to complete the sign-up process.
To put this industry-wide blacklisting phenomenon into perspective, there has not been a time in the last several years that so many IPs from different ESPs have been collectively blacklisted. Many email and deliverability experts were initially puzzled by these listings since Spamhaus typically lists only senders who email to spam traps. When this happens, resolving the issue generally requires the sender to identify the following:
In most cases, senders can identify and remove spam traps within their database by reviewing the list of email addresses that the offending campaign was deployed to.
This "list bombing" issue is different because, in this case, legitimate email addresses were getting added to an email program via a standard opt-in channel. However, the legitimate owners of these email addresses were not the ones who were opting into brands’ email lists. Instead, nefarious attackers or malicious agents were doing the mass opt-ins.
These listings affirm Spamhaus’ commitment to their mission of protecting 3+ billion mailboxes from receiving spam. They have helped senders identify vulnerable opt-in pages that simply accept any email address without validation or an added layer of security such as requiring a Captcha, a confirmation email (double opt-in), or some other form of manual validation.
Senders and marketers who are concerned that their programs may be at risk should investigate email addresses that have recently been added to their email programs. Senders should look for spikes in the number of opt-ins that occurred within a very short period and watch out for opt-in activity from email addresses that contain .GOV, .MIL, or other reserved domain spaces. If discovered, those addresses should be isolated and set aside until an investigation can be completed to determine their legitimacy.
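The review described above can be scripted against a sign-up export. The following is an added example, not code from Spamhaus or any ESP: the five-minute window, the spike thresholds, the function names, and the sample records are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed thresholds; tune them against your own sign-up baseline.
WINDOW_SECONDS = 300                  # "very short period" = 5 minutes here
SPIKE_FACTOR = 5                      # window must exceed median * factor
MIN_SPIKE = 5                         # ...and hold at least this many opt-ins
RESERVED_SUFFIXES = (".gov", ".mil")  # domain spaces named in the text

def _bucket(ts):
    """Floor a timezone-aware timestamp to the start of its window."""
    epoch = int(ts.timestamp())
    return epoch - epoch % WINDOW_SECONDS

def quarantine_candidates(signups):
    """signups: iterable of (datetime, email). Returns {email: [reasons]}."""
    signups = list(signups)
    counts = Counter(_bucket(ts) for ts, _ in signups)
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2] if ordered else 0
    spike_buckets = {b for b, n in counts.items()
                     if n >= MIN_SPIKE and n > median * SPIKE_FACTOR}
    flagged = {}
    for ts, email in signups:
        domain = email.rsplit("@", 1)[-1].lower()
        reasons = []
        if _bucket(ts) in spike_buckets:
            reasons.append("spike")
        if domain.endswith(RESERVED_SUFFIXES):
            reasons.append("reserved-domain")
        if reasons:
            flagged[email.lower()] = reasons  # set aside pending review
    return flagged

def sample_signups():
    """Constructed sample: a slow trickle, one .gov opt-in, then a burst."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    rows = [(base + timedelta(minutes=10 * i), f"user{i}@example.com")
            for i in range(6)]
    rows.append((base + timedelta(minutes=25), "clerk@agency.gov"))
    burst = base + timedelta(hours=1)
    rows += [(burst + timedelta(seconds=i), f"victim{i}@example.net")
             for i in range(8)]
    return rows

if __name__ == "__main__":
    for email, reasons in sorted(quarantine_candidates(sample_signups()).items()):
        print(email, ",".join(reasons))
```

The median baseline needs several windows of normal traffic to compare against; an export that contains only the burst itself will not register as a spike.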
Many marketers I work with are hesitant to implement additional steps to verify incoming email addresses for fear of discouraging conversions. However, marketers should note that while growing an email list is critical to the long-term profitability of their email marketing program, doing so at the expense of data quality can quickly derail success. Marketers that send to problematic email addresses have considerably higher bounce rates and a higher likelihood of their program getting blocked by ISPs, potentially leading to a costly Spamhaus blacklisting.
To avoid the possibility of these deliverability issues, here are 2 tips to consider:
At the end of the day, this latest blacklisting incident further emphasizes the importance of taking a proactive approach to maintaining a clean database. By periodically checking the accuracy of their data and ensuring a clean opt-in process, marketers can avoid populating their list with faulty records that cause ongoing blacklisting and deliverability issues.