Spamhaus and email bombing marketing update

As many folks within the email eco-system probably know by now, Spamhaus, an organization known for compiling several widely used anti-spam lists, has been extremely active this week. Over the past week, Spamhaus has listed a number of potentially hazardous IP addresses used by some of the world’s largest email service providers due to the way their newsletters signups are set up. According to most of the listings, Spamhaus has stated:

Unfortunately, the said newsletter service is not verifying the email address of new subscribers. Due to this, the service can be easily abused to “listbomb” internet users.

Problem resolution
The newsletter service needs to clean up their email address list and ensure that bulk emails are only being sent to recipients who have verifiably subscribed to their bulk email service.

In addition, the newsletter service should take appropriate actions to prevent further abuse of their service:

a) Implementing CAPTCHA to prevent automated subscriptions
b) Implementing Confirmed Opt In (COI) to prevent abusers from adding random email addresses to the newsletter service that are not owned by the subscriber

For the most part these listings should not directly impact marketers’ current ability to send their campaigns and reach their customers as they are listed as “warnings” within the Spamhaus system. What is important to understand is that these types of listings will likely continue to happen as Spamhaus has seen a dramatic increase in malicious use of newsletter sign-ups to “email bomb” various addresses, especially government (.gov) domains.

While we understand that implementing CAPTCHA, or COI into any marketing system is not something that can be done quickly, Experian Marketing Services has recommended that our clients begin to investigate how they can potentially implement this process into their newsletter sign-ups. By asking customers to simply perform the CAPTCHA check, it will not only protect marketers from adding addresses from automated signup systems, but will also reduce the possibility of being listed with Spamhaus for these types of issues in the future.

Some additional resources:

Massive Email Bombs Target .Gov Addresses

Subscription bombing, ESPs and Spamhaus, August 15, 2016 by laura in Best Practices

Comment on the latter blog post on WordtotheWise.com from the CEO of Spamhaus:

Excellent well summarized article Laura.

No, we’ve not changed SBL policy to require COI. It’s something we very strongly advise but we cannot make a requirement. We’ll have to consider it if list-bombing of this magnitude cannot be kept in check by list managers.

This incident involved a large number of government addresses belonging to various countries being subscribed to very large numbers of lists in a very short space of time by scripts run by the attacker(s). Most of the lists hit by the attack used COI and therefore only sent confirmation requests and did not subscribe any addresses. The attack undoubtedly also hit lists which used Captcha in addition to COI and thus did not even proceed to COI (those list admins deserve some sort of community ‘hi 5’ award, since one can imagine how hard it is to convince one’s management to implement COI let alone put Captcha in front of it).

The issue is the badly-run ‘open’ lists which happily subscribed every address without any consent verification and which now continue as participants in the list-bombing of government addresses. These we are trying to address with SBL listings to prompt resolution by the Senders. As you noticed, most of these particular incident listings are for IPs ending “.0/32” which does not cause any mail issue to the Sender and is deliberately used where we have a good relationship with the Sender and know they will act quickly on the alert.

Steve Linford
Chief Executive
The Spamhaus Project