Recently, there has been a resurgence of attacks on brand reputation in the email world. The attack is known as either “mail bombing” or “mail flooding.” This presents a threat to both consumers and brands alike. This form of attack has the potential to violate anti-spam and privacy legislation for blacklisting, false subscriptions and can result in an increase in spam folder placements for future commercial and transactional messages. Even a brand using confirmed opt-in is not immune to the impact mail bombing can have on their reputation.

Mail flooding happens for a few reasons. It could be done as a joke among friends. However, what starts as a joke often ends in a friend having to delete their email account. Sometimes it is done in an act of revenge against someone. Finally, it might be used as a distraction from other criminal activities. For example, if an attacker is trying to access accounts without the owner noticing, a mail bombing attack can drown out the password reset notifications and error messages.

It’s not only important to understand why it happens. Brands need to know how it happens. During a mail flooding attack, the attacker signs up one email address for hundreds of subscription forms. This results in a plethora of subscription notifications, confirmation messages, and transactional messages being sent to the victim’s inbox. These messages overwhelm their account and keep it from functioning for an extended period of time. An exponential impact can be made by utilizing hundreds of websites at the same time, making it hard for an individual company to see they are part of the problem.

There are a few ways a company can try to prevent a mail bombing attack. Combining these tactics will build a strong form that can withstand this type of abuse.

  • Rate Limits—Prevent a form from being submitted multiple times by the same IP address with a rate limit. This works when it is the same IP coming to the form repeatedly, but keep in mind sometimes the bot will change the IP address.
  • Captcha—Adding a Captcha can be beneficial, but you have to ensure it’s set up as part of the form submission evaluation. If not, then it’s rendered useless.
  • Validation Service—An address validation service might catch an attack. If you are using one or are thinking about getting one, ask them if this is something they can provide.
  • Set a Region—If your audience is limited to a specific region, limit the form to that region only. If an IP from outside the region attempts to fill out the form, it will not go through.
  • Take a Look at the Process— Examine how your form submits information. If you can limit the activity to just that page, it will make an impact. It is important to remove the ability for someone to map the form submission and then automate their way around the web page. Taking these measures can cause roadblocks to the submission process that will (most times) make the attacker move along.
  • Keep Track of Time—Develop a field to look at the time stamp or generated key for the page load. If the submission time is too short, it should be tossed. An automated form will be filled out too quickly. On average, a person needs a minute to fill out five fields. In comparison, a bot could take care of five forms in one second.
  • Change Names—Refrain from using standard codes for fields. Replace “firstname,” with “First_Banana.” This might seem foolish, but an attacker is relying on scripts that look for common field name variations. The new unusual names will not register, and your site visitors won’t see anything unusual from their end.
  • Trick the Bot—Include some blank fields in the form a bot would fill out, but an actual person would not see. For example, a visible email field and invisible email field. Bots will read the code of the invisible field, but humans will not be able to see it. If any form has both sections filled out, you can safely assume it is the work of a bot.
  • Use a Defined Message Header–Consider using the new standard (currently in draft), “A Message Header to Identify Subscription Form Mail.” A defined message header clarifying an email message sent in response to a web form submission can help the mail systems better recognize and mitigate the mail bomb.

What to Do if Your Forms Were Compromised

So, what does a brand do if their forms were used in a mail bombing attack? First, start by trying to identify when the submissions started. It could be weeks before you notice the attack, so the subscriptions could potentially be weeks old. Analyze the trend of your daily subscriptions over time to see if there is a big spike at any point. After you can pinpoint the timeframe of the attack, you can move forward. Here are a few tips for what to do next. 

  • Once the timeline is identified, separate all the users within it and withhold them from the program while you investigate the attack. You could consider removing the names and then sending a confirmation of consent to all the addresses that appear to be legitimate.
  • If you do find a way to identify the fake subscribers, section them out of your list.
  • Look for garbage data, or any data that seems to be machine-generated. See if any IP address is submitting the forms repeatedly.
  • While the code is being corrected, be sure to take the form offline.
  • After your investigation is complete, relaunch the website with a more secure version of the form.

There is no clear cut way to address a mail bombing attack, but what brands can do is begin to put these solutions into practice and be prepared to respond if an attack happens. The steps above can help to minimize the impact on your brand if it is unknowingly used in a mail bombing attack.