Avoiding Subscription Bombs

by | Aug 7, 2023 | News, Security

If 10,000 emails suddenly flooded your inbox, what would you do?

Any real messages are suddenly lost in the blitz of spam overloading your screen. It is hard enough to delete all those messages, let alone pick the genuine ones out of the flood.

This situation is called “subscription bombing”.

We saw it for the first time a few weeks ago. It is a very targeted form of DoS (Denial of Service) attack.

The perpetrator sets up a bunch of bots to sign their victim up to every mailing list on the internet! That means a tonne of “thank you for subscribing” or “confirm your subscription” emails are unleashed.

Often this means the poor person is overwhelmed, and the bad actor can take advantage of the distraction to carry out another, more malicious attack.

How do you manage a bomb?

Firstly, be less worried about the emails, and look for what else the attacker is doing. Make sure the flood isn’t a distraction from a more severe attack.

Turn up your spam filter, even at the cost of missing some genuine emails – an autoreply can help you manage the fallout with genuine senders.

Use the Outlook mail filter options, which fortunately get smarter all the time, although they are not infallible.
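The filtering advice above relies on a mail client’s rules; the heuristic a filter needs is worth seeing written out. The following is an added example, not code from the original post or from Outlook: it scans a mailbox (here, constructed sample messages) for a burst of sign-up confirmation mail from many unrelated sender domains inside a short window, and lists only those messages for quarantine so genuine mail stays visible. The subject patterns, thresholds and message layout are assumptions; a real deployment would read messages from the mail store and tune the thresholds to its own traffic.

```python
import re
from datetime import datetime, timedelta

# Subject phrases typical of mailing-list sign-up traffic. Heuristic, not exhaustive (assumption).
SUBSCRIPTION_PATTERNS = re.compile(
    r"(confirm your (subscription|email)|thank you for (subscribing|signing up)|"
    r"welcome to|verify your email|please confirm)",
    re.IGNORECASE,
)


def is_subscription_mail(subject):
    """True when the subject looks like a list sign-up or confirmation message."""
    return bool(SUBSCRIPTION_PATTERNS.search(subject))


def sender_domain(addr):
    """Domain part of an address; the burst check counts distinct domains."""
    return addr.rsplit("@", 1)[-1].lower()


def detect_subscription_bomb(messages, window=timedelta(minutes=30), min_count=20, min_domains=10):
    """Return (is_bomb, burst_messages).

    A bomb is a sliding window that holds at least `min_count` sign-up mails from at least
    `min_domains` distinct sender domains. One newsletter re-sending its welcome email does
    not trip the check because the domain count stays low.
    """
    hits = sorted((m for m in messages if is_subscription_mail(m["subject"])),
                  key=lambda m: m["received"])
    start = 0
    for end in range(len(hits)):
        while hits[end]["received"] - hits[start]["received"] > window:
            start += 1
        chunk = hits[start:end + 1]
        domains = {sender_domain(m["from"]) for m in chunk}
        if len(chunk) >= min_count and len(domains) >= min_domains:
            # Burst found: return every sign-up mail inside the window that begins here.
            burst_end = hits[start]["received"] + window
            return True, [m for m in hits if hits[start]["received"] <= m["received"] <= burst_end]
    return False, []


def quarantine_plan(messages):
    """IDs of messages to move out of the inbox. Non-sign-up mail is never touched, so the
    genuine message the attacker is trying to bury stays where the user can see it."""
    is_bomb, burst = detect_subscription_bomb(messages)
    if not is_bomb:
        return []
    return [m["id"] for m in burst]


def build_sample_messages():
    """Constructed sample data, not real mail: 25 confirmation mails from 25 different domains
    within ten minutes, one genuine message, and one legitimate newsletter welcome."""
    t0 = datetime(2023, 8, 7, 9, 0)
    msgs = []
    for i in range(25):
        msgs.append({"id": f"bomb-{i}", "from": f"noreply@list{i}.example",
                     "subject": "Please confirm your subscription",
                     "received": t0 + timedelta(seconds=i * 24)})
    msgs.append({"id": "genuine-1", "from": "accounts@bank.example",
                 "subject": "Your statement is ready", "received": t0 + timedelta(minutes=5)})
    msgs.append({"id": "welcome-1", "from": "hello@news.example",
                 "subject": "Welcome to our newsletter", "received": t0 + timedelta(minutes=3)})
    return msgs


if __name__ == "__main__":
    sample = build_sample_messages()
    print("bomb detected:", detect_subscription_bomb(sample)[0])
    print("quarantine:", quarantine_plan(sample))
```

Note that the legitimate newsletter welcome (`welcome-1`) lands in the quarantine list along with the bomb messages: that is exactly the “cost of missing some genuine emails” the post mentions, and why quarantining rather than deleting is the safer action.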

Protect your own mailing list from being abused.

One of the most effective approaches is to implement CAPTCHA on your signup forms. CAPTCHA, an acronym for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’, is a feature that helps distinguish a human user from a computer, thus preventing automated subscription attacks.

Another approach involves using double opt-in for your email subscriptions. This means that after a user signs up for your service, they must confirm their subscription through an email sent to their address. This extra step stops bots from completing a subscription, because only someone with access to that mailbox can confirm it.
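To make the CAPTCHA and double opt-in advice above concrete, here is an added example of a double opt-in signup flow (it is not code from the original post or from any particular list software). A form submission only records a pending request and produces a signed, time-limited confirmation link; the address is added to the list only when that link is presented, which a bot filling in someone else’s address cannot do. A per-IP throttle on the form is included as well, since double opt-in still sends the victim one confirmation email per list and the throttle is what limits that. The secret, storage, URL and rate limits are placeholders and assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Assumption: placeholder secret; a real service loads this from configuration.
SERVER_SECRET = b"example-secret-do-not-use"
TOKEN_TTL_SECONDS = 24 * 3600

# Hypothetical in-memory stores standing in for a database.
PENDING = {}                     # email -> timestamp of the pending request
CONFIRMED = set()                # addresses that completed double opt-in
SIGNUP_LOG = defaultdict(list)   # client_ip -> timestamps of recent form submissions


def make_confirmation_token(email, issued_at):
    """HMAC over email + issue time, so a link cannot be forged or used past its TTL."""
    msg = f"{email.lower()}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def too_many_signups(client_ip, now, limit=5, window=3600):
    """Throttle: more than `limit` submissions per `window` seconds from one IP is refused."""
    recent = [t for t in SIGNUP_LOG[client_ip] if now - t < window]
    SIGNUP_LOG[client_ip] = recent
    return len(recent) >= limit


def request_subscription(email, client_ip, now=None):
    """Step 1, the form submission (after any CAPTCHA check the form performs).

    Records a pending request and returns the confirmation link the mailer would send to
    the address. Nobody is subscribed yet. Returns None when the client is throttled."""
    now = int(time.time()) if now is None else now
    if too_many_signups(client_ip, now):
        return None
    SIGNUP_LOG[client_ip].append(now)
    PENDING[email.lower()] = now
    token = make_confirmation_token(email, now)
    return f"https://lists.example.invalid/confirm?email={email}&ts={now}&token={token}"


def confirm_subscription(email, ts, token, now=None):
    """Step 2, the click on the link. Only someone who can read the mailbox has the token.

    Rejects unknown or superseded requests, expired tokens, bad signatures and replays."""
    now = int(time.time()) if now is None else now
    email = email.lower()
    if PENDING.get(email) != ts:
        return False
    if now - ts > TOKEN_TTL_SECONDS:
        return False
    expected = make_confirmation_token(email, ts)
    if not hmac.compare_digest(expected, token):
        return False
    del PENDING[email]           # one confirmation per request; a second click is a replay
    CONFIRMED.add(email)
    return True


if __name__ == "__main__":
    link = request_subscription("reader@example.invalid", "203.0.113.9")
    print("confirmation link:", link)
    ts = int(link.split("ts=")[1].split("&")[0])
    tok = link.split("token=")[1]
    print("confirmed:", confirm_subscription("reader@example.invalid", ts, tok))
```

The signed token means the service stores nothing secret per request beyond the pending timestamp, and `compare_digest` keeps the signature check constant-time. Keeping the throttle separate from the token logic lets you tune it per form without touching the opt-in flow.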

Be Careful What You Click

When you see an email asking you to confirm your subscription, check the sender and make sure it is coming from a legitimate source. Never click on suspicious links or attachments within emails, as they could contain malicious scripts that are used for subscription bombing attacks.