BLOG

Ongoing subscription attack

Brian Krebs posted a couple days ago about his experience with the subscription bomb over the weekend. He talks about just how bad it was over the weekend.

At approximately 9:00 a.m. ET on Saturday, KrebsOnSecurity’s inbox began filling up with new newsletter subscriptions. The emails came in at a rate of about one new message every 2-3 seconds. By the time I’d finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails. For most of the weekend until I got things under semi-control, my Gmail account was basically useless.

He also mentions this is something he’s been targeted with in the past.

This is malicious behavior on the part of the folks who are subscribing people. It is harassment.

I’m pleased at the number of ESPs and brands that are taking this seriously. We had a M3AAWG call this morning and much of the discussion was about how people are dealing with the issue. Some data is being shared here on the blog (signup IPs and stuff) and it’s very helpful.

If you are an ESP and you have data you want to share but don’t want to share it publicly contact me directly. The contact address works, I’m also on LinkedIn.

If you’re a recipient and you want some help cleaning up, feel free to contact me as well. I have some ideas of how we can help you and how you can help mitigate this for other people.

This isn’t a problem that’s going to just go away. We, as senders, cannot ignore the abuse. Now that this is out there we need to address it head on and protect both our brands, our network space and those unwilling recipients from being harassed through our services.

That does mean changes in behavior for all of us. Let’s not have the email space fall down on handling abuse like some of the social networking sites have.

6 comments

  1. Dave says

    If only there were some technical step a list operator could take to ensure they don’t participate as part of the problem.

    Some way to… I don’t know… Confirm whether a recipient has opted in?

    That would be neat.

    1. laura says

      In this case that’s not helping. The volume of COI mail is enough to render mailboxes useless.

  2. Moliverability says

    Part of the solution is getting clients to understand and get them to take action.

  3. Steve Linford says

    Spamhaus was also hit this morning by the same subscription attack, but the volume was very small (~1000 emails) and therefore simple to delete.

    Of note it was not all composed of list subscription responses, half consisted of account signups at WordPress sites (“here’s your username and password”), all of which came with a very handy “X-Mailer: PHPMailer” header making filtering them to the Trash automatic.

    Somebody has obviously spent a lot of time assembling urls of mailing lists and account signup pages and written a script to submit addresses to them. Subscription list owners and owners of sites which email signup confirmations might hope that it was simply a teenage miscreant with too much time on his hands, but my guess is this is someone testing an ’email bombing’ product likely to be soon for sale in Darknet supermarkets. A product that would be rendered useless if subscription list owners and sites which email signup confirmations put a simple and free Captcha on address input forms.

  4. Ara Bulbulian says

    Sign-up forms with ‘smart’ logic to determine whether to display a CAPTCHA check based on the email and/or IP source. Say you had a threshold of 10 sign-ups per email address over an hour and this was exceed (service check) then the CAPTCHA form would be displayed / enforced. Of course you would need back end data to make this type of a service check a reality.

  5. Elizabeth McCarthy says

    I just got bombed with someone using my gmail. It’s really frightening to know someone would use my gmail to sign up for hundreds of subscriptions. What do I do to prevent this? How can I find out who it is?

Comment:

Your email address will not be published. Required fields are marked *

Archives