Ongoing subscription attack

Brian Krebs posted a couple days ago about his experience with the subscription bomb over the weekend. He talks about just how bad it was over the weekend.

At approximately 9:00 a.m. ET on Saturday, KrebsOnSecurity’s inbox began filling up with new newsletter subscriptions. The emails came in at a rate of about one new message every 2-3 seconds. By the time I’d finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails. For most of the weekend until I got things under semi-control, my Gmail account was basically useless.

He also mentions this is something he’s been targeted with in the past.
This is malicious behavior on the part of the folks who are subscribing people. It is harassment.
I’m pleased at the number of ESPs and brands that are taking this seriously. We had a M3AAWG call this morning and much of the discussion was about how people are dealing with the issue. Some data is being shared here on the blog (signup IPs and stuff) and it’s very helpful.
If you are an ESP and you have data you want to share but don’t want to share it publicly contact me directly. The contact address works, I’m also on LinkedIn.
If you’re a recipient and you want some help cleaning up, feel free to contact me as well. I have some ideas of how we can help you and how you can help mitigate this for other people.
This isn’t a problem that’s going to just go away. We, as senders, cannot ignore the abuse. Now that this is out there we need to address it head on and protect both our brands, our network space and those unwilling recipients from being harassed through our services.
That does mean changes in behavior for all of us. Let’s not have the email space fall down on handling abuse like some of the social networking sites have.

Spamhaus comments on subscription attack
Gmail showing authentication results to endusers

Related Posts

Bounce handling is hard

Sometimes I find it hard to find a new topic to write about. I decide I’m going to write about X and then realize I did, often more than once. Other times I think I can blog about some issue only to realize that it’s too complex to handle in a quick post. There are concepts or issues that need background or I have to work a little harder to explain them.
One thing I haven’t blogged about before is bounce handling. That particular topic falls into the other category of posts that take a lot of time to write and need a significant amount of work to make sense. I was even joking with my fellow panel members at EEC a few months ago about how that’s a post that so needs to be written but I’m avoiding it because it’s so hard. There’s so much to be conceptualized and explained and I realize it’s not a blog post but multiple blog posts, or a white paper or even a book.
Bounce Rate words on a thermometer or gauge measuring the rate of abandonment as visitors or audience leaves your website or online page or resource
So let’s start with some simple definitions.  Those of you who work at ISPs are probably thinking of bounces in terms of accept than reject, that’s not exactly what I’m talking about here. I’m writing these for senders, who usually call rejects during the SMTP transaction bounces.

Read More

Spamhaus comments on subscription attack

Steve Linford, CEO of Spamhaus commented on my blog post about the current listings. I’m promoting it here as there is valuable information in it.

Read More

Politician sends spam, experiences consequences, news at 11

Over the weekend I’ve been seeing a number of over the top, hyperbolic blog posts about the Trump Campaign’s agency getting suspended from their ESP for spamming. Adestra suspended the Donald Trump campaign for “for committing some of the most egregious spamming in the history of the Internet in an effort to save his broke campaign.”
That quote about “most egregious spamming” is from some partisan website that is all about making Trump look bad.  I did actually laugh out loud reading most egregious. Let’s be real here. This incidence of spamming doesn’t even make it into the top 100 of the ones I know about. And it’s not like I’m particularly well up on who’s spamming what.
This really is business as usual in the email space and particularly the political email space. Political sender, be they special interest groups or politicians, are sloppy with permission and will send mail to any email address they get their hands on. I talked about this last week: Spam Filtering is Apolitical
spamVote
The Trump campaign isn’t the first political campaign to send spam.  It wasn’t huge news in 2012, but the Romney campaign was doing some bad stuff with their email marketing. They were working with snowshoe spammers. They were listed on the SBL. They got cut off by their ESP.
While Spamhaus doesn’t keep historic records, I found a post from 2012 on the “Mainsleaze” about the Romney campaign / supporters and their use of spam as a campaign tactic. In the comments on that post a representative of Spamhaus says, “Entirely too many political operatives and some of those who work with them at ESPs feel entitled to ignore the usual rules and send opt-out bulk email to anybody they wish.” This is true, and something I’ve repeatedly mentioned on this blog.

Read More