Ongoing subscription form abuse

Last week Spamhaus posted information on the ongoing subscription attacks. They provided a more information about them that was not make public previously, including some information about the volume of mail some targets received.
Today SendGrid also blogged about this, going into a little more detail about why senders should care about this. They also provided a number of suggestions for how to mitigate the risk of being part of an attack.
Many abstract images on the theme of computers, Internet and high technology.
There are a couple of things I think it’s important for folks to realize.

This is the new normal

As Spamhaus states, there is some evidence that this may have been a test run for a new product selling mailbombing as a service. Even if it’s not, although I do agree with their assessment, this is something we need to address. Many online companies are struggling with how to stop being a conduit for abuse and harassment. These issues aren’t easy, but they’re there and we have to address them.
Spamhaus saw a direct attack yesterday and a number of ESPs woke up to new SBL listings this morning.

The damage is ongoing

ESPs and other relevant parties have stepped up to the plate to minimize the effect on victims. Despite this there are many addresses still receiving email at significant volumes. Certainly it’s not the hundreds per minute but addresses are permanently affected by this kind of abuse. Because of the targets, including WordPress installations, much of the mail isn’t coming through traditional ESPs.
This diverse sources make it difficult to block the mail, in the short term and the long term.

This is not about spam

This isn’t just about marketing mail. Again, a lot of the conduits for abuse are WordPress forms. Some of the conduits are online alert services. This is about online services being used as tools for harassment.

We need new tools

The problem with spam is a lot of people suffer a little bit of damage. This means most tools use volume of complaints as a primary metric. But with direct harassment like this, it’s a lot of damage for a small number of people. Until Spamhaus started listing ESPs, no one knew it was happening. This includes the ESP that sent 81,000 confirmation emails to 9 email addresses over the course of 2 weeks.

We need new strategies

COI isn’t a great solution for this. In fact, the 81,000 emails were all COI requests. Captchas are not idea for a number of reasons, including discouraging signups from actual customers. We, as an industry, are going to have to think of ways to fix this. Yes, right now COI and captcha are the only solutions we have. But that doesn’t mean they are the only solutions, they’re just the stop gap. I don’t think it’s a huge secret that I don’t like the subscription validation companies very much, but they have the opportunity here to really stop this kind of abuse. No, their current SMTP tickling and delivery testing isn’t going to catch this (and, in fact, will cause problems for smaller targets), but there are other strategies they can create to address this.
Overall, this is something that needs to be addressed to prevent significant damage to individuals. Subscription forms need to be secured better and high volume senders need to pay attention to their address lists. One thing that was discovered is that this is not new. Some ESPs found a single address on thousands of their lists added over months. Low level abuse was happening, we didn’t see it because we weren’t looking. Now, we know it’s there and we must act to fix it.

Spamhaus and subscription bombing
Upcoming events

Related Posts

Gathering data at subscription time

I recently received a survey from my Congressional Representative. She wanted to know what I wanted her to focus on in the coming year. I decided to go ahead and answer the survey, as I have some rather strong opinions on some of the stuff happening in Congress these days.
The email itself was pretty unremarkable, although quite well done. I was as much interested in answering the survey because it’s one of the few emails I’ve seen with an embedded survey.

Read More

Open subscription forms going away?

A few weeks ago, I got a call from a potential client. He was all angry and yelling because his ESP had kicked him off for spamming. “Only one person complained!! Do you know him? His name is Name. And I have signup data for him! He opted in! How can they kick me off for one complaint where I have opt-in data? Now they’re talking Spamhaus listings, Spamhaus can’t list me! I have opt-in data and IP addresses and everything.”
We talked briefly but decided that my involvement in this was not beneficial to either party. Not only do I know the complainant personally, I’ve also consulted with the ESP in question specifically to help them sort out their Spamhaus listings. I also know that if you run an open subscription form you are at risk for being a conduit for abuse.
This abuse is generally low level. A person might sign up someone else’s address in an effort to harass them. This is a problem for the victim, but doesn’t often result in any consequences for the sender. Last week’s SBL listings were a response to subscription abuse happening on a large scale.

Read More

Harvesting and forging email addresses

For the contact address on our website, Steve has set up a rotating set of addresses. This is to minimize the amount of spam we have to deal with coming from address harvesters. This has worked quite well. In fact it works so well I didn’t expect that publishing an email address for taking reader questions would generate a lot of spam.
Boy, was I wrong. That address has been on the website less than a month and I’m already getting lots of spam to it. Most of it is business related spam, but there’s a couple things that make me think that someone has been signing that address up to mailing lists.
One is the confirmation email I received from Yelp. I don’t actually believe Yelp harvested my address and tried to create me an email account. I was happy when I got the first mail from Yelp. It said “click here to confirm your account.” Yay! Yelp is actually using confirmations so I just have to ignore the mail and that will all go away.
At least I was happy about it, until I started getting Yelp newsletters to that address.
Yelp gets half a star for attempting to do COI, but loses half for sending newsletters to people who didn’t confirm their account.
I really didn’t believe that people would grab a clearly tagged address off the blog and subscribe it to mailing lists or networking sites. I simply didn’t believe this happened anymore. I know forge subscribing used to be common, but it does appear that someone forge signed me up for a Yelp account. Clearly there are more dumb idiots out there than I thought.
Of course, it’s not just malicious people signing the address up to lists. There are also spammers harvesting directly off the website.
I did expect that there would be some harvesting going on and that I would get spam to the address. I am very surprised at the volume and type of spam, though. I’m getting a lot of chinese language spam, a lot of “join our business organization” spam and mail claiming I subscribed to receive their offers.
Surprisingly, much of the spam to this address violates CAN SPAM in some way shape or form. And I can prove harvesting, which would net treble damages if I had the time or inclination to sue.
It’s been an interesting experience, putting an unfiltered address on the website. Unfortunately, I am at risk of losing your questions because of the amount of spam coming in. I don’t think I’ve missed any, yet, but losing real mail is always a risk when an address gets a lot of spam – whether or not the recipient runs filters.
I’m still pondering solutions, but for now the questions address will remain as it is.

Read More