BLOG
Ongoing subscription form abuse
Last week Spamhaus posted information on the ongoing subscription attacks. They provided a more information about them that was not make public previously, including some information about the volume of mail some targets received.
Today SendGrid also blogged about this, going into a little more detail about why senders should care about this. They also provided a number of suggestions for how to mitigate the risk of being part of an attack.
There are a couple of things I think it’s important for folks to realize.
This is the new normal
As Spamhaus states, there is some evidence that this may have been a test run for a new product selling mailbombing as a service. Even if it’s not, although I do agree with their assessment, this is something we need to address. Many online companies are struggling with how to stop being a conduit for abuse and harassment. These issues aren’t easy, but they’re there and we have to address them.
Spamhaus saw a direct attack yesterday and a number of ESPs woke up to new SBL listings this morning.
The damage is ongoing
ESPs and other relevant parties have stepped up to the plate to minimize the effect on victims. Despite this there are many addresses still receiving email at significant volumes. Certainly it’s not the hundreds per minute but addresses are permanently affected by this kind of abuse. Because of the targets, including WordPress installations, much of the mail isn’t coming through traditional ESPs.
This diverse sources make it difficult to block the mail, in the short term and the long term.
This is not about spam
This isn’t just about marketing mail. Again, a lot of the conduits for abuse are WordPress forms. Some of the conduits are online alert services. This is about online services being used as tools for harassment.
We need new tools
The problem with spam is a lot of people suffer a little bit of damage. This means most tools use volume of complaints as a primary metric. But with direct harassment like this, it’s a lot of damage for a small number of people. Until Spamhaus started listing ESPs, no one knew it was happening. This includes the ESP that sent 81,000 confirmation emails to 9 email addresses over the course of 2 weeks.
We need new strategies
COI isn’t a great solution for this. In fact, the 81,000 emails were all COI requests. Captchas are not idea for a number of reasons, including discouraging signups from actual customers. We, as an industry, are going to have to think of ways to fix this. Yes, right now COI and captcha are the only solutions we have. But that doesn’t mean they are the only solutions, they’re just the stop gap. I don’t think it’s a huge secret that I don’t like the subscription validation companies very much, but they have the opportunity here to really stop this kind of abuse. No, their current SMTP tickling and delivery testing isn’t going to catch this (and, in fact, will cause problems for smaller targets), but there are other strategies they can create to address this.
Overall, this is something that needs to be addressed to prevent significant damage to individuals. Subscription forms need to be secured better and high volume senders need to pay attention to their address lists. One thing that was discovered is that this is not new. Some ESPs found a single address on thousands of their lists added over months. Low level abuse was happening, we didn’t see it because we weren’t looking. Now, we know it’s there and we must act to fix it.
I agree that captchas aren’t a great solution, but they’re a good short-term band-aid. I disagree that COI isn’t good for this, but to get to why, I think we need to better understand the problem.
Without any data, I have a few questions:
1) How many mailing lists does the average person sign up for, and what’s the standard deviation?
2) At what frequency does someone sign up for mailing lists, what’s the standard deviation, and what’s the curve over time?
3) Given that ESPs now have at least a basic channel for sharing and mitigating existing victims, could that be extended to prospective victims?
I’m going to guess the answers are 1) something like 20ish, give or take 20ish, and with a long tail to the right, 2) every couple months, give or take every couple months, but with a big spike when a new email address is created and a massive dropoff after that, with some bumpiness when someone gets a new job or a new hobby or something, and 3) why the hell not?
Except I’m guessing, because I don’t have any data. But there’s people who don’t have to guess: the ESPs. There’s a few ESPs big enough to have enough data that they can provide real-world answers to those questions. It’s a big-data analytics problem.
Suppose there’s some number of subscription requests to the same address over some span of time, let’s say forty in a week? Whatever that number is, figured by real-world data, you stop sending COI confirmations after that. And when somebody hits that, the ESPs share the address with the others.
It’s not ideal, sure, but 100-odd COI requests per target is a lot more tractable problem than 9,000, innit? And yes, I know it doesn’t do shit for the compromised wordpress plugin end of the problem, but it at least mitigates the ESP end.
Is this workable? Why or why not?
I feel that if Spamhaus/Abuseat.org are going to blacklist IP addresses over this, and they seem to be, then they should provide ESP’s with at least some information about the email(s) that have lead to the blacklistings.
The current team at Abuseat.org appear to never provide any useful information about how to identify any of the offending emails. Surely some ESP’s can be trusted. There is also no way to contact Spamhaus, so communication is completely broken at the moment. How is an ESP supposed to give any feedback to them?
A number of ESPs have found relevant addresses by looking through all their customer lists. It’s pretty simple, if an address is on thousands of your lists, and it was signed up to all of them in a short period of time, then it’s very likely one of the problem addresses. ESPs are also sharing information with each other in order to identify which customers are affected.
Once it was clear that these listings were in response to actual abuse (i.e., that there was a direct ongoing abuse incident) many, many ESPs stepped up to the plate and started looking at their customers. Spamhaus hasn’t needed to tell ESPs more than what’s been made public here for many of them to take action.