Spamhaus and subscription bombing

Spamhaus released a blog post today discussing the recent subscription bombing: Subscription bombing COI captcha and the next generation of mail bombs.
As I mentioned in my initial posts, this abusive behavior goes beyond spamming. This is using email to harass individuals. Spamhaus even mentions a potential service that can be used to do these kinds of mailbombing.
Things folks need to know is that this is not just about ESPs and commercial mail. One of the big targets was WordPress admin forms. As Spamhaus says:

[T]he onus of stopping this kind of attack is not only on ESPs or mailing list owners. It is on everyone that has any sort of web-based signup that results in an email being sent: somebody clearly spent a great deal of time assembling URLs of mailing lists, and of account sign up pages, and has written a script to submit addresses to them at speed. We suspect that this was a test run for a tool that will will soon be offered for sale in the ‘Underground Economy’: Mail-bombing as a Service – MaaS.

With more and more abuse happening, every one who runs a service online needs to be cognizant of the abuse potential. Moreover even paths that have been around and haven’t been exploited may be exploited in the future.
We need to protect ourselves by making services that are difficult, if not impossible, to use as abuse vectors.

Mail Client Improvements
Ongoing subscription form abuse

Related Posts

Spamhaus and Gmail

Today’s been chock full of phone calls and dealing with clients, but I did happen to notice a bunch of people having small herds of cows because Spamhaus listed www.gmail.com on the SBL.
“SPAMHAUS BLOCKS GOOGLE!!!” the headlines scream.
My own opinion is that Google doesn’t do enough to police their network and their users, and that a SBL listing isn’t exactly a false positive or Spamhaus overreaching. In this case, though, the headlines and the original article didn’t actually get the story right.
Spamhaus blocked a range of IP addresses that are owned by Google that included the IP for www.gmail.com. This range of IP addresses did not include the gmail outgoing mailservers.
Spamhaus says

Read More

Spamhaus comments on subscription attack

Steve Linford, CEO of Spamhaus commented on my blog post about the current listings. I’m promoting it here as there is valuable information in it.

Read More

Abuse, triage and data sharing

The recent subscription bombs have started me thinking about how online organizations handle abuse, or don’t as the case may be. Deciding what to address is all about severity. More severe incidents are handled first. Triage is critical, there’s never really enough time or resources to investigate abuse.
biohazardmail
What makes an event severe? The answer is more complicated that one might think. Some of the things that ISP folks look at while triaging incoming complaints include:

Read More