What is subscription bombing and how do you prevent it?

Subscription bombing

Subscription bombing is an increasingly common phenomenon, and any organization that uses forms on its website can fall victim to it.

In this article, we will answer the following questions: what is subscription bombing, what is the damage to your organization, and how can you prevent or limit it?


What is subscription bombing?

Subscription bombing is a spam method that exploits an existing infrastructure with an established reputation. Spammers' scripts scan the web for unprotected forms on websites. A script then automatically fills such a form with email addresses, and the owner of each address is thereby "signed up" to receive mail.

Subscription bombing is successful because forms usually activate transactional emails. These are emails with a non-commercial purpose, such as notifications about registration, setting changes, purchases, or invoices.

These emails often have a better reputation, are sent with higher priority, and therefore have a better chance of ending up in the recipient's inbox.

Subscription bombing is carried out for the following reasons:

  • As a distraction for a hacking attempt: if a consumer is signed up for all kinds of newsletters at once, they will receive a "bomb" of emails. This distracts the recipient from important emails (invoices, setting changes, etc.), allowing hackers to make purchases or have free rein for other fraudulent activities.
  • Out of revenge: to harass someone, for fun, or for other malicious reasons.
  • For sending spam: fields on your form can be filled with spam texts and phishing websites, which are then inadvertently used to personalize your (automatic) emails.


Three parties are affected

In addition to the consumer, organisations and ESPs (Tripolis, Spotler, or other email service providers) are also affected. If your organisation has not secured the forms on its website well enough, you may unintentionally send one or more emails to addresses that never asked for them.

This can result in damage to the reputation and brand image for both the ESP and the organisation that sends the email. Below, we further explain how this works.


How do you recognize subscription bombing?

As an organisation, you suddenly receive many "false" sign-ups for your (email) marketing automation lists. The following points give a good indication of this:

  • Sign-ups arrive more often at irregular times.
  • Random characters are entered in contact fields (such as first name).
  • There are multiple sign-ups with variations of the same email address. Gmail, for example, ignores dots in the part before the @, so all dotted variants are delivered to the same mailbox, which means that one victim is spammed even more.
  • Suddenly, there are domains in your list that do not fall within your target audience. If your target audience is Dutch, you hardly expect addresses from American internet providers, such as @comcast.net or @aol.com.
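The indicators above can be checked mechanically against a sign-up export. The following is an added example (not Webpower or Tripolis code) that scores constructed sample sign-ups for the four indicators: irregular bursts, random-looking names, Gmail dot variants of one mailbox, and domains outside an assumed Dutch target audience; the TLD and provider lists are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ups (not real data): (ISO timestamp, email, first name)
SIGNUPS = [
    ("2024-03-01T03:12:05", "jan.jansen@gmail.com", "Jan"),
    ("2024-03-01T03:12:07", "j.anjansen@gmail.com", "xq7Tzk"),
    ("2024-03-01T03:12:09", "janjan.sen@gmail.com", "Kq92lP"),
    ("2024-03-01T03:12:11", "someone@comcast.net", "Rt5vBn"),
    ("2024-03-01T14:30:00", "piet@example.nl", "Piet"),
]

# Assumed Dutch target audience: local TLDs plus a few global mailbox providers.
EXPECTED_TLDS = {"nl", "be"}
GLOBAL_PROVIDERS = {"gmail.com", "googlemail.com", "hotmail.com", "outlook.com"}

def canonical_mailbox(email):
    """Gmail ignores dots in the local part, so dotted variants reach one mailbox."""
    local, _, domain = email.lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"

def looks_random(name):
    """Crude heuristic: digits, or no vowels at all, suggest a generated value."""
    return bool(re.search(r"\d", name)) or not re.search(r"[aeiouy]", name.lower())

def off_target(email):
    domain = email.lower().rpartition("@")[2]
    return domain not in GLOBAL_PROVIDERS and domain.rsplit(".", 1)[-1] not in EXPECTED_TLDS

def analyze(signups, window=timedelta(seconds=60), burst_threshold=3):
    """Return {email: [reasons]} for sign-ups matching the indicators in the text."""
    rows = sorted((datetime.fromisoformat(t), e.lower(), n) for t, e, n in signups)
    variants = defaultdict(set)
    for _, email, _ in rows:
        variants[canonical_mailbox(email)].add(email)
    flagged = defaultdict(list)
    for i, (ts, email, name) in enumerate(rows):
        if looks_random(name):
            flagged[email].append("random_name")
        if off_target(email):
            flagged[email].append("off_target_domain")
        if len(variants[canonical_mailbox(email)]) > 1:
            flagged[email].append("dot_variant_duplicate")
        # Burst: number of sign-ups within `window` starting at this one.
        if sum(1 for t2, _, _ in rows[i:] if t2 - ts <= window) >= burst_threshold:
            flagged[email].append("burst")
    return dict(flagged)
```

Flagged addresses are candidates for review or removal; the legitimate daytime sign-up from a .nl address is not flagged.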


What damage does my organization suffer?

Subscription bombing causes different types of damage to your organization:

  • Damage to your brand image: recipients are harassed with unwanted (opt-in) emails from your organization, which does not benefit your name.
  • Reputation damage: because you send many (opt-in) emails that should not have been sent, you will experience hard bounces, unsubscribes, spam trap hits, and spam complaints. If your sent emails are marked as spam, this can cause significant reputational damage to your sending domain and your ESP's domain as a whole. This will also cause your emails to land in the spam folder the next time.

Note: even if the email is not marked as spam by the recipient, you will still suffer reputational damage.

If you send many emails that are never opened, large mailbox providers such as Gmail or Outlook will see you as less trustworthy than domains whose emails are opened. In the worst case, you may even be blocked.


How to prevent damage from subscription bombing?

You can prevent damage from subscription bombing in several ways:

  • Secure your forms with a CAPTCHA.
  • Place the form at a different URL than the homepage; forms are usually targeted via the homepage and are less easily discovered at another URL. Alternatively, you can use a landing page with a form (Webpower's landing pages also have a reCAPTCHA option that you can enable).
  • Add an (extra) hidden field. A hidden field is a form field that is present in the page but invisible to human visitors. If this field is filled in, a spam bot has most likely been active.

In addition, we also recommend a double opt-in. Because recipients must first confirm that they signed up for the mailing list (which they do not do in the case of subscription bombing), no automatic follow-up emails are sent from your list to the victim if confirmation is not received. There is some argument that the opt-in email is itself part of the problem, because it immediately "pollutes" the recipient's inbox. However, this does not outweigh the damage caused if subscription bombing goes unnoticed for a long time and contacts continue to receive unwanted emails from you.
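The hidden-field check and the double opt-in from the list above can be combined in the server-side handler that receives the form post. This added example (not Webpower or Tripolis code) rejects submissions whose honeypot field is filled and otherwise issues an HMAC-signed, expiring confirmation token, so nothing enters the mailing list until the address owner clicks the link; the field name `website_url`, the 48-hour validity and the demo secret are assumptions.

```python
import hmac, hashlib, secrets, time
from base64 import urlsafe_b64encode, urlsafe_b64decode

SECRET = secrets.token_bytes(32)   # per-deployment secret (generated here for the demo)
HONEYPOT_FIELD = "website_url"     # assumed field name; hidden from humans, never pre-filled
CONFIRM_TTL = 48 * 3600            # assumed 48h validity of the confirmation link
SIG_LEN = 32                       # SHA-256 HMAC length in bytes

def handle_signup(form, now=None):
    """Process a raw form post. Returns ('reject', reason) or ('pending', token).
    Rejected posts are dropped silently so the bot learns nothing; the address is
    not added to the list until confirm() succeeds for the token sent to it."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return "reject", "honeypot_filled"
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        return "reject", "invalid_email"
    return "pending", make_confirm_token(email, now)

def make_confirm_token(email, now=None):
    """HMAC-signed, time-stamped token to embed in the double opt-in link."""
    ts = int(time.time() if now is None else now)
    msg = f"{email}|{ts}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return urlsafe_b64encode(msg + sig).decode()

def confirm(token, now=None):
    """Return the confirmed email, or None if the token is forged, tampered or expired."""
    try:
        raw = urlsafe_b64decode(token.encode())
        msg, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        expected = hmac.new(SECRET, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        email, _, ts = msg.decode().rpartition("|")
        if (time.time() if now is None else now) - int(ts) > CONFIRM_TTL:
            return None
        return email
    except (ValueError, UnicodeDecodeError):
        return None
```

Only a successful confirm() should add the address to the list; the pending token itself is never stored, so a bombed inbox receives at most the single confirmation mail.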


What should you do if your forms are being abused?

Contact us and start (re)securing your forms. The Tripolis deliverability team will also alert you immediately if it detects subscription bombing. Our team of experts continuously monitors our customers' sending to ensure the highest possible deliverability.

After subscription bombing, we can perform the following actions with you:

  • Disable the subscription plug-in
  • Pause flows and automation
  • Immediately remove fake addresses from your database. Don't be too cautious: it is better to remove too many addresses than too few. The Bulk Remove option in Webpower is the best way to do this
  • Request to secure your form with a CAPTCHA

Once the appropriate steps are taken to protect your forms from subscription bombing and your databases are cleaned, you can resume sending your emails.