Spamhaus and subscription bombing

Spamhaus released a blog post today discussing the recent subscription bombing: "Subscription bombing COI captcha and the next generation of mail bombs".
As I mentioned in my initial posts, this abusive behavior goes beyond spamming. This is using email to harass individuals. Spamhaus even mentions a potential service that can be used to do this kind of mailbombing.
What folks need to know is that this is not just about ESPs and commercial mail. One of the big targets was WordPress admin forms. As Spamhaus says:

[T]he onus of stopping this kind of attack is not only on ESPs or mailing list owners. It is on everyone that has any sort of web-based signup that results in an email being sent: somebody clearly spent a great deal of time assembling URLs of mailing lists, and of account sign up pages, and has written a script to submit addresses to them at speed. We suspect that this was a test run for a tool that will soon be offered for sale in the ‘Underground Economy’: Mail-bombing as a Service – MaaS.

With more and more abuse happening, everyone who runs a service online needs to be cognizant of the abuse potential. Moreover, even paths that have been around and haven’t been exploited may be exploited in the future.
We need to protect ourselves by making services that are difficult, if not impossible, to use as abuse vectors.
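
As an added example (not from the original post or from Spamhaus), here is a minimal gate a signup handler could call before sending any confirmation mail. It throttles a source that submits many addresses at speed and a single mailbox that is being signed up repeatedly; the class name, thresholds and sample addresses are assumptions.

```python
import time
from collections import defaultdict, deque


class SignupGuard:
    """Decides whether a signup may trigger an outbound confirmation email."""

    def __init__(self, window=3600, max_per_source=5, max_per_recipient=3):
        # Thresholds are illustrative assumptions, not values from the post.
        self.window = window
        self.max_per_source = max_per_source
        self.max_per_recipient = max_per_recipient
        self._by_source = defaultdict(deque)     # source IP -> attempt times
        self._by_recipient = defaultdict(deque)  # mailbox -> times mail was sent

    @staticmethod
    def normalize(address):
        # Collapse case and "+tag" so variants of one mailbox share a counter.
        local, _, domain = address.strip().lower().rpartition("@")
        return f"{local.split('+', 1)[0]}@{domain}"

    def _count(self, bucket, now):
        # Drop entries older than the window, then report what is left.
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        return len(bucket)

    def check(self, source_ip, address, now=None):
        """Return 'send', or the reason the confirmation mail is withheld."""
        now = time.time() if now is None else now
        src = self._by_source[source_ip]
        dst = self._by_recipient[self.normalize(address)]
        src_count, dst_count = self._count(src, now), self._count(dst, now)
        src.append(now)  # record every attempt, so a scripted source stays throttled
        if src_count >= self.max_per_source:
            return "throttle_source"
        if dst_count >= self.max_per_recipient:
            return "throttle_recipient"
        dst.append(now)  # count only mail actually sent to the mailbox
        return "send"


if __name__ == "__main__":
    # Constructed sample: one source submitting a new address every second.
    guard = SignupGuard(max_per_source=2)
    for i in range(4):
        print(i, guard.check("198.51.100.7", f"user{i}@example.com", now=i))
```

The per-recipient counter is most useful where one system serves many forms, such as an ESP hosting many lists; a throttled request should get the same response page as a successful one so the script learns nothing from it.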
