How can I prevent list bombing?
In the world of email marketing, protecting your contact list is crucial to ensure strong deliverability and maintain your sender reputation. However, a growing and often underestimated threat is disrupting this balance: list bombing. This type of attack, usually carried out by bots, floods your mailing list with unsolicited or invalid email addresses. The consequences can be severe — from plummeting open rates to your domain being blacklisted. In this article, we’ll explain what list bombing is, how to identify it, the impact it can have on your email campaigns, and most importantly, how to effectively protect yourself using the tools available on systeme.io.
I. What is list bombing?
List bombing is a malicious attack where bots exploit vulnerable subscription forms by submitting thousands of fake opt-ins, filling your contact list with email addresses that have not consented to receive emails from you or are invalid.
II. How does list bombing affect you?
List bombing is a serious issue that can severely affect your email deliverability in the following ways:
- Hard bounces and/or spam complaints that negatively impact your sender reputation.
- Lower open rates.
- High probability of hitting spam traps.
- Sender domain name might be blacklisted or face severe drops in reputation, resulting in email servers sending your emails to a spam folder, or blocking your emails from reaching inboxes entirely.
III. How to identify a list bombing attack?
- The first indicator is a sudden, unexpected spike in new subscribers.
- All the email addresses came in through the same signup form.
- The influx of emails occurred during a specific, short timeframe.
- An unusually high bounce and/or spam complaint rate during that specific timeframe compared with previous periods.
- These contacts do not contain real data; they often feature randomly generated (gibberish) first and last names.
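The indicators above can be checked against an exported contact list. The following is an added example, not a systeme.io tool: it flags forms that received a burst of signups inside a short window and picks out the contacts in that burst whose first names look machine-generated. The sample rows, form names, 5-minute window, threshold of 5 and the gibberish heuristic are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: (signup time, form name, first name, email).
SIGNUPS = [
    ("2024-05-01 09:12:00", "newsletter", "Maria", "maria@example.com"),
    ("2024-05-01 14:40:00", "newsletter", "Tom", "tom@example.org"),
    ("2024-05-02 03:00:05", "popup-ebook", "xkqzrtw", "a1@example.net"),
    ("2024-05-02 03:00:09", "popup-ebook", "Bdfghjk", "a2@example.net"),
    ("2024-05-02 03:00:14", "popup-ebook", "qwrtpsd", "a3@example.net"),
    ("2024-05-02 03:00:20", "popup-ebook", "Anna", "anna@example.com"),
    ("2024-05-02 03:00:31", "popup-ebook", "zzxcvbn", "a4@example.net"),
    ("2024-05-02 03:00:40", "popup-ebook", "hjklmnp", "a5@example.net"),
    ("2024-05-03 11:00:00", "popup-ebook", "Luc", "luc@example.com"),
]

def looks_gibberish(name):
    """Rough heuristic (assumption): no vowels, or 5+ consonants in a row."""
    n = name.lower()
    no_vowel = not re.search(r"[aeiouy]", n)
    return bool(n) and (no_vowel or bool(re.search(r"[^aeiouy\W\d_]{5,}", n)))

def find_bursts(signups, window=timedelta(minutes=5), threshold=5):
    """Return {form: rows} for forms with >= threshold signups inside one window."""
    by_form = defaultdict(list)
    for ts, form, name, email in signups:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_form[form].append((when, name, email))
    bursts = {}
    for form, rows in by_form.items():
        rows.sort()
        start, hit = 0, set()
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                hit.update(range(start, end + 1))
        if hit:
            bursts[form] = [rows[i] for i in sorted(hit)]
    return bursts

def suspects(signups, **kw):
    """Emails inside a burst whose first name also looks machine-generated."""
    return {form: [email for _, name, email in rows if looks_gibberish(name)]
            for form, rows in find_bursts(signups, **kw).items()}

if __name__ == "__main__":
    print(suspects(SIGNUPS))
```

A plausible name that falls inside the burst (Anna in the sample) is not flagged automatically, so it is left for manual review rather than deleted.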
Important: If a large volume of recipients rejects your marketing emails due to list bombing, systeme.io’s sending IP addresses may become blacklisted. To protect your sender's reputation and systeme.io's autoresponder, email sending may be temporarily suspended. It will only be reinstated after you complete a remediation plan provided by our team.
How can I prevent list bombing?
To prevent list bombing due to bot attacks, you must implement these two procedures:
1. reCAPTCHA:
Enabling reCAPTCHA stops bots from subscribing through your forms. reCAPTCHA is a security tool that requires subscribers to perform a short task to verify that they are real people and not bots.
Learn more about: How to add a CAPTCHA
2. Double Opt-In:
Double opt-in is a process through which a new subscriber must confirm their subscription before being officially added to a given list.
This feature requires new contacts to verify their email subscription by clicking a link in a confirmation email. It automatically excludes unverified email addresses, thereby increasing the quality of your list.
Learn more about: How to set up double opt-in
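Why double opt-in neutralizes bot signups can be seen in a small model of the flow. This is an added sketch, not systeme.io's implementation: the secret key, the 24-hour link validity and the in-memory `pending`/`confirmed` stores are assumptions. An address only becomes mailable after a signed, unexpired confirmation token is presented.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-key"  # placeholder key (assumption)
TOKEN_TTL = 24 * 3600  # assumed validity of the confirmation link, in seconds

pending = {}       # email -> signup time; never mailed campaigns
confirmed = set()  # addresses that clicked the confirmation link

def _sign(email, issued):
    # HMAC binds the token to one address and one signup time.
    msg = f"{email}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def subscribe(email, now=None):
    """Form submission: store as pending, return the token for the email link."""
    issued = int(now if now is not None else time.time())
    pending[email] = issued
    return f"{issued}.{_sign(email, issued)}"

def confirm(email, token, now=None):
    """Link click: move to confirmed only for a valid, unexpired token."""
    now = now if now is not None else time.time()
    try:
        issued_s, sig = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False  # malformed token
    if email not in pending or now - issued > TOKEN_TTL:
        return False
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(sig.encode(), _sign(email, issued).encode()):
        return False
    del pending[email]
    confirmed.add(email)
    return True
```

Addresses submitted by a bot stay in `pending` because nobody clicks their link, so they never receive a campaign and can be purged after the validity period.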
What to do if you have already been a victim of list bombing?
1. The attack targeted one of your registration forms on systeme.io:
- Identify which opt-in form was targeted and the timeframe of the attack.
- Implement the described measures: reCAPTCHA and Double opt-in.
- Identify the contacts that were added to your list by bots and remove them. It is crucial to exclude these contacts from future emails for deliverability recovery. You can easily spot them since they have gibberish first and last names. (How to manually clean your email list).
- You can reach out to our team at any time for analysis and assistance.


2. The attack targeted your inline or pop-up form, which is embedded on an external page:
- Identify which inline or pop-up form was abused and the timeframe of the attack.
- Access the external page where you have embedded this systeme.io form.
- Delete the current form from your page.
- Use the Script button instead of the Embedded form button to re-embed the form on your external page. (How to create and integrate a form or a popup on your external site).
- Implement the described measures: reCAPTCHA and Double opt-in.
- Identify the contacts that were added to your list by bots and remove them.
- Keep monitoring the form.
Notes:
- reCAPTCHA will not work on forms added via the 'Embedded form' button. This is because an embedded form is a stripped HTML form that cannot be protected by CAPTCHA natively. Therefore, you need to update your form using the Script option for the reCAPTCHA to work.
- If bots are still subscribing through your inline or pop-up form, the old embedded code has most likely been overlooked and is still present in the source code of one of your external pages. It must be identified and removed. Even if the form does not show on your external page, having the code in the page’s source code still allows bots to attack it.
Another simple alternative is to duplicate the inline or pop-up form in your systeme.io funnel, remove the original from your systeme.io account, and use the duplicate (this changes the URLs in the code) to prevent the old URLs from being attacked.
This way, the old form will no longer be effective. (How to move, duplicate & delete a page from a sales funnel).
Afterward, embed the new form using the Script button and implement the required procedures to secure your form.
At any time, you can reach out to our deliverability team, who will gladly analyze the situation and guide you through every step.