How can I prevent list bombing?
In the world of email marketing, protecting your contact list is crucial to ensure strong deliverability and maintain your sender reputation. However, a growing and often underestimated threat is disrupting this balance: list bombing. This type of attack, usually carried out by bots, floods your mailing list with unsolicited or invalid email addresses. The consequences can be severe — from plummeting open rates to your domain being blacklisted. In this article, we’ll explain what list bombing is, how to identify it, the impact it can have on your email campaigns, and most importantly, how to effectively protect yourself using the tools available on systeme.io.
I. What is list bombing?
List bombing is a malicious attack where bots exploit vulnerable subscription forms by making many fake opt-ins, filling your contact list with email addresses that have not consented to receive emails from you or are invalid.
II. How does list bombing affect you?
List bombing is a serious issue that can severely affect your email deliverability in the following ways:
- Hard bounces and/or spam complaints that negatively impact your sender reputation.
- Lower open rates.
- High probability of hitting spam traps.
- Your sender domain might be blacklisted or suffer a severe drop in reputation, causing email servers to deliver your emails to the spam folder or block them from reaching inboxes at all.
III. How to identify a list bombing attack?
- The first indicator is a sudden and unexpected spike in new subscribers.
- All the email addresses came in through the same signup form.
- The influx of emails was recorded during a specific timeframe.
- An unusually high bounce and/or spam rate during that specific timeframe compared to the previous ones.
- These contacts lack real data; most often they have randomly generated (gibberish) first and last names.
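The indicators above (spike, single form, narrow timeframe, gibberish names) can be checked against an export of your contacts. The following is an added example, not systeme.io code: the field names, thresholds and sample rows are assumptions constructed for illustration, and bounce or spam rates are not modeled.

```python
import re
from datetime import datetime
from statistics import median
from collections import defaultdict

VOWELS = set("aeiouy")
CONSONANT_RUN = re.compile(r"[^aeiouy\W\d_]{5,}")  # 5+ consonants in a row

def looks_gibberish(name):
    """Crude heuristic: no vowels at all, or a long consonant run."""
    low = name.lower()
    letters = [c for c in low if c.isalpha()]
    if len(letters) < 4:  # too short to judge ("Li", "Ng")
        return False
    return not any(c in VOWELS for c in letters) or bool(CONSONANT_RUN.search(low))

def suspicious_windows(signups, spike_factor=5, min_count=5, gibberish_share=0.6):
    """Map (form, hour) -> emails for hours that match the indicators."""
    buckets = defaultdict(list)  # one bucket per form per clock hour
    for s in signups:
        ts = datetime.fromisoformat(s["ts"])
        buckets[(s["form"], ts.replace(minute=0, second=0, microsecond=0))].append(s)
    flagged = {}
    for (form, hour), rows in buckets.items():
        # Baseline: the same form's other active hours (0 if it has none).
        others = [len(r) for (f, h), r in buckets.items() if f == form and h != hour]
        threshold = max(min_count, spike_factor * (median(others) if others else 0))
        gib = sum(looks_gibberish(r["first"]) or looks_gibberish(r["last"]) for r in rows)
        if len(rows) >= threshold and gib / len(rows) >= gibberish_share:
            flagged[(form, hour)] = [r["email"] for r in rows]
    return flagged

def row(form, ts, first, last):
    return {"form": form, "ts": ts, "first": first, "last": last,
            "email": f"{first.lower()}@example.com"}

# Constructed sample export: a normal trickle plus a one-hour burst on one form.
GIB = ["xkqzvtr", "bqxwzke", "pfhgtrw", "zzkrtqn", "mwqxkpl", "trvbnqs"]
SAMPLE = [
    row("newsletter", "2024-05-01T09:12:00", "Maria", "Lopez"),
    row("newsletter", "2024-05-01T10:40:00", "John", "Schwartz"),
    row("newsletter", "2024-05-01T11:05:00", "Aisha", "Khan"),
    row("webinar", "2024-05-01T14:20:00", "Pierre", "Dubois"),
] + [row("newsletter", f"2024-05-01T14:{3 * i:02d}:00", g, GIB[-1 - i])
     for i, g in enumerate(GIB)]

if __name__ == "__main__":
    for (form, hour), emails in suspicious_windows(SAMPLE).items():
        print(form, hour.isoformat(), len(emails), "contacts to review")
```

Flagged contacts are candidates for review, not automatic deletion: the name heuristic can misjudge real names, which is why it is combined with the spike test.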
Important: If a large volume of recipients reject your marketing emails due to list bombing, systeme.io’s sending IP addresses may become blacklisted. To protect your sender reputation and systeme.io's autoresponder, email sending may be temporarily suspended until a remediation plan, based on our team’s analysis, has been communicated and completed by the user.
How can I prevent list bombing?
To prevent list bombing due to bot attacks, you must implement these two procedures:
1. reCAPTCHA:
Enabling reCAPTCHA prevents bots from subscribing through your forms and prevents abuse. reCAPTCHA is a security tool that requires new opt-ins to perform a short task to verify that they are real people and not bots.
Learn more about: How to add a CAPTCHA
2. Double Opt-In:
Double opt-in is a process through which a new subscriber must confirm their subscription before being officially added to a given list.
This feature requires new contacts to verify their email subscription by clicking a link in a confirmation email. It automatically excludes any unverified email addresses from your list, which increases the quality of your list.
Learn more about: How to set up double opt-in
What to do if you have already been a victim of list bombing?
1. The attack targeted one of your registration forms on systeme.io:
- Identify which opt-in form is abused and the time frame of the attack.
- Implement the described measures: reCAPTCHA and double opt-in.
- Identify the contacts that were added to your list by bots and remove them. It is very important to exclude these contacts from future emails for deliverability recovery. You can easily spot them since they have gibberish first and last names. (How to manually clean your email list).
- You can at any time reach out to our team for analysis and assistance.
2. The attack targeted your inline or pop-up form, which has been integrated into your external page:
- Identify which inline or pop-up form is abused and the time frame of the attack.
- Access the external page where you have embedded this systeme.io form.
- Delete the current form from your page.
- Use the "Script" button instead of the "Embedded form" button to reintegrate the form with your external page. (How to create and integrate a form or a popup on your external site).
- Implement the described measures: reCAPTCHA and double opt-in.
- Identify the contacts that were added to your list by bots and remove them.
- Keep monitoring the form.
Notes:
- reCAPTCHA cannot be added to a form integrated using the "Embedded form" button. This is because an embedded form is a stripped HTML form that cannot be protected by CAPTCHA natively. Therefore, you need to reintegrate your form using the "Script" button for the reCAPTCHA to work.
- If bots are still subscribing through your inline or pop-up form, it likely indicates that the embedded code has been overlooked or remains embedded in the code of one of your external pages. It must be identified and removed. Even if the form does not show on your external page, having the code in the page’s source code still allows bots to attack it.
Another simple alternative is to duplicate the inline or popup form in your systeme.io funnel, remove the original from your systeme.io account, and use the duplicate (this changes the URLs in the code) to prevent the old URLs from being attacked.
This way, the old form will no longer be effective. (How to move, duplicate & delete a page from a sales funnel).
Afterward, you can reintegrate the new form using the "Script" button and implement the required procedures to secure your form.
At any time, you can reach out to our deliverability team, and our dedicated team will gladly analyze and assist you with every step.