Welcome to the Oracle Modern Marketing Blog:
The latest in marketing strategy, technology, and innovation.

Spamhaus Risk and the Future of Email Acquisition

Email address acquisition is the lifeblood of any growing email marketing program. So anytime someone proposes a change to acquisition practices, smart marketers get worried. Over the years, so many things have changed in email marketing, yet the web-based email signup form has skated along mostly unchanged from the early days.

It has long been the industry standard practice to have online email signup forms without any real security on the form itself. However, the days of the unsecured email signup form may be numbered.

During the second half of 2016, we started seeing a new wave of scripted, fraudulent email signups to legitimate, popular email lists. Spamhaus took notice, and began blacklisting well known, popular brands.

Innocent Victims

The email marketing teams at these brands hadn’t done anything wrong. They hadn’t changed anything, and they themselves were innocent victims of this fraudulent behavior. So then why did Spamhaus penalize them so harshly? They did this because it’s Spamhaus’ job to detect and help prevent the delivery of unwanted email. The top inbox providers like Gmail rely on Spamhaus to help them protect the inboxes of their customers, the email inbox users.

While email marketing teams hadn’t done anything wrong according to industry standard practice, they did fail at one thing. They contributed to the problem of unwanted email by not securing the signup forms they use online.

Although fraudulent use of signup forms is not new, recent activity suggests it’s gone mainstream. Spamhaus has speculated this first wave may have been a test run of a new “mail bombing as a service”, and cautions there may be more of this type of activity in the future. Fraudulent use of email signup forms is certainly on the rise, and we as an industry need to be ready for the next wave of fraudsters and copycats.

So what’s a marketer to do? Don’t despair, there are measures you can take that provide a level of protection, while keeping your email program open for business.

How to Mitigate Your Risk

Spamhaus has recommended implementing both CAPTCHA and COI (Confirmed Opt-In) to defend against fraudulent attacks. However, Spamhaus has acknowledged that COI alone is not sufficient – many of the lists that were victimized had already been using COI.

What steps you take to mitigate your risk is ultimately up to you and/or your service provider. There are technical and business conditions that may make certain measures difficult to implement, at least in the short-term. You need to find the balance of risk and reward that is right for your business.

One thing is clear: Doing nothing to protect your business from this new threat is not a good idea. We must all face this new reality, whether we like it or not. We sincerely hope marketers will seriously consider this warning from Spamhaus, and implement protections against fraudulent signups. Consider implementing COI if it works for your business. Also consider the several other ideas listed below.

Implement Protective Measures

There is no one perfect measure to defend against fraudulent signups and the risk of a Spamhaus listing. There are several methods that can be effective and better when used in combination. Seriously consider implementing the following solutions:

  1. Add a CAPTCHA to all web-based email signup forms. This is an effective deterrent to scripted bot signups. Consider adding Google’s free reCAPTCHA, which is less intrusive yet still effective.
  2. Implement COI – Confirmed Opt-In, where you send a confirmation email message to all new signups. Only those addresses that ‘click to confirm’ are added to a sender’s list with a deliverable, opt-in status. While COI confirmation rates have increased over the years, there may be an impact on list growth. Senders must weigh the risk/reward for deliverability health and list growth.
  3. Add a hidden form field to all web-based signup forms. This can be another effective deterrent to automated scripted bot signups. Add a form field that is not visible to humans, but a scripted bot will think is a required field. Reject any submission containing a value in the hidden field.
  4. Track the source of signups closely. Capture the IP address of the device being used to fill out the email signup form. Quarantine new signups and suppress signups from blacklisted IPs.
  5. New Registrant, non-responder rule. Implement business rules to limit the number of emails sent to new registrants that have not yet opened or clicked. This measure won’t stop fraudulent signups, but it will limit your risk of incurring a Spamhaus listing. It will also limit the amount of email you send to a subscription bombing victim. Until a new signup opens or clicks, one cannot be sure the address is associated with a valid subscriber, and it may be a spam trap.
  6. Implement an alerting system for spikes in the number of email registrations from your registration pages. Identify your registration averages for a given time frame, and then set an alert to trigger when the average is significantly exceeded. Investigate, and quarantine suspicious looking signups.
  7. Apply overall segmentation criteria to limit the volume of email you send to unengaged subscribers. Real spam traps don’t open or click, so sending less email to non-responders will reduce the chances you’re mailing to a spam trap address.
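As an added example (not code from this post or from Oracle), here is a minimal server-side guard in Python that combines items 3, 4 and 6 above: it rejects any submission that fills the hidden honeypot field, quarantines signups from blocklisted IPs, and quarantines signups for review once the number of registrations in a sliding window exceeds a multiple of your observed baseline. The honeypot field name `website`, the class and function names, the IP addresses and the sample email addresses are assumptions constructed for this example.

```python
from collections import deque
from dataclasses import dataclass, field

# Name of the honeypot input. It is hidden from humans with CSS, so any value
# in it means a script filled the form. (Assumed name, not from the post.)
HONEYPOT_FIELD = "website"


@dataclass
class SignupGuard:
    """Server-side checks behind a signup form: honeypot (item 3),
    IP blocklist (item 4) and registration-spike alerting (item 6)."""
    blocked_ips: set
    baseline_per_window: float       # your observed average signups per window
    spike_factor: float = 3.0        # quarantine once count > baseline * factor
    window_seconds: int = 3600
    _recent: deque = field(default_factory=deque)   # timestamps in the window

    def check(self, form: dict, client_ip: str, now: float) -> tuple:
        """Classify one submission; returns (decision, reason)."""
        if form.get(HONEYPOT_FIELD, ""):
            return ("reject", "honeypot field filled")
        email = form.get("email", "").strip()
        if "@" not in email or "." not in email.rsplit("@", 1)[-1]:
            return ("reject", "malformed address")
        # Sliding window of registration attempts that passed the form checks.
        self._recent.append(now)
        while self._recent and now - self._recent[0] > self.window_seconds:
            self._recent.popleft()
        if client_ip in self.blocked_ips:
            return ("quarantine", "blocklisted source IP")
        if len(self._recent) > self.baseline_per_window * self.spike_factor:
            return ("quarantine", "registration spike: %d in window" % len(self._recent))
        return ("accept", "send COI confirmation")


def run_sample() -> list:
    """Constructed sample traffic: a human, a bot, a blocked IP, then a burst."""
    guard = SignupGuard(blocked_ips={"203.0.113.9"}, baseline_per_window=10)
    results = [
        guard.check({"email": "alice@example.com"}, "198.51.100.4", now=0)[0],
        guard.check({"email": "bot@example.com", "website": "x"}, "198.51.100.5", now=1)[0],
        guard.check({"email": "carol@example.com"}, "203.0.113.9", now=2)[0],
    ]
    # 40 scripted signups in a few seconds: well past 10 * 3 for the window.
    burst = [guard.check({"email": "u%d@example.com" % i}, "198.51.100.6", now=10 + i)
             for i in range(40)]
    results.append(burst[-1][0])
    return results
```

A quarantined signup is held until a human reviews it or the COI confirmation arrives; the baseline and factor should come from your own registration averages, as item 6 describes.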

Implementing one or a combination of these measures in addition to any protections already in place will increase your defenses against these types of attacks. If you have not been listed in the most recent string of incidents, you’re among the lucky senders whom bots have not exploited.

However, as these bots become more sophisticated, and malicious actors continue to perpetrate these attacks, your risk of a Spamhaus listing grows.

Does all this make your brain hurt? 

Consider a paid consulting engagement with your ESP. Most ESPs have deliverability experts on staff. These experts will work with you to provide guidance and strategic direction on how to reduce your risk of a Spamhaus listing, as well as how to optimize inbox placement rates on an ongoing basis. They will help you determine the best protective measures for your business, and how these are effective in helping you mitigate risk while still growing your business.

Modern Marketers must orchestrate and deliver marketing messages that are relevant to individual preferences and behavior. Getting email delivered to the inbox is critical to this process. Download Email Deliverability: Guide For Modern Marketers to find out how to achieve email deliverability that really delivers. 


Comments ( 2 )
  • Daniel Deneweth Tuesday, March 14, 2017
    Google just launched Invisible reCAPTCHA. This is a great new way to secure your web-based forms. Human users will be let through without seeing the "I'm not a robot" checkbox, while suspicious ones and bots still have to solve the challenges. https://www.google.com/recaptcha/intro/invisible.html
  • Grant Wilson Tuesday, July 18, 2017
    Great tips to follow :)
    since security is the first thing that every marketing company is concerned about.