From Krebs on Security: Massive "email bomb" attack enabled by not confirming subscriptions

Highlighted
Level 10 - Community Moderator

From Krebs on Security: Massive "email bomb" attack enabled by not confirming subscriptions

Brian Krebs, the widely-read cybersecurity reporter, wrote today about Massive Email Bombs Targeting .Gov Addresses​.

As Krebs notes in this must-read (IMO) article, the attacks -- not only against US .gov addresses, but a range of countries -- were possible because the majority of email newsletters don't send a link to the mailbox owner so they can confirm their intent to subscribe (e.g. they were not maliciously subscribed by someone else).

What should particularly trouble those who don't use confirmation links, or an equivalent method, is the reaction of the Spamhaus anti-spam service:

In two different posts published at wordtothewise.com, Spamhaus explained its reasoning for the listings [of newsletter operators], noting that a great many of the organizations operating the lists that were spammed in the attack did not bother to validate new signups by asking recipients to click a confirmation link in an email. In effect, Spamhaus reasoned, their lack of email validation caused them to behave in a spammy fashion.

In other words, Spamhaus listed the newsletter senders as spammers regardless of their intent to send to opt-in members only. Leaving out the confirmation step overrides otherwise good faith.

Tags (1)
2 REPLIES 2

Re: From Krebs on Security: Massive "email bomb" attack enabled by not confirming subscriptions

So are they looking for an open standard type method of double opt-in?

In other words, will a Marketo DIY approach satisfy spamhaus?

Highlighted
Level 10 - Community Moderator

Re: From Krebs on Security: Massive "email bomb" attack enabled by not confirming subscriptions

Any approach that prevents anonymous "subscription slamming" would be okay.

I shouldn't be able to sign someone else up for your newsletter if I can't access either their incoming email or some other form of separately vetted contact like phone/SMS.  Email confirmation link and a required Marketo Click Email activity is the most straightforward way, but if you had some way of knowing their phone number was really theirs (like, say, if Sales called their corporate main number) that would work too.