Your sign up process is the beginning of your relationship with your users. However, sign up forms can also be used by malicious parties to send spam, with a tactic called “List Bombing”. List Bombing can pollute your user list and damage your deliverability. This can prevent your emails landing in your customers’ inboxes, and lead to spam complaints, or even being blocked from sending altogether.
What happens when you're list bombed?
List bombing occurs when a malicious party uses bots to sign up to your product hundreds or thousands of times. They use email addresses they don’t own and will often enter spam or phishing websites into the name field on your signup form. They are attempting to trick your platform into sharing their spam for them.
How list bombing affects you
When someone list bombs your site, not only do they corrupt your data, polluting your workspace with invalid users, but they also can severely damage your email deliverability.
If you have a welcome campaign set up for new users, messages can be triggered to the fake users that were created. This can result in bounces and spam complaints, or worse, spam folder placement or blocklisting for all of your email.
Combating a list bombing attack
If you notice you’ve been list bombed or we’ve reached out about it, don’t panic! For your Intercom workspace, simply remove those users from Intercom. You can filter for users that were created around the time of the list bombing and archive them. Users will generally have similar names or similar email domains. When you’re able to pinpoint the common denominator, simply remove all of the users that look similar. If you need help with this, reach out to our support team in the Messenger.
How can I prevent list bombing?
Use confirmed opt-in: A confirmed opt-in process sends an email with a unique link to new signups. Once they’ve clicked the link, you can verify that they are a real user who owns the address they’ve signed up with, and at that point, you can begin sending them welcome email. List bombers won’t be able to verify that address, and will be prevented from causing damage.
Implement a reCAPTCHA: reCAPTCHA utilizes technology to determine if a human is using your platform. It can require entering a series of numbers or checking a specific box to prove that the person signing up is a real person.
List bombing bots are generally unable to bypass a reCAPTCHA, which would prevent them from signing up.
List bombing can be a very damaging attack on your user base and deliverability, but once you’ve implemented protections against this, your app will be in a much safer place. 😄