Signup form subscription bombing is worth avoiding


Subscription Bombing

Everyone who sends email even close to properly has a sign-up form, so you should all have heard about subscription bombing by now, and know that signup form subscription bombing is worth avoiding.

Just in case you haven’t, it’s when a spider, bot, virus etc. finds a form on a page and submits it, a lot. It’s like a DDoS attack but with email addresses: thousands an hour or even a minute, relentlessly.

I’ve recently been tracking hits on a form (which is protected), for about a month, that began in China before going to the Philippines, then Hong Kong and then back from the Philippines. Mainly using numbers at qq and repeating combinations of a short list of names for other fields.

Consequences of subscription bombing on your list

There are a few consequences for a list:

  • It fills up really quickly, and with rubbish.
  • You can’t send to it.
  • It’s a nightmare to clean.
  • If you have a welcome message and no double opt-in, you then send dozens of thousands of those that will never be opened.
  • If you have a double opt-in email, you’ll send dozens of thousands of them but at least only the humans will confirm.

This all sounds inconvenient, expensive and very complicated to recover from…

It then gets worse when Spamhaus blocklists your IP for not sufficiently protecting your sign-up form. Apparently you should know about this and want to protect it. Also, your ISP probably has a Spamhaus listing in its Ts & Cs as one of the things not to have, so now your entire hosting package is on the line.

How does Spamhaus manage to find out? Interesting question; however, it matters not. It’ll make you fix it quicker and you won’t do it again.


Spamhaus is the worst blocklist to be on, and most people who get on a list deserve to be there. It’s successful, popular and reliable for a reason. But sometimes, you’re unlucky. Ignorance is not an excuse, although it may be a reason, but ignorance is cured by knowledge. Sometimes you can get punished twice: just when the guilt and the consequences of the first problem, what you thought was the big problem, are sinking in, you get called an idiot and kicked while you are down. Signup form subscription bombing is worth avoiding. Do your homework, otherwise you look lazy and contemptuous, and that never goes down well.

How to avoid subscription bombing

Double-Opt-in and reCaptcha.

How to avoid signup form subscription bombing


As I’m sure you know, subscription bombing is not pretty and it is expensive. Having your form signed up to thousands of times in an hour by what is essentially a virus in a DDoS attack is the worst. So here’s how to avoid signup form subscription bombing.

1. Double Opt-in

Also known as Confirmed Opt-in (COI): when someone signs up, send them an email with a link in it. If they click it, they get in; if they don’t, they don’t. It’s as simple as that.

Well before subscription bombing was a thing, this was ‘best practice’. Listed in every ISP’s bulk sender guidelines; cited by every spam blocklist as proof of unsolicited email; often named the list killer by most B2B email marketers, the needless added barrier to that oh-so-valuable foot in the door.

For the most part, only people who want to be on the list will click that link in the confirmation email they get after signing up. If you get unlucky, lazy or stupid and hit a trap with a COI, it’ll get you notified before you are blocklisted. Senders who are scared they’ll lose those people aren’t confident in their own brand and the exclusivity of their list.

2. reCaptcha

Google’s completely free and far prettier version of the captcha, where you have to tick a box and Google will decide if you are a human or not. If it can’t decide, it’ll ask you to click some pictures, just the ones with road signs or house numbers in them, etc.

Only a human would be able to get to those and match those images, like the original captcha, but Google does a little bit of checking first.

Also, there is now an invisible version, so you don’t even have to tick a box. It’s very new and the UX of it is yet to be accepted.

Just log in with a Google account, get the code and follow the instructions.