Thought Leadership

How “List-Bombing” Led to Recent Spamhaus Blacklistings

Spamhaus Blacklistings

Since this past Sunday, Spamhaus, one of the Internet's most powerful and widely used domain and IP blacklists, began putting several major businesses, marketers, and ESPs on their IP blacklist. The reason for these listings could be that these senders were victims of "list bombing.”  


What is “list-bombing”?

“List bombing” refers to instances where email sign-up pages get abused or attacked by malicious parties, resulting in large a number of email addresses being opted into their email program. In most cases, the email sign-up pages that are attacked by "list bombers" boast very little, if any protective measures to prevent invalid email addresses from being entered into their mailing database, or they do not require users to verify their emails in order to complete the sign-up process. 

To put this industry-wide blacklisting phenomenon into perspective, there has not been a time in the last several years that so many IPs from different ESPs have been collectively blacklisted. Many email and deliverability experts were initially puzzled by these listings since Spamhaus typically lists only senders who email to spam traps.  When this happens, resolving the issue generally requires the sender to identify the following:

  • Where the spam traps within their database are
  • How they got into their mailing database
  • What is being done to prevent new spam traps from making their way into that sender's mailing list

In most cases, senders can identify and remove spam traps within their database by reviewing the list of email addresses that the offending campaign was deployed to.  

This "list bombing" issue is different because, in this case, legitimate email addresses were getting added to an email program via a standard opt-in channel.  However, the legitimate owners of these email addresses were not the ones who were opting into brands’ email lists. Instead, nefarious attackers or malicious agents were doing the mass opt-ins. 

These listings affirm Spamhaus’ commitment to their mission of protecting 3+ billion mailboxes from receiving spam. They have helped senders identify vulnerable opt-in pages that simply accept any email address without validation or an added layer of security such as requiring a Captcha, a confirmation email (double opt-in), or some other form of manual validation.   

How can marketers find out if they’re affected?

Senders and marketers who are concerned that their programs may be at risk should investigate email addresses that have recently been added to their email programs.  Senders should look for spikes in number of opt-ins that occurred within a very short period and watch out for opt-in activity from emails addressees that contain .GOV, .MIL, or other reserved domain spaces.  If discovered, those addresses should be isolated and set aside until an investigation can be completed to determine their legitimacy. 

Tips to avoid getting "list-bombed”

Many marketers I work with are hesitant to implement additional steps to verify incoming email addresses for fear of discouraging conversions. However, marketers should note that while growing an email list is critical to the long-term profitability of their email marketing program, doing so at the expense of data quality can quickly derail success. Marketers that send to problematic email addresses have considerably higher bounce rates and higher likelihood of their program getting blocked by ISPs, potentially leading to a costly Spamhaus blacklisting. 

To avoid the possibility of these deliverability issues, here are 2 tips to consider:

  1. Verify new database entries: Verifying email addresses in web registration forms can be implemented either automatically (real-time email verification) or manually (captcha, checkbox selection). Marketers should test different email validation steps to find out which would work best, without significantly decreasing conversion rates. 
  2. Be more strategic about form placements: I’ve observed more and more websites inundated with sign-up forms. One such example is the use of pop-up subscription forms that show up immediately, even before a site visitor can review the site’s content. This not only disrupts the user experience, but also tends to provide easy access for malware attacks that often lead to bad email addresses making their way into an email list. Marketers should instead selectively place forms near content sections that provide incentives for sign-up so users can clearly see the value of joining a mailing list.


At the end of day, this latest blacklisting incident further emphasizes the importance of taking a proactive approach to maintaining a clean database. By periodically checking the accuracy of their data and ensuring a clean opt-in process, marketers can avoid populating their list with faulty records that cause on-going blacklisting and deliverability issues.  

Author Bio

Intelligence Products Team

Our Intelligence Products team helps transform brands into true insights driven businesses by linking insights and continuous learning, empowering them to make better, smarter, and faster decisions. The team shares their insights and observations in a number of thought leadership resources including whitepapers, on-demand webinars, and Ask The Expert series of Q&As. Be sure to visit our resource page to get the latest best practices and use cases from the team.