From Krebs on Security: Massive "email bomb" attack enabled by not confirming subscriptions

Discussion created by sanford.whiteman on Aug 18, 2016
Latest reply on Aug 18, 2016 by sanford.whiteman

Brian Krebs, the widely-read cybersecurity reporter, wrote today about Massive Email Bombs Targeting .Gov Addresses.


As Krebs notes in this must-read (IMO) article, the attacks -- not only against US .gov addresses, but a range of countries -- were possible because the majority of email newsletters don't send a link to the mailbox owner so they can confirm their intent to subscribe (e.g. they were not maliciously subscribed by someone else).


What should particularly trouble those who don't use confirmation links, or an equivalent method, is the reaction of the Spamhaus anti-spam service:


In two different posts published at, Spamhaus explained its reasoning for the listings [of newsletter operators], noting that a great many of the organizations operating the lists that were spammed in the attack did not bother to validate new signups by asking recipients to click a confirmation link in an email. In effect, Spamhaus reasoned, their lack of email validation caused them to behave in a spammy fashion.


In other words, Spamhaus listed the newsletter senders as spammers regardless of their intent to send to opt-in members only. Leaving out the confirmation step overrides otherwise good faith.
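The confirmation step the post is talking about is usually called confirmed (double) opt-in: the web form never adds an address to a list, it only mails a signed, time-limited link, and the address joins the list only when the mailbox owner clicks it. The following is an added example, not code from the original post, from Krebs, or from Spamhaus; every name in it (ListSignup, make_confirm_token, verify_confirm_token, the TTL and rate-limit constants) is hypothetical. It also shows the second control a list operator wants for the attack described above: a cap on how many confirmation mails one address can be sent per window, so that a script submitting the same victim address to the form thousands of times produces one confirmation mail rather than an email bomb.

```python
import base64
import binascii
import hashlib
import hmac
from collections import defaultdict, deque

# Added example (not the original post's or any vendor's code). All names are hypothetical.
CONFIRM_TTL = 24 * 3600     # confirmation link valid for 24h (assumption)
MAX_MAILS_PER_ADDR = 1      # confirmation mails per address per window (assumption)
WINDOW = 3600               # rate-limit window in seconds (assumption)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_confirm_token(email: str, list_id: str, issued_at: int, key: bytes) -> str:
    """Token bound to address + list + issue time and MACed with a server-side key,
    so a confirmation click cannot be forged, replayed later, or moved to another list."""
    payload = f"{email.strip().lower()}|{list_id}|{issued_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_confirm_token(token: str, now: int, key: bytes, ttl: int = CONFIRM_TTL):
    """Return (email, list_id) if the token is authentic and unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
        payload, mac = _unb64(body), _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):       # constant-time compare
        return None
    try:
        email, list_id, issued = payload.decode().split("|")
        issued = int(issued)
    except ValueError:
        return None
    if issued > now or now - issued > ttl:            # reject future-dated and stale links
        return None
    return email, list_id


class ListSignup:
    """Confirmed-opt-in signup flow with a per-address cap on confirmation mails."""

    def __init__(self, key: bytes):
        self.key = key
        self.subscribers = defaultdict(set)   # list_id -> confirmed addresses
        self.outbox = []                      # (email, token) confirmation mails "sent"
        self._sent_at = defaultdict(deque)    # email -> send times inside the window

    def request_subscribe(self, email: str, list_id: str, now: int) -> str:
        """Web-form handler. Never adds to a list; only mails a confirm link, and at most
        MAX_MAILS_PER_ADDR per WINDOW per address regardless of how many lists or
        submissions, so a scripted form flood cannot bury the mailbox owner."""
        email = email.strip().lower()
        if email in self.subscribers[list_id]:
            return "already-subscribed"
        q = self._sent_at[email]
        while q and now - q[0] >= WINDOW:    # drop sends that fell out of the window
            q.popleft()
        if len(q) >= MAX_MAILS_PER_ADDR:
            return "rate-limited"             # drop quietly; the form shows the same page
        q.append(now)
        token = make_confirm_token(email, list_id, now, self.key)
        self.outbox.append((email, token))    # stand-in for actually sending the mail
        return "confirmation-sent"

    def confirm(self, token: str, now: int) -> bool:
        """Link-click handler: only an authentic, fresh token adds the address to the list."""
        parsed = verify_confirm_token(token, now, self.key)
        if parsed is None:
            return False
        email, list_id = parsed
        self.subscribers[list_id].add(email)
        return True


if __name__ == "__main__":
    svc = ListSignup(b"example-key-do-not-use")
    # Constructed attack traffic: one victim address submitted to 50 lists within a minute.
    for i in range(50):
        svc.request_subscribe("someone@example.gov", f"list-{i}", now=1000 + i)
    print("confirmation mails sent:", len(svc.outbox))                      # 1, not 50
    print("addresses on any list:", sum(len(s) for s in svc.subscribers.values()))  # 0
```

The two controls are independent: the token makes the link the only way onto a list (a forged or re-targeted token fails the MAC, an old one fails the TTL), and the per-address cap bounds the damage of the form itself being abused. Note that the rate-limit response is deliberately indistinguishable from the success path, so the submitter learns nothing about whether an address is already pending or subscribed.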