Subscription Bombing: Email under Attack
8 points by ztoz
Last year I added a newsletter sign-up form to a small publisher's website. Within a few days, it was involved in a subscription bombing attack. (Surprising since traffic is quite low.) Since we required confirmations (double opt-in), the newsletter list wasn't polluted, but victims were sent confirmation emails. We added a very simple filter on the form (simpler than the captcha recommended in the article) and that was sufficient to kill the attack. Economically, it doesn't seem the attacker wanted to spend time debugging why form submissions were being rejected.
I’ve used something like this to test new email server rules. I expected to only get requests to confirm subscription, but many lists just added me without confirmation. I reported every one of them that added me without confirmation as spam to their upstream providers.
Is it practical to report spam in 2026? Probably not. But it scratches an itch when I’m bored, perhaps similarly to how playing video games does for many people.
This happened to me a few times. You just suddenly start receiving lots of emails. Most of them are newsletter confirmation emails.
Very annoying, but nothing worse happened at the time. I assume they just trigger this right before trying to hack any of your accounts, but it doesn’t mean they’ll have success.
I remember when I got hit by this about a year and a half ago. I'm still getting newsletters from it. The sites quickly unsubscribe you, but I doubt I've seen the bottom of it. Fortunately mail otherwise arrived and it was straightforward to filter the alias they chose to attack, which wasn't attached to many accounts I cared about.