Summary / TL;DR: This article will show you how to block IPs reported for list-bombing.
...
List bombing refers to the practice of abusing and attacking email list sign-up pages by bombarding them with a large number of new email addresses at the same time. What appears to be a spike in signups is actually a cyber attack. This doesn't necessarily mean we are under attack – our forms and lists may only be a tool the attackers are using – but whether we're the intended victim or collateral damage, leaving our systems open poses a significant risk. Clients could have harmful data (ie, spam traps) injected into their lists, and domain/IP reputation could be damaged if there's suspicious traffic.
The best solution for list bombing is to place a hidden honeypot field and implement captcha on all forms. Some anti-spam/anti-abuse organizations are now flagging domains that have unprotected forms on their site(s). For clients who do not protect their forms with either a hidden field or captcha, we mitigate the problem by blocking list-bombers based on signup activity by IP. This is an imperfect solution, as it is reactive, not preventative.
This page explains the procedure for identifying, blocking and documenting IP addresses identified as list-bombers, based on the "Possible IP List Bombing" emails delivered to the deliverability@14west.us inbox.
This is the overall list of IPs blocked; with breakdowns sorted by date in the comments:
Jira Legacy | ||||||
---|---|---|---|---|---|---|
|
**The list-bombing alert email is sent by Momentum 4. This process will no longer apply if/when that server is decommissioned, and clients will need to be responsible for protecting their forms and lists with Captcha and confirmed opt-in.
...
How to Block IPs reported in the List Bombing email:
Open the List Bombing email
Look over the data provided for any red flags (see criteria below) and note any potential problem IPs
Click through all of the CleanTalk, StopForumSpam, and Project Honeypot links provided (even if the email says "Not blacklisted," it's possible the IP has been listed in the time between the alert and your response)
Make a list of all of the IPs that have been reported as spam or other malicious behavior on any of the three sites - these IPs must all be blocked and documented
Verify whether any of the potential problem IPs from Step 2 need to be added to the block list by confirming spam report status or suspicious data
Use Postman to block each IP address from adding new addresses to SignupApp2 (SUA2)
You will need access to the SUA2 environment, if you don't have correct permissions submit a ticket to IT
use SUA Endpoints > Exclusions > Add blacklisted IP code
Paste the IP address into the bar where highlighted
Click "Send"
Verify 200 OK response
You should see this:
If you see this, the IP has already been blocked (you probably duplicated it in your list by accident, eg noted the IP at first and copied again where it was blacklisted)
Repeat these steps for all IPs
Document the IPs you've blocked. *Note, for the time being that process is being handled on this DLV ticket:
agora publishingJira Legacy server
af0addc4System JIRA serverId
7667235c5e66-
3733ba38-
8fe334da-
a9af723b162a8e9f- 4e0fc8afad71 key DLV-3174 Paste the list of blocked IPs into a comment, so there's a timestamp for those IPs
- Paste the list of blocked IPs into the master blocklist in the body of the ticket
...
Criteria for blocking an IP address:
Blacklisted on any of the blacklists in the "Possible IP List Bombing" email; OR
A combination of the following:
High spam rate on Cleantalk – anything above 2-3% should raise a red flag.
IP is located in problematic regions (ie, SE Asia, Philippines, China, Russia, Eastern Europe)
High discrepancy
btwnbetween unique
emailsemail addresses and unique signups/attempts
- Apparent but unmarked bulk uploads in SUA2 (eg, dozens of signups within a second, patterns in uploads, etc)
...
The following addresses have been positively ID'd as legit sources of signups (to be whitelisted):
54.224.244.168 - vendor
161.47.117.248 - vendor
104.196.168.51 - FTM / Australia
35.189.61.7 - PPP / Australia
34.206.153.163 - investmentu
162.242.156.206 - zapier / agora financial
144.202.62.164 - oxf + mmp vendor
144.202.56.90 - mmp vendor
54.241.34.25 - AF vendor Unbounce
50.19.99.184 - AF vendor Unbounce
Zapier / OXF IPs:
3.220.115.188 - Zapier
3.220.22.251 - Zapier
52.1.205.184 - Zapier
52.6.229.193 - Zapier
52.6.82.82 - Zapier
54.85.112.125 - Zapier
...
Further reading on List Bombing:
Word to the Wise: Subscription Bombing, ESPs, and Spamhaus:
https://wordtothewise.com/2016/08/subscription-bombing-esps-spamhaus/Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs:
https://www.spamhaus.org/news/article/734/Mailing Lists -vs- Spam Lists:
https://www.spamhaus.org/whitepapers/mailinglists/Confirmed Opt In - A Rose by Any Name:
https://www.spamhaus.org/news/article/635Spamhaus Marketing FAQ:
https://www.spamhaus.org/faq/section/Marketing%20FAQs
Related:
...
Tip |
---|
Wrap upYou should now know how to block IPs reported for list-bombing. |
Info |
---|
Still need help? Deliverability is happy to help with blocklist mitigation, or any other delivery issues you encounter. To get further help please open a Support ticket. |
...
Note |
---|
Cannot find the article you’re looking for? Suggest a new article here! |