Company Blog Support
Rochelle Yoshida
Updated

Contents

    Back to Top

    List Bombing

     

    About List Bombing

    Since late April 2017, it's been the new cool thing for hackers to attack email service providers by automating submissions to our forms, resulting in hundreds of thousands of bogus contacts being added across many accounts.

    This is called List Bombing, and the supposed goal is to hurt email deliverability by making us all send emails to bad addresses. It's not a very friendly thing to do.

    It behooves us all to remove those names from our lists as much as possible. Of course, the bad guys tried hard to blend in, and they seem to be a pretty sophisticated bunch. Cloaks of Invisibility, the whole shebang. That has made it pretty challenging to separate wheat from chaff, as it were.

    We have taken several measures to block future bogus additions to your list, and we have now largely (though not completely) stemmed the tide.

    Our most stringent anti-list bombing measures are employed when custom HTML forms are disabled. This is an option that allows us to implement behind-the-scenes, secret methods that are very effective. Some accounts will need to keep custom HTML forms enabled for compatibility with other platforms such as LeadPages or website themes that strip out our JavaScript. 

    Here are the two methods you can use.  

    Form Security Option: Disable Custom HTML Forms

    In response to spammers, list bombers, and bot submissions, ONTRAPORT employs a number of secret protection measures to stop the bad guys in their tracks. When a potential opt in is identified as bad the data is not added to the Contacts database at all, and no indication is given to the spammer that they have failed in their attempt. This prevents them from submitting the form millions of times trying to find the right combination of values. This enhanced security is enabled on all new accounts and available to all existing accounts.

    Why don't we force it to be enabled on all accounts? Enabling this option may break:

    • Any form installed on LeadPages, ClickFunnels or any SaaS platform that strips out or interferes with our JavaScript
    • Any form installed on a website if that site also includes a plugin, theme, or server configuration that prevents our JavaScript from communicating with the ONTRAPORT servers (common with some security plugins and specialty web hosts)
    • Any form presented to a prospect who is using a text-based browser such as Lynx or is using a JavaScript blocker such as NoScript.

    Because the form submission does not return an error page to the spammer, list bomber or bot, a valid prospect will not know that their opt in has failed. You will have no record in your account that the attempt was made. If you decide to turn this option on, please re-test your existing forms to make sure a valid Contact Record is made.

    Turning this feature On will have two immediate results:

    1. Legacy Smart Forms will no longer have the HTML Version form code available on the Publish screen.
    2. The enhanced form security processes will be enabled for all future submissions to your account from all existing and future Smart Forms, ONTRAforms and Smart Form blocks in ONTRApages.

    Unless the existing embedded forms are installed on a service that blocks our JavaScript, they will continue to work even if they were installed using the HTML Version form code. Retest your forms after turning this feature On.

    Turning this feature Off will make the HTML Version code available in Legacy Smart Forms and the enhanced form security processes will not be active. Spammers, list bombers and bots will still be able to get past our regular protection measures and submit bad contact information you will have to prune manually.

    How to Enable Form Security:

    1. Click the profile icon in the top right of your account and select Administration
    2. Click the Security tab
    3. Slide the toggle under Disable Custom HTML Forms to On

    Set Disable Custom HTML Forms to ON to enable the enhanced form security processes 

    Other Methods if You Need Custom HTML Forms
    1. Use ONTRAforms/ONTRApage form blocks (e.g. Javascript-based forms)

      Wherever possible, use our ONTRAforms or ONTRApage form blocks.

      If you use Legacy Smart Forms, avoid using the HTML version - they’re much more prone to list bombing. Instead, use the Javascript snippet, lightbox or iframe-based versions instead.

      If you must use Legacy Smart Form HTML versions, add captcha when possible. If you're using an integration that requires you to use the Legacy Smart Form HTML version, enable captcha or bot prevention in that app. 

    2. Review your contacts. 

      Our engineers have identified four groups of contacts that may or may not be in your account, and they've automatically created these groups for you. If you don't see these Group names, that means your account is in the clear (or you have enabled the Form Security Option listed above and have disabled custom HTML forms).

      If you see these groups in your account, here's what they mean.

      1. Group name: OP Engineering says: Bad Contact - Contacts we KNOW are bad and they’ve have been opted out from bulk mail. You can confidently delete these contacts. We'll automatically delete these for you in a week or two. 

      2. Group name: OP Engineering says: Contact Unverified - Contacts we can’t confirm are bad. They most likely came from Legacy Smart Forms using the HTML version (or similar integration) or because Javascript wasn’t enabled in the contact’s web browser. These contacts have NOT been opted out.

      3. Group name: OP Engineering says: Suspect Email - Contacts we suspect are bad because the email addresses in these contacts exist on known spam lists. They have NOT been opted out because we're not 100% sure so we want you to make the call on whether to delete or not. We suggest deleting these contacts.

      4. Group name: OP Engineering says: Suspect IP Address - Contacts we suspect are bad because the IP addresses in these contacts are known as suspicious due to past IP's used in list bombing attacks. They have NOT been opted out because we're not 100% sure so we want you to make the call on whether to delete or not. You're going to have to make the call here.

      We will continue adding contacts to these groups if more contacts are found to fit these criteria.

      list_bombing.png

     

    Articles in this section

    Created - Updated
    Have more questions? Submit a request

    Comments

    Powered by Zendesk