Email Marketing

What is list bombing and how can marketers protect themselves?

What Is List Bombing and How Can Marketers Protect Themselves?

There is perhaps nothing more upsetting for an email marketer than discovering they have been blocklisted. While blocklisting can happen for a number of reasons, one of the most frustrating ones is a list bombing attack.

What is list bombing?

List bombing is a cyber attack that uses bots to submit large numbers of (often legitimate) email addresses to email sign-up pages. In a large-scale attack bots can submit hundreds of email addresses to thousands of pages per minute. When this happens, the owners of the legitimate email addresses are bombarded with email subscription confirmations – sometimes at a rate of an email every couple of seconds – rendering their inboxes effectively useless and flooding the system. The brands and email service providers sending the confirmation emails may then be blocklisted and encounter significant deliverability issues that are difficult to solve.

How to tell if you have been list-bombed

If you are worried that you may have been list bombed, take the following steps:

  • Examine the email addresses that have been recently added to your database and look for a spike in the number of opt-ins.
  • If you have received many sign-ups within a short period of time, this uptick may not be the result of an amazing marketing campaign but a malicious attack – particularly if you have not had a large push for new subscribers within that timeframe.
  • If you suspect you were the victim of an attack, isolate the email addresses in question and avoid sending to those addresses until you can complete a thorough investigation and determine that they are legitimate subscription requests.

3 ways to protect yourself from list bombing

The good news for marketers is that you can implement protective measures to block list bombing attempts and prevent invalid email submissions. The following steps can help you avoid becoming a victim of a list bombing attack:


A CAPTCHA system uses a challenge-response test to verify that an email opt-in request is submitted by a human. CAPTCHA is an acronym for “Completely Automated Public Turing Test to Tell Computers and Humans Apart,” and is your key defense against bots because it prevents them from entering data into your forms. Adding a CAPTCHA system, like Google’s reCAPTCHA, to your email sign-up page can save you from a list bombing attack and the possibility of being flagged as spam or blocklisted.

Double Opt-In

Many marketers avoid double opt-ins (requiring users to confirm their new subscription request) because they are afraid it will slow conversions. While growing your email list is critical to the long-term profitability of your email marketing program, doing so at the expense of data quality can quickly derail your success. Marketers that send to problematic email addresses have considerably higher bounce rates and a higher likelihood of being blocked by ISPs, which can lead to a costly blocklisting. Asking new email subscribers to confirm their subscription will help you verify that new database entries are always legitimate. While double opt-in alone will not protect a brand from list bombing, CAPTCHA and double opt-in together can protect your database from abuse by cyber criminals.

Strategic form placement

Another way to protect your brand from list bombing is to be strategic about form placement. Avoid using pop-up subscription forms that appear before a visitor can even review the content. These forms disrupt the user experience and enable malware attacks which lead to bad email addresses making their way into your database. A smarter approach is to selectively place forms near content sections that provide incentives for users to joining your mailing program. Read this analysis of some of the best-in-class web registration programs from leading brands for more savvy tips on registration best practices.

List bombing is a serious headache for marketers and consumers alike. Collecting faulty email addresses (even accidentally) can cause serious on-going inboxing, blocklisting, and deliverability issues. But marketers can protect themselves from malicious list bombing attacks by taking a proactive approach to maintaining a clean database and having a healthy opt-in process that includes careful data verification.

Gurjit Sandhu
Marketing Manager

Gurjit Sandhu has been in digital and direct marketing for over 6 years, delivering marketing and event management solutions in both fast-paced corporate and entrepreneurial environments. Energized by strategic thinking and the power of marketing technology, she collaborates closely with cross functional teams at Data Axle to spearhead multi-channel communications that highlight product innovations.