Have you heard of Email List Bombing?
Email List Bombing and what can you do about it
Imagine the Welcome Series in your e-commerce is experiencing a major decline in click through rates and revenue per email compared to a few months ago.
You check the set up of the scenario. It does not contain any issues.
You validate the trigger events. It also does not contain any issues.
You validate the jinja in the creatives themselves - once again, it also does not contain any issues!
You make sure to hard test the scenario - the emails send fine also with no issues!
After double-checking all of the above again, you come to the conclusion there is no technical issue with the Welcome Series. Perhaps the email creative is experiencing fatigue? No way the numbers can decline this fast! Then, you realize you are getting a lot of email sign ups that look like this.
So you double check YoY numbers for the delivered of the Welcome Series and you realize you are sending 10-15x times more Welcome Series emails, and that increase correlates almost directly with a major decline in CTR%.
If you find yourself in this situation, you are probably being email list bombed.
In this article we will cover what List Bombing is , its negative impact and what you can do about it to prepare and what to do when it happens.
List Bombing
“List bombing is a form of cyber attack where bots are used to submit an email address on hundreds of forms simultaneously. This action is usually done to obscure a hacking attempt or other nefarious behavior.” https://knowledge.hubspot.com/marketing-email/remediate-list-bombing
Decline of Email Engagement Metrics
Such an attack significantly increases the number of send outs and thus affecting your overall send outs as well as that of automations affected like the Welcome Series. Additionally, this can lead to increased hard bounces for emails that are not real or spam complaints for emails that were used without their knowledge - that negatively impact your email sender reputation.
Leads to Negative Domain Impact
Much higher send outs to “inactive” email addresses will result in lower open rates and clicked rates. Cumulatively and over time ESPs will notice higher sends and lower engagement impacting domain reputation overall if it happens for long enough, the domain reputation will be lowered.
The below is a screenshot example from Google Postmaster which provides feedback on your email domain reputation for ‘@gmail accounts. It is probably the most accessible of such tools on the market right now and is for Free.
Learn how to set it up and how to interpret its dashboards here: https://learn.microsoft.com/en-us/dynamics365/customer-insights/journeys/google-postmaster
Four Things You Can Do
1. Identifying the Source
The most important thing you should do if this happens to your e-commerce is to identify which sign up consent sources in your e-shop are being attacked.
Is it the Footer?
Is it the checkout?
Does it occur when customers register?
Or is it when they sign in for an account?
What about the request to be notified when a product returns from stock?
For this purpose it is best practice to have a custom “import_source” event attribute in your consent events that tells you where the consent came from. This will require for your team to have it mapped out where all the sign up sources come from. Additionally, it will require for each custom event tracking in those touchpoints to contain the special attribute to distinguish the source of the consent.
If you can reliable identify the sources of all your consents, you will have a much easier time dealing with this kind of attack.
2. Identifying & Filtering out the List Bombers
The second most important thing you need to focus on, if you are experiencing such an attack is to examine the list bombers. This is important so you can filter them out in your newsletter send outs and automated email scenarios. If you are able to filter them out, even if the attack persists, it will stop the negative impact
How to go about identifying the list bombers? Examine 4-5 users who appear to be suspicious.
Try to identify the spike over time to see when it started. Do the list bombers share any characteristics that can be used to filter them out? Since it is likely the attack list will produce a lot more emails than you are normally collecting per day / week , examine the source of the spike.
Mind that, the precise logical definition of the list attacked will depend from project to project.
Even if you are not being list bombed, it is best practice filter out any emails that do not match the REGEXP on this website https://emailregex.com/index.html It filters for string logic all valid emails should. The regular expressions checks that the string contains ‘@’ a ‘.’ that neither of these symbols are first or last values, that they are not next to each other, etc.
3. Anomaly Notifications
One preventive solution we recommend to our clients is setting up anomaly notifications for automated email campaigns. We believe there are two useful alerts to set up.
Build a report that tracks an automated campaign’s weekly deliveries. At the end of each each compare the week’s delivered compared to the last. If it is more then 50% of the last week’s value, then send a notification. This would pick up any sudden increases in volumes as well as spikes resulting from marketing events like Black Friday / Sales / Going Viral.
Build a report that track an automated campaigns hourly deliveries. If there are no emails sent within 3-5 hours (depending on velocity), then send a notification. This would alert the team when the automated campaign stops working for whatever reason.
Build a report that tracks an automated campaign daily errors as a % of the daily deliveries. If the % reaches 2-4% (depending on automation / client), then send a notification. This would alert the team if the automated campaign starts erroring out too much for any reason.
When an anomaly notification fires, it does not necessarily mean something is wrong. Ideally there should be a process in place where it is clear which team is responsible for “owning” such notifications. When it fires the team would check if something indeed went wrong. Thanks to such notifications issues like list bombing or if automations stop working can be addressed a lot sooner.
Because notifications can potentially be “SPAM-y” it is also important to calibrate the sensitivity of the alert logic. If it fires too often - then it is “too sensitive” and needs to be adjusted. It is also possible it does not fire often enough - even if there are anomalies to spot → in that case it is not sensitive enough and needs to be adjusted.
4. CAPTCHA
The most comprehensive solution for list bombing is to apply on the identified sources of signups.
However, applying a CAPTCHA to a signup is likely to lower the number of shared emails or phone numbers.
To set it up on your website it would require the application of a chosen CAPTCHA provider on your sign up touchpoints. Here is a link to a Google’s reCAPTCHA solution: https://developers.google.com/recaptcha/intro.
Share & Subscribe!
We hope you found this post useful. Please subscribe below for more posts about marketing operations in e-commerce!