Imagine that your post-subscription Email Welcome Series is experiencing a major decline in click-through rates and revenue per email compared to a few months ago.
You check the setup of the scenario. It does not contain any issues.
You validate the tracking of trigger events. It also does not contain any issues.
You validate the Jinja code in the creatives themselves - once again, it also does not contain any issues!
You make sure to hard-test the scenario - the emails send fine, also with no issues!
After double-checking all of the above again, you come to the conclusion that there is no technical issue with the Welcome Series. Perhaps the email creative is experiencing fatigue? No way the numbers can decline this fast!
Then, you realize you are getting a lot of email sign-ups that look like this.
So, you double-check the year-over-year (YoY) numbers for the number of delivered Welcome Series emails and realize you are sending 10-15 times more this year. The increase corresponds strongly with a major decline in CTR%, as shown in the two anonymized graphs below.
If you find yourself in this situation, you are probably being email list bombed.
In this article, we will cover what List Bombing is, its negative impact, what you can do to prepare, and what to do when it happens.
List Bombing
List bombing is a form of cyber attack where hundreds of bots are used to submit an email address in online forms automatically. https://knowledge.hubspot.com/marketing-email/remediate-list-bombing
Decline of Email Engagement Metrics
Such an attack significantly increases the number of send-outs and thus affects your overall send-outs, as well as those of automations affected, such as the Welcome Series. Additionally, this can lead to increased hard bounces for emails that are not genuine or spam complaints for emails that were sent without the recipient's knowledge, which negatively impacts your email domain’s sender reputation.
Leads to Negative Domain Impact
Sending emails to “inactive” email addresses at a much higher rate will result in lower open rates and click rates. Cumulatively and over time, ESPs will notice higher send volumes and lower engagement on your email domain, which will impact its overall reputation. If it happens for long enough, the domain reputation will be lowered.
The below is a screenshot example from Google Postmaster which provides feedback on your email domain reputation for ‘@gmail accounts. It is probably the most accessible of such tools on the market right now and is for Free.
Learn how to set it up and how to interpret its dashboards here: https://learn.microsoft.com/en-us/dynamics365/customer-insights/journeys/google-postmaster
Four Things You Can Do
1. Identifying the Source
The most important thing you should do if this happens to your e-shop is to identify which sign-up consent sources in your e-shop are being attacked.
Is it the Footer?
Is it the checkout?
Does it occur when customers register for an account?
Or is it when they sign in for an account?
What about the request to be notified when a product returns from stock?
For this purpose, it is best practice to have a custom “signup_source” event attribute in your subscription or consent events that indicates where the email originated. This will require your team to map out where all the signup sources come from and for each of those touchpoints to contain a unique identifiable name for the touchpoint in the “signup_source” attribute to email signups to each touchpoint.
If you can reliably identify the sources of all your consents, you will have a much easier time diagnosing which parts of the site are being affected.
2. Identifying & Filtering out the List Bombers
The second most important thing you need to focus on, if you are experiencing such an attack, is to examine the list of bombers. This is important so you can find a logic to filter them out in your newsletter send-outs and automated email scenarios. If you are able to filter them out, even if the attack persists, it will limit its negative impact.
How to identify the list bombers? Examine the emails from the time and source of the spike. Since it is likely the attack list will produce a lot more emails than you are normally collecting per day / week - try to identify the spike on a timeseries of your signup events to see when it started. Examine 4-5 users who appear to be from the suspicious source and timeframe.
Do the list bombers share any characteristics that can be used to filter them out? ,
Mind that, the precise logical definition of the list attacked will depend on the project.
Even if you are not being list bombed, it is best practice to filter out any emails that do not match the REGEXP on this website https://emailregex.com/index.html. It filters for string logic, all valid emails should.
For example, it checks that the email contains ‘@’ and a ‘.’ that neither of these symbols is the first or last value, that they are not next to each other, etc because each valid email needs to contain those symbols.
3. Anomaly Notifications
One preventive solution we recommend to our clients is setting up anomaly notifications for automated email campaigns. We believe there are three useful alerts to set up.
Build a report that tracks an automated campaign’s weekly deliveries. At the end of each day, compare the day’s deliveries to the average of the last 7 days. If it is more than 50% of the avg. of the last 7 days’ value, then send a notification. This would pick up any sudden increases in volumes as well as spikes resulting from marketing events like Black Friday / Sales / Going Viral.
Build a report that tracks an automated campaign’s hourly deliveries. If no emails are sent within 3-5 hours (depending on the velocity), send a notification. This would alert the team when the automated campaign stops working for whatever reason.
Build a report that tracks the daily errors of an automated campaign as a percentage of its daily deliveries. If the percentage reaches 2-4% (the threshold depends significantly on automation and the client), then send a notification. This would alert the team if the automated campaign starts to error out excessively for any reason.
When an anomaly notification is triggered, it does not necessarily mean that something is wrong. When it triggers, an assigned team member should
verify if something indeed went wrong
if something went indeed wrong - diagnose the root cause & estimate its scale, document the issue
and raise it with the rest of the team.
Thanks to such notifications, issues like list bombing or if automations stop working can be identified and diagnosed as they occur, limiting their damage.
Because notifications can potentially be “SPAM-y,” it is also important to calibrate the sensitivity of the alert logic. If it fires too often, then it is “too sensitive” and needs to be adjusted. It is also possible that it does not fire often enough, even if there are anomalies to spot. In that case, it is not sensitive enough and needs to be adjusted.
4. CAPTCHA
The most comprehensive solution for preventing list bombing is to implement a CAPTCHA check on the sources where suspicious signups are originating.
By requiring users to complete a CAPTCHA before submitting their information, it becomes significantly more difficult for automated systems or malicious actors to flood a system with fake signups.
However, while this method should effectively filter out bots, it can also introduce friction for legitimate users. As a result, the additional step may discourage some individuals from completing the signup process, potentially leading to a decrease in the number of shared emails or phone numbers by legitimate users.
To set it up on your website, it would require the application of a chosen CAPTCHA provider on your sign-up touchpoints. This is not something we have a lot of experience with ourselves.
Here is a link to a Google’s reCAPTCHA solution: https://developers.google.com/recaptcha/intro.
Share & Subscribe!
We hope you found this post useful. Please subscribe below for more posts about marketing operations in e-commerce!