Understanding list bombing 

Last updated at:

You will learn 

Learn about list bombing attacks and how you can identify them to protect your email and SMS lists. List bombing attacks fill your account with fake profiles, and can harm your sender reputation, data, and more. 

What is list bombing?

List bombing is a malicious attack where the attacker exploits a signup form or checkout page by making a large number of fake submissions, filling the associated list with emails and phone numbers that have not consented or are invalid. While an increase in email subscribers may initially seem like a good thing for your brand, this is only true if all the new leads are legitimate.

If you send to fake profiles created through a list bombing attack, it can negatively impact your deliverability in the following ways: 

  • Higher hard bounce rates
  • Higher spam complaints
  • Lower open rates
  • Potentially hitting a spam trap
  • Addition to the Spamhaus Block List (SBL)

How to identify a list bombing attack 

The first indicator of list bombing is if you've experienced a sudden spike in new subscribers. This is particularly true if you haven't planned any list growth campaigns, so there is nothing to tie this spike to. If this happens, examine the recent email subscribers, looking out for the following trends: 

  • The emails all came in through a single point of entry (e.g., same signup form)
  • There was a specific timeframe in which the influx of emails was captured 
  • All the emails are from the same domain (e.g., all are from @phish.com)
  • The contacts have unconventional first and last names
  • All submissions are from the same IP source

How do you protect against list bombing?

Double opt-in 

Double opt-in is a process through which a new subscriber must confirm their subscription before being subscribed to a given list. It is the same for both email and SMS subscribers, and is on by default in Klaviyo.

When double opt-in is enabled, new subscribers will receive a confirmation message immediately after signing up. This message will prompt them to confirm their subscription. Only subscribers who confirm their subscription will be successfully added to the list, making it harder for malicious actors to list bomb. 

List bombing IP management

Klaviyo has a system in place to prevent list bombing called the List Bombing IP Management. The purpose of this system is to flag or block specific IP addresses that are making a large number of form submissions or subscribe API calls within a short period of time. If you are being list bombed, this system would block IP addresses with a large number of initial subscribe requests to protect your account from further profile subscriptions. 

Note that the IP blocking only occurs after the attack has already started to protect your your account from further harm. This method of list bombing mitigation cannot prevent an attack entirely.

Honeypot form field

This method requires a developer and access to the form’s HTML. If your forms are built through Klaviyo’s form editor, consider creating a custom legacy form.

Adding a “honeypot” field to a website’s form is a method you can implement to easily identify if you are being list bombed. If you are using a custom, non-Klaviyo form, you can place a hidden field that is invisible on the front-end. If the form is submitted with a value set for the honeypot field, you can attribute the submission to a bot rather than a human user. 

Make sure that your honeypot adds a custom property to Klaviyo that you do not plan on using anywhere else. This allows you to use the honeypot field’s custom property to identify profiles submitted by a bot with segmentation in Klaviyo: 



For instructions on how to create a honeypot field, we recommend reading the following resource:

What to do if you experience list bombing 

If you experience list bombing, the next thing you should do is clean out the profiles that were created. Based on the trends that you notice with the new subscriptions, take the data points and create a segment to help pull in all the emails that were submitted during the attack. 

Once the segment is created, suppress the profiles so they cannot receive any sends from you. 

If you have questions on building a segment that captures profiles created through a list bombing attack, reach out to our Support Team.

It is also best practice to re-enable double opt-in on your lists if you have fallen victim to a list bombing attack. Once a brand has been targeted, it is more likely that they'll be targeted again in the future. By securing your forms through double opt-in, you can prevent future attacks.

Additional resources 

Was this article helpful?
6 out of 7 found this helpful