Category: List Health & Deliverability

  • Subscription bombing: why bots sign up to your newsletter (and how to block them)

    If you run a newsletter, you’ve probably noticed signups appearing in your subscriber list with email addresses that look subtly wrong. Names you don’t recognise. Local-parts with strange dot patterns like k.en.d.ra.lr@gmail.com. All marked as “direct” with no referer, no UTM, no obvious traffic source.

    These aren’t your audience. Your site is being used as a relay in an attack on someone else’s inbox. The technical name is subscription bombing (also called list bombing or mail bombing), and once you know what to look for, you’ll see it on almost every newsletter signup form on the open web.

    What subscription bombing actually is

    An attacker picks a victim — usually one specific email address. They run a bot that visits thousands of unrelated websites that accept newsletter signups and submits the victim’s email to every one of them.

    Within ten minutes, the victim’s inbox fills with two hundred legitimate-looking welcome emails from newsletters they never signed up for. Travel sites, ecommerce stores, hobby blogs, university mailing lists, charity newsletters. Each individual email is innocuous. The pile is the point.

    Your site isn’t being attacked. Your site is being used as a small, expendable cog in an attack on someone you’ve never met.

    Why attackers do this

    The motive is almost always to hide a single critical email from the victim:

    • Credit card fraud cover. The attacker just made a $2,000 purchase on the victim’s stolen card. The bank will send a fraud-alert email within minutes. If that alert is buried under 300 newsletter confirmations, the victim might not see it until after the cancellation window closes.
    • Account recovery. The attacker is trying to take over the victim’s email or banking account. Password-reset confirmations and 2FA codes get buried in the same way.
    • Harassment. Less common, but bombings are sometimes used to make a target’s inbox unusable for days.

    There are services that openly sell this. “1,000-site mail bomb, $30.” They use rented botnets so the requests come from thousands of residential IPs — no single source to block.

    How to spot it on your own list

    Two patterns are diagnostic:

    The dotted-Gmail trick

    Gmail ignores dots in the local-part of an address. kendralr@gmail.com, k.endralr@gmail.com, and k.en.d.ra.lr@gmail.com all deliver to the same inbox. Each site’s database stores them as distinct addresses (so per-site dedup doesn’t catch the second signup), but the victim receives every email.

    If you see several Gmail signups in the same short window with unusual dot patterns, those are almost certainly bot signups. Real humans don’t sprinkle random dots through their own email when filling out a form.

    Missing referer, missing UTM, sub-minute conversion

    Bots that target your endpoint directly never load the form page first. They POST straight to the subscribe endpoint with just {email}. As a result:

    • No Referer header.
    • No utm_source on the landing URL.
    • No first-touch attribution cookie.
    • “First seen” and “subscribed” timestamps within seconds of each other.

    A real visitor might land via Facebook, browse for a few minutes, then sign up. Their attribution captures something. Bots leave nothing.
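    As an added example (not code from the article or from the One Two Three Send plugin), a Python triage pass over exported signup rows that scores each row against the two patterns above, dotted-Gmail local-parts and missing attribution with a sub-minute conversion, and groups the dot variants that Gmail delivers to one inbox; the Signup fields, the one-dot allowance and the sample rows are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

@dataclass
class Signup:
    email: str
    referer: str        # "" when the request carried no Referer header
    utm_source: str     # "" when the landing URL had no utm_source
    first_seen: datetime
    subscribed: datetime

def gmail_canonical(email: str) -> str:
    """Collapse a Gmail address to the inbox it delivers to: Gmail ignores dots."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"

def bot_signals(s: Signup, max_dots: int = 1) -> list[str]:
    """Diagnostic patterns from the article that this signup matches."""
    local, _, domain = s.email.lower().rpartition("@")
    signals = []
    if domain in GMAIL_DOMAINS and local.count(".") > max_dots:
        signals.append("dotted-gmail")           # e.g. k.en.d.ra.lr@gmail.com
    if not s.referer and not s.utm_source:
        signals.append("no-attribution")         # POSTed straight to the endpoint
    if s.subscribed - s.first_seen < timedelta(seconds=60):
        signals.append("sub-minute-conversion")  # never browsed the site first
    return signals

def triage(signups: list[Signup], min_signals: int = 2) -> list[tuple[str, list[str]]]:
    """Signups matching at least min_signals patterns; review these before deleting."""
    return [(s.email, hits) for s in signups if len(hits := bot_signals(s)) >= min_signals]

def same_inbox_groups(signups: list[Signup]) -> dict[str, list[str]]:
    """Stored addresses that Gmail delivers to one inbox; per-site dedup misses these."""
    groups: dict[str, list[str]] = {}
    for s in signups:
        groups.setdefault(gmail_canonical(s.email), []).append(s.email)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample rows, not real subscriber data.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE = [
    Signup("k.en.d.ra.lr@gmail.com", "", "", T0, T0 + timedelta(seconds=2)),
    Signup("ke.n.dralr@gmail.com", "", "", T0 + timedelta(seconds=40), T0 + timedelta(seconds=41)),
    Signup("reader@example.org", "https://facebook.com/", "facebook", T0, T0 + timedelta(minutes=4)),
]
```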

    Layered defences that actually work

    No single check stops subscription bombing. The pattern is layered defences, each catching a slightly different bot class:

    1. Honeypot field. A hidden input field that real humans never see. Bots that scrape the form HTML and fill every input get caught. Cheap, transparent, zero UX impact. Useless against bots that POST straight to the endpoint without loading the form.
    2. Per-IP rate limit. N submissions per IP per hour. Catches bursty single-IP attacks. Useless against distributed botnets across thousands of residential IPs.
    3. MX-record check. Reject signups whose email domain has no MX (mail exchanger) record. Catches typos and made-up domains. Cheap — one DNS lookup. Useless against Gmail-based attacks.
    4. Disposable-domain blocklist. Reject signups from known throwaway services (mailinator, guerrillamail, yopmail, etc.). Useless against real-domain attacks but kills another bot class.
    5. Gmail dot-normalization. Strip dots from the local-part of Gmail addresses before storing. If kendralr@gmail.com already exists, the second variant gets rejected as a duplicate. Catches dot-trick attacks on a single site (though not across multiple sites).
    6. Cloudflare Turnstile. Invisible CAPTCHA. By far the most effective single layer — it makes bot signups dramatically more expensive to attempt. Some UX cost: real users with strict privacy extensions occasionally fail it.
    7. Double opt-in. Send a confirmation email; only add the subscriber once they click. The standard ESP defence. It doesn’t prevent the bomb (you still send one email) but it stops the victim from being added to your ongoing list, which protects your sender reputation downstream.

    Each layer should silently accept-and-drop suspicious signups — return HTTP 200, never reveal which check tripped. If your endpoint says “rate limited” or “honeypot detected,” attackers immediately adapt.
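    An added example, not the plugin's own code: a Python sketch of layers 1 to 5 run in order with the accept-and-drop behaviour described above. The MX lookup is injected as a callable so the example runs offline; the disposable list, form field names, limits and sample addresses are constructed assumptions, and Turnstile and double opt-in are left out because they depend on external services.

```python
from __future__ import annotations
import time
from collections import defaultdict, deque
DISPOSABLE = {"mailinator.com", "guerrillamail.com", "yopmail.com"}  # short constructed list
RATE_LIMIT_PER_HOUR = 10

def normalize(email: str) -> str:
    """Gmail ignores dots in the local-part; store the dotless form so variants dedup."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"

class SubscribeGate:
    """Runs the layers in order; the caller gets HTTP 200 whichever layer drops the request."""
    def __init__(self, has_mx, now=time.time):
        self.has_mx = has_mx                       # domain -> bool, injected so this runs offline
        self.now = now
        self.subscribers: set[str] = set()
        self.hits = defaultdict(deque)             # ip -> timestamps of recent submissions
        self.audit: list[tuple[str, str]] = []     # server-side log only, never returned

    def _rate_limited(self, ip: str) -> bool:
        window, cutoff = self.hits[ip], self.now() - 3600
        while window and window[0] < cutoff:
            window.popleft()
        window.append(self.now())
        return len(window) > RATE_LIMIT_PER_HOUR

    def check(self, form: dict, ip: str) -> str:
        """Internal verdict: 'accepted' or the layer that dropped the request."""
        if form.get("website"):                    # 1. honeypot field humans never see
            return "honeypot"
        if self._rate_limited(ip):                 # 2. per-IP rate limit
            return "rate-limit"
        email = normalize(form.get("email", ""))
        local, _, domain = email.rpartition("@")
        if not local or not domain or not self.has_mx(domain):  # 3. MX-record check
            return "no-mx"
        if domain in DISPOSABLE:                   # 4. disposable-domain blocklist
            return "disposable"
        if email in self.subscribers:              # 5. dot-normalized duplicate
            return "duplicate"
        self.subscribers.add(email)
        return "accepted"

    def handle(self, form: dict, ip: str) -> tuple[int, dict]:
        """Public response: identical whether the signup was accepted or dropped."""
        self.audit.append((form.get("email", ""), self.check(form, ip)))
        return 200, {"status": "ok"}
```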

    What One Two Three Send does out of the box

    As of version 2.0.20, the free plugin’s /wp-json/otts/v1/subscribe endpoint runs four layers automatically:

    • Honeypot on the form (hidden website input — already in earlier versions).
    • Per-IP rate limit — 10 submissions per IP per hour by default, filterable via otts_subscribe_rate_limit_per_hour.
    • MX-record validation on the email domain.
    • Disposable-domain blocklist of ~30 common throwaway services, filterable via otts_subscribe_disposable_domains.

    All four layers silently accept-and-drop — bots can’t fingerprint which check rejected them.

    The Subscribers admin page now has a Delete button on every row for cleaning up signups that slip through. Two new admin-only REST endpoints (DELETE /wp-json/otts/v1/subscriber/{id} and POST /wp-json/otts/v1/subscriber/delete-by-email) let you script bulk cleanups if you need to delete dozens of bot signups at once.

    If your site is being bombed heavily, Cloudflare Turnstile in front of your signup form is the next step. It’s free, integrates in a few lines of JS, and stops the overwhelming majority of attacks that get past the layers above. Double opt-in is the layer after that.

    One thing worth keeping in mind

    If you see fifty bot signups appear in your list, your first reaction will probably be annoyance about list hygiene. The bigger picture is that fifty real people — strangers, somewhere — just had their inboxes flooded as cover for a fraud or account-recovery attack. Tightening up your form isn’t just protecting your sender reputation. It’s removing one of the small relays that subscription-bombing services rent out by the thousand.

    Every site that adds a honeypot, a rate limit, or a Turnstile widget makes that business model a little less profitable. That’s worth doing.

  • Bounce rates are a hiring decision, not a problem to fix

    Most newsletter operators treat bounce reports like error logs: something vaguely unpleasant to ignore until a platform forces you to look. But your bounce rate isn’t background noise. It’s the clearest signal you’ll get about list quality, and if you’re not acting on it immediately, you’re gambling with your sender reputation.

    Here’s what actually matters: every hard bounce is a landmine you’ve just stepped on. Every soft bounce is a warning light. And the way you respond to both determines whether ESPs see you as a professional operator or a spammer who doesn’t care where mail goes.

    Hard bounces are non-negotiable

    A hard bounce means the address doesn’t exist, never existed, or has been permanently disabled. Sending to it again won’t work. Sending to it repeatedly will get you blocklisted.

    The correct behavior is automatic and immediate: remove the address. No grace period. No second chances. No “maybe it was a temporary DNS issue” wishful thinking.

    Why? Because continuing to mail hard bounces tells receiving servers one of two things about you: either you’re harvesting addresses without permission, or you don’t care enough to maintain basic list hygiene. Both look identical to a spam operation.

    Most platforms auto-suppress hard bounces. If yours doesn’t, you need a better platform or a manual process you run weekly at minimum. This isn’t optional maintenance. It’s the baseline cost of staying in the inbox.

    Soft bounces need a policy, not a reflex

    Soft bounces are trickier. The mailbox exists, but something prevented delivery: inbox full, server temporarily down, message too large, content flagged by a filter.

    The temptation is to retry forever. Don’t.

    After three to five consecutive soft bounces, the address should be suppressed. The exact number depends on your send frequency, but the principle holds: if someone’s mailbox has been full for a month, or their server has rejected you five times in a row, they’re either gone or their setup is incompatible with your mail.

    Continuing to send harms you more than it helps them. Mailbox providers track your bounce rates over time. A slow accumulation of soft bounces signals poor list management just as clearly as hard bounces do; it just takes longer to trigger consequences.

    What your bounce rate actually tells you

    A healthy list bounces at well under 2%. If you’re consistently above that, you’ve got a sourcing problem, not a delivery problem.

    Common causes: imported lists from old systems where addresses weren’t validated, signup forms without confirmation, third-party lead magnets that didn’t scrub entries, or viral growth that pulled in throwaway addresses.

    If your bounce rate spikes suddenly, it’s usually one of three things: a bad import, a compromised form, or a technical issue with how your sending domain is configured. All three require immediate action. A sustained spike will destroy your sender reputation faster than almost anything else you can do.

    The fix starts with understanding where bad addresses enter your system. If you’re seeing hard bounces on brand-new signups, your form validation is broken or missing. If bounces cluster around imports, you need a stricter cleaning process before upload. If they’re random and creeping upward, you’ve likely got organic decay, which means your content isn’t reaching people anymore and they’ve moved on.

    Build the workflow now

    This doesn’t require expensive tools. It requires a weekly routine: pull your bounce report, segment hard from soft, remove hards immediately, flag softs that have hit your threshold, and investigate any anomalies.

    Most importantly, track your bounce rate as a core metric alongside opens and clicks. If it trends upward over months, your list is rotting and your acquisition pipeline needs an audit.
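    As an added example that is not from the article, a Python ledger that applies the policy above to a send log: hard bounces are suppressed on the spot, soft bounces only after a run of consecutive failures that a successful delivery resets, and the log's bounce rate is computed for comparison with the 2% figure. The threshold of 3, the outcome labels and the sample log are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
SOFT_BOUNCE_THRESHOLD = 3   # article: suppress after three to five consecutive soft bounces
BOUNCE_RATE_ALERT = 0.02    # article: a healthy list bounces well under 2%

@dataclass
class AddressState:
    suppressed: bool = False
    reason: str = ""
    consecutive_soft: int = 0

@dataclass
class BounceLedger:
    states: dict[str, AddressState] = field(default_factory=dict)

    def record(self, email: str, outcome: str) -> AddressState:
        """Apply one send outcome ('delivered', 'soft' or 'hard') to this address."""
        st = self.states.setdefault(email.lower(), AddressState())
        if st.suppressed:                          # already off the list; never mailed again
            return st
        if outcome == "hard":                      # immediate removal, no grace period
            st.suppressed, st.reason = True, "hard bounce"
        elif outcome == "soft":
            st.consecutive_soft += 1
            if st.consecutive_soft >= SOFT_BOUNCE_THRESHOLD:
                st.suppressed, st.reason = True, f"{st.consecutive_soft} consecutive soft bounces"
        elif outcome == "delivered":               # a delivery resets the soft-bounce streak
            st.consecutive_soft = 0
        else:
            raise ValueError(f"unknown outcome {outcome!r}")
        return st

    def process_report(self, report: list[tuple[str, str]]) -> dict[str, list[str]]:
        """Weekly routine: remove hards, flag softs that hit the threshold, warn on the rest."""
        out: dict[str, list[str]] = {"removed": [], "flagged": [], "warning": []}
        for email, outcome in report:
            before = self.states.get(email.lower(), AddressState()).suppressed
            st = self.record(email, outcome)
            if st.suppressed and not before:
                out["removed" if outcome == "hard" else "flagged"].append(email)
            elif outcome == "soft":
                out["warning"].append(email)
        return out

def bounce_rate(report: list[tuple[str, str]]) -> float:
    """Share of sends that bounced; anything over BOUNCE_RATE_ALERT is a sourcing problem."""
    return sum(o in ("hard", "soft") for _, o in report) / len(report) if report else 0.0

# Constructed send log, not real bounce data: (address, outcome) in send order.
REPORT = [("gone@example.org", "hard"), ("full@example.org", "soft"), ("full@example.org", "soft"),
          ("full@example.org", "soft"), ("flaky@example.org", "soft"), ("flaky@example.org", "delivered"),
          ("flaky@example.org", "soft"), ("ok@example.org", "delivered")]
```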

    Your bounce rate is diagnostic. It won’t tell you what to write or when to send, but it will tell you whether your list is real, whether your sources are clean, and whether you’re maintaining the infrastructure reputation that keeps you in the inbox.

    If you’re serious about keeping your newsletter out of the spam folder, subscribe to One Two Three Send for the operational details other newsletters won’t cover.

    Ignore your bounces long enough and you won’t need to worry about subject lines or preview text. You’ll be sending to no one.