What is “list bombing”?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine waking up to 500 confirmation emails from mailing lists you never signed up for. Your inbox is buried. Somewhere in that flood is a real notification about a suspicious bank transaction, but you'll never find it in time. That's list bombing, and it's not an accident.
List bombing (sometimes called a subscription bomb) is when an attacker submits your email address to hundreds of mailing lists at once, using automated bots to fill out sign-up forms across the web. Every one of those lists then sends you a confirmation email, a welcome email, or both. None of this is illegal from the sending side, because each individual sender is doing nothing wrong.
Attackers use it for a few reasons. The most common is distraction. If someone's about to drain your bank account or make an unauthorized purchase, flooding your inbox first means you're less likely to spot the alert email in time. The second use is harassment, plain and simple: making your inbox unusable. And sometimes it's aimed at damaging the reputation of legitimate senders when victims mark those emails as spam.
If you're a sender, the fix is double opt-in. Requiring subscribers to confirm their address before you add them to your list stops bombed addresses from ending up on your list in the first place. Adding CAPTCHA to your sign-up form and rate-limiting submissions from a single IP address helps too. If you skip these steps, you become an unwitting tool in someone else's attack.
If you're the victim, the immediate priority is finding any real alerts (bank, payment processor, account security) before unsubscribing from anything. Filter by "confirm your subscription" or "welcome to" and start there. Services like Gmail and Outlook both let you set filters to auto-archive or delete incoming waves while you sort things out. Then, use the unsubscribe links in each email individually. It's tedious, but mass-unsubscribe tools that require granting inbox access can introduce their own risks (of course, that's not what you want on top of everything else).
If you think this is happening to you right now and something financial is at stake, check your bank and payment accounts first. Don't let the noise win.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.