What is “list bombing”?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine waking up to 500 confirmation emails from mailing lists you never signed up for. Your inbox is buried. Somewhere in that flood is a real notification about a suspicious bank transaction, but you'll never find it in time. That's list bombing, and it's not an accident.

List bombing (sometimes called a subscription bomb) is when an attacker submits your email address to hundreds of mailing lists at once, using automated bots to fill out sign-up forms across the web. Every one of those lists then sends you a confirmation email, a welcome email, or both. None of this is illegal from the sending side, because each individual sender is doing nothing wrong.

Attackers use it for a few reasons. The most common is distraction. If someone's about to drain your bank account or make an unauthorized purchase, flooding your inbox first means you're less likely to spot the alert email in time. The second use is harassment, plain and simple: making your inbox unusable. And sometimes it's aimed at damaging the reputation of legitimate senders when victims mark those emails as spam.

If you're a sender, the fix is double opt-in. Requiring subscribers to confirm their address before you add them to your list stops bombed addresses from ending up on your list in the first place. Adding CAPTCHA to your sign-up form and rate-limiting submissions from a single IP address helps too. If you skip these steps, you become an unwitting tool in someone else's attack.

If you're the victim, the immediate priority is finding any real alerts (bank, payment processor, account security) before unsubscribing from anything. Filter by "confirm your subscription" or "welcome to" and start there. Services like Gmail and Outlook both let you set filters to auto-archive or delete incoming waves while you sort things out. Then, use the unsubscribe links in each email individually. It's tedious, but mass-unsubscribe tools that require granting inbox access can introduce their own risks (of course, that's not what you want on top of everything else).

If you think this is happening to you right now and something financial is at stake, check your bank and payment accounts first. Don't let the noise win.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Not sure where to start? Describe your situation and get a ranked action list.

You're helping someone who just got hit by a list bombing attack or a sender who wants to protect their sign-up form from being used in one. Based on their situation, give ranked, practical advice. Ask for these details first: 1. Are you the victim (inbox flooded) or the sender (your form may have been used)? 2. If victim: roughly how many emails, and do you suspect fraud is also happening? 3. If sender: do you currently use single or double opt-in? 4. What email client or platform are you using? Then give a ranked list of: - Immediate actions to take (in order of urgency) - Defensive measures going forward - Any warning signs to watch for

Edit the yellow boxes, then send to the AI of your choice.