4/5★

Subscription Bombing: Your Sign-up Form is a Weapon

Source: Hacker News #8 | 53 points | bytemash.net | 2026-04-02
security attack-vector bot-detection

What is Subscription Bombing?

An attack where bots sign up a victim's email address across hundreds or thousands of websites to flood their inbox with noise, making it impossible to find legitimate security alerts (password resets, bank notifications).

Key Insights

  • Silent attack: Only 1-2 sign-ups per hour - designed to be invisible
  • Bot typing pattern: Characters entered one at a time with uniform randomness (flat distribution), unlike human burst typing
  • Country/time mismatch: Bot traffic had zero correlation between country and time of day
  • Attack chain: Sign up → Wait ~60s → Request password reset → Victim gets 3 emails in under a minute
  • Real-world impact: Attackers use this noise to reset bank passwords, make purchases, or sign up for credit cards in the victim's name

Defense: Every sign-up form that allows any email without verification is a potential weapon. Implement email verification before sending welcome emails, and monitor for anomalous sign-up patterns.

Detection Patterns

  • Garbage names with valid email addresses (e.g., "PfVQXvYTXjwSbEeJBjXYy" → real@email.com)
  • Unusually high forgot-password page views coinciding with unusual sign-ups
  • Typing behavior: flat distribution of delays vs. human burst patterns
  • Country/timezone mismatch in traffic
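An added example (not code from the post or from bytemash.net) that turns the attack chain and the detection patterns above into a per-event scorer: it flags a garbage display name, a flat inter-key delay distribution, and a password reset arriving within ~60 s of sign-up. The thresholds, field names and sample events are assumptions constructed for this example.

```python
import statistics
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values from the article.
MIN_NAME_LETTERS = 8
MAX_VOWEL_RATIO = 0.25
MAX_FLAT_CV = 0.35          # coefficient of variation of inter-key delays
RESET_CHAIN_WINDOW = timedelta(seconds=120)

def name_looks_random(name):
    """Flag names like "PfVQXvYTXjwSbEeJBjXYy": long, with almost no vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < MIN_NAME_LETTERS:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < MAX_VOWEL_RATIO

def typing_is_flat(delays_ms):
    """Uniform-random bot delays cluster tightly; humans type in bursts with long pauses."""
    if len(delays_ms) < 5:
        return False
    cv = statistics.pstdev(delays_ms) / statistics.fmean(delays_ms)
    return cv < MAX_FLAT_CV

def reset_follows_signup(signed_up_at, reset_at):
    """Sign up, wait ~60 s, request a password reset: the chain described in the post."""
    return reset_at is not None and timedelta(0) <= reset_at - signed_up_at <= RESET_CHAIN_WINDOW

def signup_flags(event):
    """Return the list of detection patterns a single sign-up event matches."""
    flags = []
    if name_looks_random(event["name"]):
        flags.append("garbage_name")
    if typing_is_flat(event["email_key_delays_ms"]):
        flags.append("flat_typing")
    if reset_follows_signup(event["signed_up_at"], event.get("reset_requested_at")):
        flags.append("reset_chain")
    return flags

# Constructed sample events (not real traffic); delays are ms between keystrokes.
T0 = datetime(2026, 4, 2, 3, 14, 0)
BOT_EVENT = {
    "name": "PfVQXvYTXjwSbEeJBjXYy",
    "email_key_delays_ms": [91, 104, 117, 83, 99, 110, 88, 95, 113, 102],
    "signed_up_at": T0,
    "reset_requested_at": T0 + timedelta(seconds=61),
}
HUMAN_EVENT = {
    "name": "Alice Johnson",
    "email_key_delays_ms": [42, 58, 61, 410, 47, 52, 690, 63, 38, 520],
    "signed_up_at": T0,
}
```

Feeding `signup_flags` each sign-up as it arrives keeps the check cheap enough to run inline, even at the 1-2 events per hour the attack is designed to hide behind.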