Combatting Subscription Bombing: Lessons Learned and Solutions Implemented
By Jye Cusch

AI Summary
Recently, we observed a peculiar trend on Suga, where new users signed up but remained inactive. Upon investigation, we discovered these accounts were part of a subscription bombing attack, where bots flood a victim's email with sign-ups to obscure critical emails, such as password resets. This tactic is subtle, with bots using real email addresses and random names, avoiding detection by mimicking human behavior.
Subscription bombing is not only a nuisance but a serious threat, as it allows attackers to bury important notifications under a deluge of spam, facilitating unauthorized access to sensitive accounts. We noticed the attack when unusual sign-up patterns and high activity on our forgot password page emerged, prompting a deeper look.
The attack's stealthy nature, with sign-ups spread across many locations and times of day, evades rate limits keyed to a single source IP or a short time window: no one address ever sends enough requests to trip them. Although our email reputation remained intact, the real victims were the email account holders whose inboxes were flooded. This highlighted the importance of verifying an email address before sending any other communication to it.
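The point about rate limiting is worth seeing in numbers. The example below is added here and is not the original post's code; it runs a per-IP sliding-window limit and two fleet-wide signals (share of new accounts that never verify, and forgot-password bursts) over a constructed event log in which every sign-up comes from a different IP. The thresholds, field names and timestamps are assumptions chosen for the illustration.

```python
"""Fleet-wide signals for a distributed sign-up bombing campaign.

Added example, not the original post's code. The sign-ups arrive from many
IPs spread over hours, so a per-IP rate limit never trips; what does trip
is the share of new accounts that never verify and a burst on the
forgot-password endpoint. The log below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, event, source IP, email address).
# Twelve sign-ups, one every half hour, each from a different IP in the
# 203.0.113.0/24 documentation range; only two of them ever verify.
SIGNUP_TIMES = ["00:05", "00:35", "01:05", "01:35", "02:05", "02:35",
                "03:05", "03:35", "04:05", "04:35", "05:05", "05:35"]
LOG = [(f"2024-05-01T{t}:00", "signup", f"203.0.113.{i + 1}", f"u{i + 1:02d}@example.net")
       for i, t in enumerate(SIGNUP_TIMES)]
LOG += [
    ("2024-05-01T00:20:00", "verify", "203.0.113.1", "u01@example.net"),
    ("2024-05-01T03:20:00", "verify", "203.0.113.7", "u07@example.net"),
    ("2024-05-01T00:40:00", "forgot_password", "198.51.100.9", "someone@example.org"),
]
# Six forgot-password requests between 03:10 and 03:45, each from its own IP.
LOG += [(f"2024-05-01T03:{m:02d}:00", "forgot_password", f"198.51.100.{20 + m}", f"t{m}@example.org")
        for m in range(10, 50, 7)]


def parse(log):
    return [(datetime.fromisoformat(ts), ev, ip, email) for ts, ev, ip, email in log]


EVENTS = parse(LOG)
NOW = datetime.fromisoformat("2024-05-01T07:00:00")


def ips_over_limit(events, limit=5, window=timedelta(hours=1)):
    """Classic per-IP sliding-window limit: IPs with more than `limit`
    sign-ups inside any `window`. Empty for this campaign: one sign-up per IP."""
    by_ip = defaultdict(list)
    for ts, ev, ip, _ in events:
        if ev == "signup":
            by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def unverified_ratio(events, now, grace=timedelta(hours=1)):
    """Share of sign-ups at least `grace` old whose address never verified.
    Someone who wanted the account usually clicks the link quickly; a bot
    registering someone else's address never does."""
    verified = {email for _, ev, _, email in events if ev == "verify"}
    due = [email for ts, ev, _, email in events if ev == "signup" and now - ts >= grace]
    if not due:
        return 0.0
    return sum(1 for email in due if email not in verified) / len(due)


def forgot_password_bursts(events, baseline_per_hour=1, factor=3):
    """Hours in which forgot-password traffic exceeds `factor` times the baseline."""
    per_hour = defaultdict(int)
    for ts, ev, _, _ in events:
        if ev == "forgot_password":
            per_hour[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return sorted(h for h, n in per_hour.items() if n > baseline_per_hour * factor)


def assess(events=EVENTS, now=NOW, max_unverified=0.5):
    """Combine the signals into one verdict for the reporting pipeline."""
    ratio = unverified_ratio(events, now)
    bursts = forgot_password_bursts(events)
    return {
        "per_ip_flagged": ips_over_limit(events),
        "unverified_ratio": round(ratio, 3),
        "forgot_password_bursts": bursts,
        "alert": ratio > max_unverified or bool(bursts),
    }


if __name__ == "__main__":
    print(assess())
```

Run as a script it prints an empty `per_ip_flagged` set beside an unverified ratio of 0.833 and a flagged 03:00 hour: the per-source limit sees nothing, the aggregate view does. In production the same two signals would be computed over a rolling window rather than a fixed log.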
To counteract this, we tightened our firewall rules and deployed Cloudflare Turnstile, a CAPTCHA alternative that integrates with our authentication system; this stopped the bot sign-ups. We also changed our email service so that an unconfirmed address receives nothing but the verification email, so a sign-up made with someone else's address can no longer generate further mail for its owner.
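One way to implement both of those controls in a sign-up service, as an added example that is not the original post's or Suga's code: the Turnstile token is checked server-side against Cloudflare's siteverify endpoint, and an outbound-mail gate refuses anything except the verification email until the address is confirmed. The HTTP transport is injected so the flow runs offline with a constructed stand-in; the class names, the hostname `app.example.com` and the response string are assumptions.

```python
"""Sign-up hardening in two parts: a server-side Cloudflare Turnstile check
and an outbound-mail gate that lets an unconfirmed address receive nothing
but its own verification email. Added example, not the original post's
code; the HTTP transport is injected so the flow runs offline."""
import json
import secrets
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def http_post_form(url, fields):
    """Real transport: form-encoded POST, JSON reply (not used offline)."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read())


def offline_siteverify(url, fields):
    """Constructed stand-in for siteverify: accepts only the token "good"."""
    return {"success": fields["response"] == "good", "hostname": "app.example.com"}


def verify_turnstile(token, remote_ip, secret, expected_hostname, post=http_post_form):
    """True only if Cloudflare confirms the token and it was solved on our
    hostname. Tokens are short-lived and single-use, so a replayed token
    fails here; any transport error fails closed (no verdict, no sign-up)."""
    if not token:
        return False
    try:
        reply = post(SITEVERIFY_URL,
                     {"secret": secret, "response": token, "remoteip": remote_ip})
    except Exception:
        return False
    return bool(reply.get("success")) and reply.get("hostname") == expected_hostname


class Outbox:
    """Mail gate: an address that has not confirmed may only receive the
    verification email itself. Everything else is dropped, not queued."""
    def __init__(self):
        self.confirmed = set()
        self.sent = []

    def send(self, to, kind, body):
        if kind != "verify_address" and to not in self.confirmed:
            return False
        self.sent.append((to, kind, body))
        return True


class Accounts:
    def __init__(self, turnstile_secret, hostname, outbox, post=http_post_form):
        self.secret, self.hostname = turnstile_secret, hostname
        self.outbox, self.post = outbox, post
        self.users = {}      # email -> {"name": str, "confirmed": bool}
        self.pending = {}    # verification token -> email

    def signup(self, email, name, turnstile_token, client_ip):
        if not verify_turnstile(turnstile_token, client_ip, self.secret,
                                self.hostname, self.post):
            return "challenge_failed"
        if email in self.users:
            return "ok"      # repeat sign-ups send no further mail and reveal nothing
        self.users[email] = {"name": name, "confirmed": False}
        token = secrets.token_urlsafe(32)
        self.pending[token] = email
        self.outbox.send(email, "verify_address", f"confirm token={token}")
        return "ok"

    def confirm(self, token):
        email = self.pending.pop(token, None)
        if email is None:
            return False
        self.users[email]["confirmed"] = True
        self.outbox.confirmed.add(email)
        return True

    def request_password_reset(self, email):
        """Same response whether or not the address exists; mail goes out only
        for confirmed addresses, so this flow cannot be used to spam an
        address that its owner never verified."""
        user = self.users.get(email)
        if user and user["confirmed"]:
            self.outbox.send(email, "password_reset", "reset link")
        return "if that address is registered, a reset email has been sent"


def walkthrough():
    """Run the flow offline; returns (step results, kinds of mail actually sent)."""
    outbox = Outbox()
    acc = Accounts("secret", "app.example.com", outbox, post=offline_siteverify)
    ip = "198.51.100.1"
    results = [
        acc.signup("ann@example.net", "bot", "bad-token", ip),   # challenge fails
        acc.signup("ann@example.net", "Ann", "good", ip),        # verification mail
        acc.signup("ann@example.net", "Ann", "good", ip),        # duplicate: no mail
    ]
    acc.request_password_reset("ann@example.net")                 # unconfirmed: no mail
    results.append(acc.confirm(next(iter(acc.pending))))
    acc.request_password_reset("ann@example.net")                 # confirmed: mail
    return results, [kind for _, kind, _ in outbox.sent]


if __name__ == "__main__":
    print(walkthrough())
```

The two checks are independent: Turnstile keeps automated sign-ups from being created at all, while the gate in `Outbox` means that even a sign-up that slips through can cost the address owner at most one verification email.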
Reflecting on this incident, we realized the need for proactive measures to prevent our platform from being exploited in such attacks. We have since improved our reporting systems to detect similar patterns earlier, ensuring our service remains secure and respectful of user privacy.
Key Concepts
Subscription bombing: An attack where bots use a victim's email address to sign up for numerous services, overwhelming the inbox with spam and obscuring important emails such as password resets.
Email verification: A process that confirms an email address is valid and belongs to the user attempting to register or perform actions on a platform, before any other mail is sent to it.
Category
Technology
Summarized by Mente