A couple of weeks ago, we noticed something odd on Suga. New users were signing up but not doing anything: they weren’t creating an org, a project, or a deployment, they were just leaving an account sitting there. Most new users interact with the product pretty quickly, and we report on activity stats to try to understand blockers, so even a small spike in completely inactive accounts stood out.
Then we looked at the names of the new users and saw entries like PfVQXvYTXjwSbEeJBjXYy and xXzMafkbPLjOaGgDaOGZjLx.
We checked Resend (our email service) and could see welcome emails going out and being delivered to these accounts. They were real email addresses, with garbage names… something was off.
What is subscription bombing?
Subscription bombing is an attack where someone uses bots to sign up a victim’s email address across hundreds or thousands of websites. The goal isn’t to get into the accounts being created, it’s to flood the victim’s inbox with so much noise that they can’t find the emails that actually matter.
While the victim is drowning in “Welcome to SaaS Product!” and “Verify your email for Newsletter You Never Asked For”, the attacker is doing something else: resetting the victim’s bank password, making purchases on their accounts, or signing up for credit cards in their name. The real security alerts and confirmation emails get buried in the noise.
The people running these attacks are stealing money and impersonating real people or businesses. Every sign-up form on the internet that accepts an arbitrary email address and sends mail to it without first verifying that the owner asked for it is a tool they can exploit.
How we spotted it
It started on March 12 with a single unusual sign-up, then over the next two days we saw another 2-3 per day, which was low enough to be noise. Honestly, our first thought was that someone was pen testing our service. That’s pretty common, something we’ve experienced with other products and, when it comes with responsible disclosure, something we appreciate, so it didn’t ring any alarm bells.
By March 14 we had 6 sign-ups matching the pattern, and we noticed something else in PostHog: unusually high page views and interactions on the forgot-password page. That fits the attack, since every password-reset request is one more email landing in the victim’s inbox. The combination of the two signals was enough to make us take a closer look.
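The two signals described above, random-looking display names on accounts that never touch the product and a jump in forgot-password traffic, can be turned into a simple daily check. The following is an added example, not Suga's code or anything from the original post: the sign-up records, the forgot-password view counts and the alert thresholds are all constructed for illustration, and the name heuristics (case flips, vowel ratio, consonant runs) are one reasonable choice, not the method the team used.

```python
# Added example: a daily check combining garbage-name detection with account inactivity
# and forgot-password page traffic. Not Suga's code; all data and thresholds are constructed.

VOWELS = set("aeiouAEIOU")


def name_features(name: str) -> dict:
    """Letter-level statistics that separate random strings from human names."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 2:
        # Too short to judge; return values that never trip the thresholds.
        return {"case_flips": 0.0, "vowel_ratio": 1.0, "consonant_run": 0}

    # Fraction of adjacent letter pairs that switch case ("Pf", "fV", "Xv", ...).
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in letters if c in VOWELS)

    # Longest run of consonants; resets on a vowel or on any non-letter (space, apostrophe).
    run = longest = 0
    for c in name:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0

    return {
        "case_flips": flips / (len(letters) - 1),
        "vowel_ratio": vowels / len(letters),
        "consonant_run": longest,
    }


def looks_random(name: str) -> bool:
    """True when at least two of three heuristics fire. Thresholds are illustrative."""
    f = name_features(name)
    hits = (
        (f["case_flips"] > 0.5)
        + (f["vowel_ratio"] < 0.25)
        + (f["consonant_run"] >= 5)
    )
    return hits >= 2


# Constructed sign-ups: (display name, month-day of sign-up, objects created afterwards).
# The two garbage names from the post are included; the rest are made up.
SIGNUPS = [
    ("Alice Chen",              "03-11", 2),
    ("Krzysztof Nowak",         "03-11", 1),  # real name that trips the letter heuristics
    ("PfVQXvYTXjwSbEeJBjXYy",   "03-12", 0),
    ("Bob O'Brien",             "03-12", 1),
    ("xXzMafkbPLjOaGgDaOGZjLx", "03-13", 0),
    ("qWrtZpLkMnBvCxZs",        "03-13", 0),
    ("Dana Ortiz",              "03-14", 0),  # inactive but human-looking: not flagged
    ("TkLpQwZxVbNmRsFg",        "03-14", 0),
    ("HjKlMnPqRsTvWx",          "03-14", 0),
    ("GfDsQwRtYpLkZxVb",        "03-14", 0),
]

# Constructed per-day views of the forgot-password page (the kind of count PostHog shows).
FORGOT_PASSWORD_VIEWS = {"03-11": 3, "03-12": 4, "03-13": 9, "03-14": 31}


def daily_report(signups, forgot_views):
    """Per day: total sign-ups, sign-ups pairing a random-looking name with zero
    activity, and forgot-password page views."""
    days = {day for _, day, _ in signups} | set(forgot_views)
    report = {
        day: {"signups": 0, "random_inactive": 0, "forgot_views": forgot_views.get(day, 0)}
        for day in days
    }
    for name, day, created in signups:
        report[day]["signups"] += 1
        # Both signals must agree: an odd-looking name that goes on to create a project is not flagged.
        if created == 0 and looks_random(name):
            report[day]["random_inactive"] += 1
    return report


def alert_days(report, min_random_inactive=2, min_forgot_views=20):
    """Days on which inactive garbage-name sign-ups and reset-page traffic both exceed baseline."""
    return sorted(
        day
        for day, e in report.items()
        if e["random_inactive"] >= min_random_inactive and e["forgot_views"] >= min_forgot_views
    )


if __name__ == "__main__":
    report = daily_report(SIGNUPS, FORGOT_PASSWORD_VIEWS)
    for day in sorted(report):
        print(day, report[day])
    print("alert on:", alert_days(report))
```

Two things worth noticing when running it. `looks_random("Krzysztof Nowak")` is True, because Polish spelling has long consonant runs and few vowels, so a name check on its own would have false positives for plenty of real users; requiring zero product activity as well keeps that account out of the report, which is why the alert is driven by the combination rather than by either signal alone. The thresholds (two of three heuristics, 2 flagged sign-ups, 20 reset-page views) are placeholders and should be set against your own baseline traffic.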