I see a support ticket on this, sharing here for the broader community:
The best strategy against this it to create segments to isolate these profiles and keep your lists clean. Here is a recommended segment definition:
Definitions for unengaged and list bombing profiles are basically the same:
If someone can or cannot receive marketing > Person can receive email marketing AND
What someone has done > Person has Received Email is at least 3 in the last 180 days AND
What someone has done > Person has Opened Email 0 times over all time AND
What someone has done > Person has Clicked Email 0 times over all time AND
What someone has done > Person has Placed Order 0 times over all time
Once you create the segment you can remove the profiles from your account, or suppress them. It's important to note that not all email list bombing profiles are obtained through malicious means. Some individuals may simply collect email addresses from public sources without malicious intent. However, even legitimate email lists can be misused for spam purposes. You are correct they can come from your website and they usually inject data directly to your data base. They are part of your active profiles but not part of your lists. That is why they are tagged as "Never subscribed". However, all active profiles are billable. Klaviyo has a system in place to prevent list bombing called the List Bombing IP Management. The purpose of this system is to flag or block specific IP addresses that are making a large number of form submissions or subscribe API calls within a short period of time. If you are being list bombed, this system would block IP addresses with a large number of initial subscribe requests to protect your account from further profile subscriptions. Note that the IP blocking only occurs after the attack has already started to protect your your account from further harm. This method of list bombing mitigation cannot prevent an attack entirely.
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.
Privacy Preference Center
Your Privacy
Strictly Necessary Cookies
Performance Cookies
Functional Cookies
Targeting Cookies
Site Analytics
Your Privacy
When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.
Privacy Notice
Strictly Necessary Cookies
Always Active
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
Functional Cookies
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Site Analytics
These cookies record your visit to our website, and are used to track your visit including information such as: web page interactions (clicks, hovers, focus, mouse movements, browsing, zooms and other interactions), referring web page/source through which you accessed the Sites, heatmaps and scrolls, screen resolution, ISP, and statistics associated with the interaction between device or browser and the Sites. If you are accessing our Services with a European IP address, you have been asked to consent to the use of these cookies (you are free to deny your consent).