Hi @s0lid,
I see a support ticket on this, sharing here for the broader community:
The best strategy against this is to create segments to isolate these profiles and keep your lists clean. Here is a recommended segment definition:
Definitions for unengaged and list bombing profiles are basically the same:
- If someone can or cannot receive marketing > Person can receive email marketing AND
- What someone has done > Person has Received Email is at least 3 in the last 180 days AND
- What someone has done > Person has Opened Email 0 times over all time AND
- What someone has done > Person has Clicked Email 0 times over all time AND
- What someone has done > Person has Placed Order 0 times over all time
Once you create the segment you can remove the profiles from your account, or suppress them.
It's important to note that not all email list bombing profiles are obtained through malicious means. Some individuals may simply collect email addresses from public sources without malicious intent. However, even legitimate email lists can be misused for spam purposes.
You are correct: they can come from your website, and they usually inject data directly into your database. They are part of your active profiles but not part of your lists. That is why they are tagged as "Never subscribed". However, all active profiles are billable.
Klaviyo has a system in place to prevent list bombing called the List Bombing IP Management. The purpose of this system is to flag or block specific IP addresses that are making a large number of form submissions or subscribe API calls within a short period of time. If you are being list bombed, this system would block IP addresses with a large number of initial subscribe requests to protect your account from further profile subscriptions. Note that the IP blocking only occurs after the attack has already started, to protect your account from further harm. This method of list bombing mitigation cannot prevent an attack entirely.
You can find more information in our resources:
I hope this helps!
~Chloe
Hello @s0lid, Klaviyo forms do not support custom validations.
There are only 2 options:
- Write a custom JavaScript function to check if the email input uses +
- Create a segment of customers who are using + in their email and then suppress them. The drawback is that you will have data in Klaviyo
Hey @Maxbuzz, thanks for answering. Does this mean I’m going to create my own opt-in form and use Klaviyo API to write the data?
Hello @s0lid, no, you can use the existing form, but you will have to write some code for the existing form to accept emails without the + symbol.
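
Added example, not part of the thread and not Klaviyo code: the segment definition and the "+" check discussed above, applied to a batch of profile records to decide which ones to suppress. The record field names, the sample profiles, and the helpers `plusBase`, `matchesSegment` and `triage` are assumptions made for illustration; the per-mailbox `variants` count goes slightly beyond the thread by showing how many "+tag" profiles share one underlying mailbox.

```javascript
// Field names and sample records are constructed, not Klaviyo's export schema.
const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = Date.parse("2024-06-30"); // fixed "today" so the result is reproducible

const PROFILES = [
  { email: "shopper@example.com", canReceiveMarketing: true, opened: 2, clicked: 1, orders: 1,
    receivedAt: ["2024-05-01", "2024-05-15", "2024-06-01"] },
  { email: "mailbox+x91@example.com", canReceiveMarketing: true, opened: 0, clicked: 0, orders: 0,
    receivedAt: ["2024-06-01", "2024-06-10", "2024-06-20"] },
  { email: "Mailbox+x92@example.com", canReceiveMarketing: true, opened: 0, clicked: 0, orders: 0,
    receivedAt: ["2024-06-20"] },
  { email: "quiet@example.com", canReceiveMarketing: true, opened: 0, clicked: 0, orders: 0,
    receivedAt: ["2023-01-01", "2023-02-01", "2024-06-01"] }, // only 1 send inside 180 days
  { email: "old@example.com", canReceiveMarketing: true, opened: 0, clicked: 0, orders: 0,
    receivedAt: ["2024-03-01", "2024-04-01", "2024-05-01", "2024-06-01"] },
];

// Returns the mailbox without its "+tag" (lower-cased), or null when the
// local part has no "+". The same check can back a form-side validation.
function plusBase(email) {
  const at = email.lastIndexOf("@");
  const plus = email.indexOf("+");
  if (at < 1 || plus === -1 || plus > at) return null;
  return (email.slice(0, plus) + email.slice(at)).toLowerCase();
}

// The thread's segment: can receive marketing, at least 3 emails received in the
// last 180 days, and zero opens, clicks and orders over all time.
function matchesSegment(p, now) {
  const recent = p.receivedAt.filter((d) => now - Date.parse(d) <= 180 * DAY_MS).length;
  return p.canReceiveMarketing && recent >= 3 &&
    p.opened === 0 && p.clicked === 0 && p.orders === 0;
}

function triage(profiles, now = NOW) {
  const variants = new Map(); // base mailbox -> number of "+tag" profiles seen
  for (const p of profiles) {
    const base = plusBase(p.email);
    if (base) variants.set(base, (variants.get(base) || 0) + 1);
  }
  return profiles.map((p) => {
    const base = plusBase(p.email);
    const reasons = [];
    if (matchesSegment(p, now)) reasons.push("segment");
    if (base) reasons.push("plus-address");
    return { email: p.email, reasons, variants: base ? variants.get(base) : 0 };
  });
}

console.log(JSON.stringify(triage(PROFILES), null, 2));
```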