How to Survive an Email Bomb Attack

It is a Monday morning. You have grabbed your morning coffee, sat at your desk, and switched on your work computer. You open your work email only to find that you’ve been bombarded with countless “Thank you for your subscription” emails in all different languages. But here’s the puzzling thing – you never signed up for any of them (and you should not use your work email to subscribe to these things in the first place)! What’s happening?!

Well, if this has happened to you before, then I am sad to tell you that you are a victim of email bombing.

Now, if your mind suddenly went blank or you are subconsciously scratching your head about what email bombing is, let me break it down for you.


What is email bombing?

An email bombing is an attack on your inbox that involves sending massive amounts of messages to your address. Hackers enable bots that use your email to sign up for subscriptions to online sites like foreign email newsletters that don’t require CAPTCHA answers or a two-step opt-in process. Each will send you a confirmation email asking to confirm your address. As these unwanted subscriptions are processed, the victim’s inbox gets bombarded with notification emails.

The term “email bombing” can also refer to flooding an email server with so many emails that it is overwhelmed and brought down, but that’s not the goal here. I mean, it would be challenging to bring down modern email accounts that use Microsoft or Google’s email servers, anyway. Instead, the onslaught of messages is a distraction to hide the attacker’s true intentions.


Why is this happening to you?

An email bombing is often a distraction from the real damage: it floods your inbox and buries any important or relevant emails about what’s going on under a mountain of useless ones. By the time the attacker stops sending wave after wave of email, it may be too late to undo the damage.

For instance, an attacker may have gained access to one of your accounts on an online shopping website like Amazon and ordered expensive products for themselves. The email bombing floods your email inbox with irrelevant emails, burying the purchase and shipping confirmation emails so you won’t notice them. Similarly, if you own a domain, the attacker may be attempting to transfer it away; and if an attacker has gained access to your bank account or an account on another financial service, they might be trying to hide confirmation emails for financial transactions as well.

However, an email bombing may also be used to gain control of your email address. If you have a coveted address—something straightforward with few symbols and a real name, for instance—the entire point may be to frustrate you until you abandon the address. Once you give up the email address, the attacker can take it over and use it for their purposes.


How to spot an email bomb?

Besides the incredible volume of emails that will arrive in one day, there are a few other indicators hidden within these suspicious emails:

  • The senders are all different and likely come from various free mail providers
  • The IP addresses are all different and often from many different countries
  • The content of the emails often contains some randomized words or gibberish
  • The emails don’t contain any links, graphics, or ads
  • The emails arrive at a furious rate and then suddenly stop. This is because hackers will deploy the bots and fire off the emails right before the real attack occurs. After completing their illegal activity, they’ll shut it down and move on to another mark
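
The volume, sender-diversity and burst indicators above can be checked mechanically. The following is an added example, not code from the original article: it slides a time window over message arrival times and reports when the burst began, so that everything received from that point on can be reviewed for buried notices. The thresholds, keyword list and sample data are assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta
from email.utils import parseaddr

# Thresholds are assumptions for this example; tune them to the mailbox.
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 30          # sign-up style messages inside the window
MIN_DOMAINS = 20           # distinct sender domains inside the window
SIGNUP_WORDS = ("subscri", "confirm", "newsletter", "welcome", "verify")

def sender_domain(from_header):
    """Lower-cased domain of a From header, or '' if there is none."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def find_bomb_start(messages):
    """messages: (received_at, from_header, subject) tuples sorted by time.
    Returns the arrival time of the first message in the burst, or None."""
    window = deque()
    for received_at, from_header, subject in messages:
        if not any(w in subject.lower() for w in SIGNUP_WORDS):
            continue  # ordinary mail does not count towards the burst
        window.append((received_at, sender_domain(from_header)))
        while received_at - window[0][0] > WINDOW:
            window.popleft()  # drop messages older than the window
        domains = {d for _, d in window if d}
        if len(window) >= MIN_MESSAGES and len(domains) >= MIN_DOMAINS:
            return window[0][0]
    return None

def constructed_sample():
    """Constructed data: three ordinary mails, then 40 sign-up mails 10 s apart."""
    t0 = datetime(2024, 1, 8, 9, 0, 0)
    normal = [(t0 - timedelta(hours=h), "Alice <alice@corp.example>", "Weekly report")
              for h in (3, 2, 1)]
    flood = [(t0 + timedelta(seconds=10 * i), f"News <no-reply@list{i}.example>",
              "Please confirm your subscription") for i in range(40)]
    return sorted(normal + flood)

if __name__ == "__main__":
    print("burst began at:", find_bomb_start(constructed_sample()))
```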

How to avoid being used for an attack

To avoid unwitting participation in an email bombing and prevent bots from using your service, implement CAPTCHA on your website’s subscription forms. And make sure to send opt-in emails to new subscribers to prevent unwanted emails.
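
A sketch of the server-side gate this describes, as an added example that is not from the original article: no mail is sent unless the CAPTCHA check passed, each address receives at most one confirmation mail per interval, and nothing is subscribed until a signed, expiring token comes back. The class name, the `captcha_ok` flag (assumed to come from your CAPTCHA provider's verification), the key and the intervals are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # placeholder; load a real key from secure storage
TOKEN_TTL = 24 * 3600              # assumed: confirmation links expire after a day
RESEND_INTERVAL = 3600             # assumed: one confirmation mail per address per hour

class SignupService:
    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail   # callable(address, token), supplied by the caller
        self.now = now
        self.last_sent = {}          # address -> time of last confirmation mail
        self.subscribers = set()     # only confirmed addresses ever land here

    def _sign(self, address, expires):
        msg = f"{address}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request(self, address, captcha_ok):
        address = address.strip().lower()
        if not captcha_ok:
            return "rejected"        # bots stop here; no mail leaves the server
        last = self.last_sent.get(address)
        if last is not None and self.now() - last < RESEND_INTERVAL:
            return "throttled"       # repeated sign-ups cannot flood one inbox
        expires = int(self.now()) + TOKEN_TTL
        self.last_sent[address] = self.now()
        self.send_mail(address, f"{expires}.{self._sign(address, expires)}")
        return "confirmation_sent"

    def confirm(self, address, token):
        address = address.strip().lower()
        expires, _, sig = token.partition(".")
        if not (expires.isascii() and expires.isdigit()) or int(expires) < self.now():
            return False             # malformed or expired token
        expected = self._sign(address, int(expires))
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False             # token was not issued for this address
        self.subscribers.add(address)
        return True

if __name__ == "__main__":
    sent = []
    svc = SignupService(lambda a, t: sent.append((a, t)))
    print(svc.request("user@example.com", captcha_ok=True), svc.confirm(*sent[0]))
```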

Attackers compile lists of vulnerable websites and sometimes even advertise how often these lists are updated. Anyone can do a quick online search to find sellers and marketplaces that will email bomb a particular email address for a low fee.


So what do you do when you get email bombed?


#1: Lock down your accounts

If you find yourself the victim of an email bombing, the first thing to do is check and lock down your accounts. Log into any online shopping accounts, like Amazon, and check for recent orders. If you see an order that you didn’t place, contact the shopping website’s customer support immediately.


#2: Check your “archives”

You may want to take this a step further. On Amazon, it’s possible to “archive” orders and hide them from the normal order list. One Reddit user discovered an email from Amazon confirming an order for five graphics cards with a total value of $1000 buried in an onslaught of incoming email. When they went to cancel the order, they couldn’t find it. The attacker had archived the Amazon order, hoping that’d help it go undetected.

You can check for archived Amazon orders by going to Amazon’s Your Account page and clicking on “Archived Orders” under “Ordering and shopping preferences.”


#3: Remove all payment options from online sites

While you’re checking your shopping accounts, it would be wise to remove your payment options entirely. If the perpetrator is still waiting to break into your account and order something, they won’t be able to.


#4: Check your bank and credit card accounts for unusual activities

After you’ve checked every site where you’ve provided payment information, double-check your bank and credit card accounts and look for any unusual activity. You should also contact your financial institutions and make them aware of the situation. They may be able to lock down your account and help you find any unusual activity. If you own any domains, you should contact your domain provider and ask for help locking down the domain so it can’t be transferred away.


#5: Change your passwords

If you discover an attacker has gained access to one of your accounts on a website, you should change your password on that website. Make sure you use strong, unique passwords for all your important online accounts. A password manager will help. If you can manage it, you should set up two-factor authentication for every site that offers it. This will ensure attackers can’t gain access to an account, even if they somehow get that account’s password.


#6: Secure your email

Now that you’ve secured your various accounts, it’s time to deal with your email. Here’s what you can do:

  • When an email bomb attack is in progress, it’s essential to avoid mass deletion and use email rules to filter spam instead. And before deleting any emails, look for signs of suspicious activity, such as unauthorized withdrawal notices or purchase confirmation emails, that may get buried in the onslaught
  • Inboxes that are critical to your organization should use failover services and notifications to protect against the deletion of important emails
  • A bulk mail filter can help stop subscription-based emails from landing in the inbox. Simply add the newsletters that you want to your approved senders list
  • Custom spam filters can also be used to block emails that contain words like “confirmation,” “subscription,” or “confirm.” You’ll need to double-check that any valid emails that contain these words aren’t also blocked
  • Make sure that online passwords are changed and that all of your organization’s online accounts are secured with multi-factor authentication
  • Ensure email delivery software is up-to-date, patched, and includes antivirus capabilities.
  • Employ “tarpitting” to block or slow traffic from a sending IP address if the traffic from that address exceeds a predefined threshold (e.g. greater than ten emails per minute)
  • Consider blocking file attachments used in email bomb attacks, such as .zip, .7zip, .exe, and .rar
  • Limit the maximum email attachment file size
  • Ensure out-of-office, bounce back, and other automatic messages are only sent once to prevent an endless loop of recurring automatic replies
  • Where possible, limit send permissions so that only internal and authorized users may send to distribution lists
  • Avoid posting plain text email addresses online as attackers are able to scrape web pages for email addresses to target them for spam campaigns
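
The filtering advice above has one trap: a rule that blocks “confirmation” also hides the order confirmation the attacker wants buried. The following added example (not from the original article) shows a triage rule that checks for purchase and account notices first and quarantines the rest instead of deleting it. The keyword lists, the use of the `List-Unsubscribe` header as a newsletter signal, and the sample messages are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Checked first, so "Your order confirmation" is never filed as sign-up noise.
REVIEW = re.compile(r"\b(order|shipp|dispatch|payment|receipt|invoice|refund|"
                    r"password|security alert|transfer|withdrawal)", re.I)
NOISE = re.compile(r"\b(subscri|newsletter|confirm|welcome|verify)", re.I)

def triage(raw_message, approved_senders=frozenset()):
    """Return 'review', 'quarantine' or 'inbox' for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if REVIEW.search(subject):
        return "review"        # possible purchase or account change: a human looks
    if sender in approved_senders:
        return "inbox"         # newsletters the user actually wants
    if NOISE.search(subject) or msg.get("List-Unsubscribe"):
        return "quarantine"    # moved aside, never deleted
    return "inbox"

SAMPLES = [  # constructed messages, not real mail
    "From: Shop <orders@shop.example>\nSubject: Your order confirmation #000\n\nbody",
    "From: N <no-reply@list1.example>\nSubject: Please confirm your subscription\n\nbody",
    "From: N <no-reply@list2.example>\nSubject: Willkommen!\n"
    "List-Unsubscribe: <mailto:u@list2.example>\n\nbody",
    "From: Alice <alice@corp.example>\nSubject: Lunch?\n\nbody",
    "From: News <digest@wanted.example>\nSubject: Your weekly newsletter\n\nbody",
]

def triage_samples():
    approved = frozenset({"digest@wanted.example"})
    return [triage(raw, approved) for raw in SAMPLES]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLES, triage_samples()):
        print(verdict.ljust(10), raw.splitlines()[1])
```

The review check runs before the approved-sender check because a From header can be forged; a message that looks like a purchase notice always reaches a human.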


eVantage Technology is a professional and trusted IT solutions provider, dedicated to providing exceptional service to companies in Singapore and across Asia.