How to Survive an Email Bomb Attack
by Rick Kuwahara CMO of Paubox
Bombarded by thousands of unsolicited subscription confirmation emails in your inbox? Your organization may be experiencing an email bomb attack.
This type of attack is difficult to defend against because the attacker uses automated bots to subscribe a victim’s email address to multiple lists per second, including forums and message boards, newsletters, retail mailing lists, and other everyday communications.
Beyond the initial strike, a steady and annoying stream of unwanted emails can keep arriving even years after the attack.
To add insult to injury, other attackers will add the victim to additional spam, phishing, and malware lists.
What is an email bomb?
An email bomb is a denial of service attack (DDoS) against an email server, designed to make email accounts unusable or cause network downtime. Email bombs started in the late 1990s with high-profile cases such as the cyber attack on Langley Air Force Base in Virginia.
Historically, journalists have found themselves the target of email bombing campaigns in retribution for critical stories. Anyone can be a victim though, including government officials, policymakers, emergency coordinators, healthcare providers, and many others.
Today’s email bombs are more sophisticated and can overwhelm most spam filters. This can devastate employees’ email inboxes and disrupt an organization’s ability to communicate.
How an email bomb works
To initiate an email bomb, an attacker uses simple scripts that submit the victim’s email address to thousands of subscription registration forms on unprotected websites (such as those without CAPTCHA or opt-in email). Since these are benign websites they are categorized by spam filters as legitimate, safe messages.
Email bombing may be used to hide important notices about account activity from victims in order to make fraudulent online transactions. Spamming the inbox distracts from the real damage that’s going on behind the scenes.
Attackers have been known to gain access to online shopping accounts and purchase expensive products, make fraudulent transactions on victims’ financial accounts, and harass domain owners into abandoning their email addresses by rendering them useless.
How to prepare for email bomb attacks
An email bomb attack is almost impossible to prevent because any user with a valid email address can spam any other valid email address. However, there are important ways your organization can prepare for an attack.
The Center for Internet Security (CIS) recommends following the guidelines below:
- Ensure email delivery software is up-to-date, patched, and includes antivirus capabilities.
- Employ “tarpitting” to block or slow traffic from a sending IP address if the traffic from that address exceeds a predefined threshold (e.g. greater than ten emails per minute).
- Consider blocking file attachments used in email bomb attacks, such as .zip, .7zip, .exe, and .rar.
- Limit the maximum email attachment file size.
- Ensure out-of-office, bounce back, and other automatic messages are only sent once to prevent an endless loop of recurring automatic replies.
- Where possible, limit send permissions so that only internal and authorized users may send to distribution lists.
- Avoid posting plain text email addresses online as attackers are able to scrape web pages for email addresses to target them for spam campaigns.
What to do during an email bombing
When an email bomb attack is in process, it’s essential to avoid mass deletion and use email rules to filter spam instead.
Inboxes that are critical to your organization should use failover services and notifications to protect against the deletion of important emails.
A bulk mail filter can help stop subscription-based emails from landing in the inbox. Simply add the newsletters that you want to your Approved Senders list.
Custom spam filters can also be used to block emails that contain words like “confirmation”, “subscription” or “confirm”. You’ll need to double-check that any valid emails that contain these words aren’t also blocked.
Make sure that online passwords are changed and that all of your organization’s online accounts are secured with multi-factor authentication.
Before deleting any emails, look for suspicious activity such as unauthorized withdrawals or purchase confirmation emails that may get buried in the onslaught.
Recently, it has been reported that attackers have even used the “archive” feature of Amazon to hide fraudulent purchases.
How to avoid being used for an attack
To avoid unwitting participation in an email bombing and prevent bots from using your service, implement CAPTCHA on your website’s subscription forms. And make sure to send opt-in emails to new subscribers to prevent unwanted emails.
Attackers compile lists of vulnerable websites and sometimes even advertise how often these lists are updated. Anyone can do a quick online search to find sellers and marketplaces that will email bomb a particular email address for a reasonable fee.
Some of the best ways to enhance your organization’s email security are through working with an inbound security and email encryption provider and instituting employee cybersecurity training to safeguard your organization’s data.
HITRUST CSF certified third-party services like Paubox Inbound Security can block email threats before they reach your organization’s inbox with advanced features like patent-pending ExecProtect.