Email bombing, also known as email flooding or email spamming, is a malicious practice in which a large volume of emails is sent to a single email address or a mail server to overwhelm the recipient's inbox or cause disruption to the email service. These attacks happen when “a botnet (a single actor or group of actors) flood an e-mail address or server with hundreds to thousands of e-mail messages,” explains the HHS.
According to a publication by the Software Engineering Institute (SEI) at Carnegie Mellon University, “the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources.” The publication also notes that multiple accounts at the target site “may be abused, increasing the denial of service impact.”
Understanding email bombing
An email bomb attack is a denial-of-service (DoS) attack against an email server or an individual mailbox. A DoS attack occurs when an attacker overwhelms a system, network, or service with excessive traffic or requests, preventing legitimate users from accessing it. Instead of stealing data directly, the goal is to disrupt normal operations by exhausting system resources.
Email bombing “allows attackers to bury legitimate transaction and security messages in an unsuspecting inbox by rendering the victim’s mailbox useless,” says the HHS. The goal is to disrupt communication, inconvenience the recipient, or potentially cause harm. The target finds it difficult or impossible to use their email account effectively due to the large volume of incoming messages. As HHS notes, “By overloading a victim’s inbox, attackers hope that a victim will miss important e-mails like account sign-in attempts, updates to contact information, financial transaction details, or online order confirmations.”
Related: How to survive an email bomb attack
Types of email bombing
Email bombing can take several forms depending on the attacker’s goal and the technical method used. A study published on ScienceDirect, SubStop: An analysis on subscription email bombing attack and machine learning based mitigation, identifies several common techniques used to carry out such attacks:
Mass mailing attacks
Mass mailing is one of the simplest forms of email bombing. In this method, attackers repeatedly send large numbers of identical emails to a victim’s address. The goal is to flood the inbox with thousands of duplicate messages, making it difficult for the recipient to identify legitimate communications.
Attackers often automate this process using scripts or bot networks that can generate large volumes of emails in a short time. Because each message may appear relatively normal, traditional spam filters may struggle to block them quickly enough when they arrive in large bursts. According to the article, “A mass mailing attack which is able to take down email servers are handled by the email providers by employing tarpitting or other sophisticated methods they can afford.”
ZIP bombing
ZIP bombing involves sending emails with compressed attachments that contain extremely large amounts of data when decompressed. These attachments may appear small initially but expand dramatically once opened or scanned.
Mail servers and filtering gateways typically decompress and scan attachments for malicious content, and ZIP bombs target that inspection step: the scanner has to spend significant processing power, memory, and disk space inflating the archive before it can classify the message. The article notes that “this attack places text files as zip attachments with millions and billions of characters and hence require the spamming filter to utilize a large amount of its processing power in detecting the spam emails.” As a result, the attack can consume server resources and slow down or disrupt email services.
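As an added example (not code from the article, the SubStop study, or Paubox), the following Python shows how an attachment scanner can refuse a ZIP bomb before inflating it. It reads the declared sizes from the archive's central directory and flags an excessive total size, an extreme compression ratio, or a nested archive; because those declared sizes are written by the sender and cannot be trusted, it also caps the bytes actually produced during decompression. The 50 MiB limit and 100:1 ratio threshold are assumed policy values, and both sample archives are constructed inside the block.

```python
"""Pre-extraction ZIP bomb check for a mail attachment scanner.

Added example, not code from the article or from Paubox.
Layer 1 reads the central directory only (nothing is inflated).
Layer 2 caps real output bytes during inflation, because the declared
sizes in the central directory are attacker-controlled metadata.
"""
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB per attachment (assumed policy)
MAX_RATIO = 100.0                          # office documents rarely exceed ~10:1


def inspect_zip(data: bytes) -> dict:
    """Summarise declared sizes from the central directory without inflating."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        declared = sum(i.file_size for i in infos)
        nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    ratio = declared / compressed if compressed else float("inf")
    return {"members": len(infos), "compressed": compressed,
            "declared": declared, "ratio": ratio, "nested_zips": nested}


def is_suspicious(data: bytes) -> bool:
    """Reject before spending CPU: huge declared size, extreme ratio, or a
    nested archive (the recursive construction used by classic bombs)."""
    meta = inspect_zip(data)
    return (meta["declared"] > MAX_TOTAL_UNCOMPRESSED
            or meta["ratio"] > MAX_RATIO
            or bool(meta["nested_zips"]))


def inflate_with_cap(data: bytes, limit: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Inflate every member in 64 KiB chunks and abort once `limit` real bytes
    have been produced in total, whatever the headers claimed."""
    out, produced = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = io.BytesIO()
            with zf.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    produced += len(chunk)
                    if produced > limit:
                        raise ValueError(f"{info.filename}: exceeded {limit} bytes during inflation")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out


def inflates_within(data: bytes, limit: int) -> bool:
    """True if the archive inflates completely under `limit`, False if the cap fires."""
    try:
        inflate_with_cap(data, limit)
        return True
    except ValueError:
        return False


def build_zip(members: dict) -> bytes:
    """Build a deflate-compressed archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a normal attachment, and 16 MiB of zeros that deflate
# shrinks to roughly 16 KiB (about a 1000:1 ratio).
BENIGN = build_zip({"visit_summary.txt":
                    b"Follow-up visit booked for next Tuesday; bring the updated medication list.\n"})
BOMB = build_zip({"notes.txt": b"\0" * (16 * 1024 * 1024)})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("bomb", BOMB)):
        meta = inspect_zip(blob)
        print(f"{name}: declared={meta['declared']} compressed={meta['compressed']} "
              f"ratio={meta['ratio']:.0f} suspicious={is_suspicious(blob)}")
```

The first layer costs only a read of the central directory, so it can run on every attachment; the second layer is what protects you when a bomb's headers under-report its size, and the same cap should be applied recursively if your scanner opens archives found inside archives.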
Subscription bombing
Subscription bombing, also known as link-list email bombing, is described in the study as the “most vicious form of an email bomb attack.” In this attack, the attacker signs the victim’s email address up for hundreds or even thousands of newsletters, mailing lists, and online services.
The victim then receives a flood of legitimate subscription confirmation emails and welcome messages from various organizations. Because these emails originate from real services, they often bypass spam filters and appear legitimate, making them difficult to block automatically.
In many cases, attackers use subscription bombing as a distraction. By overwhelming the inbox with legitimate-looking messages, they can hide important notifications, such as password reset alerts or fraudulent transaction confirmations, within the flood of emails.
How email bombing threatens HIPAA compliance
Health Insurance Portability and Accountability Act (HIPAA) regulations mandate the protection of patients' sensitive health information and require stringent security measures. Email bombing can jeopardize HIPAA compliance in several ways:
- Exposure of protected health information (PHI): Email bombing can contribute to PHI exposure. When an inbox is buried in junk, genuine patient-related messages are hard to find, and so are the security notifications (sign-in alerts, password resets, changes to contact details) that would reveal an account takeover. A compromise that goes unnoticed because its warning signs were buried can end in a reportable breach under HIPAA.
- Email service disruption: Overloading a mailbox or mail server with an excessive volume of email can make it impossible for healthcare staff to reach patient information delivered by email. This downtime can disrupt patient care and delay communications that HIPAA requires to be timely.
- Patient privacy concerns: Patients trust healthcare providers to safeguard their sensitive information. Email bombing incidents can erode that trust and raise privacy concerns, and the missed messages behind them can lead to HIPAA compliance failures.
Read also: What are the consequences of not complying with HIPAA?
Preventing email bombing
Completely preventing email bombing attacks can be difficult, but organizations can reduce their impact and improve detection by implementing strong email infrastructure controls and monitoring systems. Guidance from the Software Engineering Institute at Carnegie Mellon University identifies practical measures organizations can use to limit the damage caused by these attacks.
Restrict inbound email traffic to dedicated servers
Organizations can limit where email enters the network. The guidance recommends configuring firewalls so that external email traffic is directed only to specific mail servers: “SMTP connections from outside the organization are only allowed to connect to designated mail exchangers or central mail hubs.” Funnelling inbound mail through a few designated hosts makes it easier to monitor incoming messages and to apply filtering controls in one place, rather than on every host that happens to run a mail service.
Use mailbox quotas to prevent system overload
Another effective measure is implementing mailbox size limits. According to the guidance, administrators should configure their systems so that “individual users cannot consume all available disk space.” Enforcing mailbox quotas (and per-message size limits) stops a single email bombing attack from filling the mail store and disrupting service for every other user. Note what a quota does not do: once the targeted mailbox is full, legitimate mail to that user bounces too, so quotas protect the server and must be paired with filtering to protect the victim.
Improve monitoring and logging systems
Strong monitoring capabilities also help detect attacks early. The report recommends increasing logging and monitoring so administrators can identify abnormal email activity. Systems should detect patterns such as a large number of messages arriving from a single source within a short timeframe, or a sudden surge of messages to a single recipient, so administrators can filter or discard suspicious mail more quickly.
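The following Python is an added example (not code from the article, the SEI guidance, or Paubox) of the monitoring this section describes, run over a constructed gateway log. It implements two detectors: the single-source burst the SEI guidance calls out (mass mailing), and the subscription-bombing pattern from the earlier section, where every individual sender looks legitimate and only the aggregate per recipient (volume, number of distinct sender domains, share of confirmation-style subjects) is abnormal. The log format, IP addresses, domains, and thresholds are constructed for illustration; the regex would need adapting to a real MTA's log format.

```python
"""Detect mass-mailing and subscription-bombing patterns in gateway logs.

Added example, not code from the article, the SEI guidance or Paubox.
Log format, addresses, domains and thresholds are constructed; adapt
LOG_RE to the MTA you actually run.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One delivery record per line (constructed format, loosely modelled on MTA logs).
LOG_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) from=(?P<sender>\S+) '
                    r'to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$')
# Prefixes typical of the confirmation/welcome mail a subscription bomb produces.
CONFIRM_RE = re.compile(r"\b(confirm|verif|welcome|subscri|activat)", re.I)


def parse(lines):
    """Parse delivery records, skipping other lines; returns events sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["domain"] = e["sender"].rsplit("@", 1)[-1].lower()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def sliding_windows(events, key, window):
    """For each value of `key`, yield the events inside every trailing window
    of length `window` (two-pointer sweep, linear in the number of events)."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e[key]].append(e)
    for k, evs in grouped.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            yield k, evs[start:end + 1]


def source_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Mass-mailing signal: many messages from one source IP in a short window.
    Returns {src: peak count in any window}."""
    flagged = {}
    for src, evs in sliding_windows(events, "src", window):
        if len(evs) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(evs))
    return flagged


def subscription_bombs(events, window=timedelta(minutes=5), min_msgs=15,
                       min_domains=10, min_confirm_ratio=0.6):
    """Subscription-bomb signal: one recipient, many distinct sender domains,
    mostly confirmation-style subjects. Sender reputation sees nothing wrong
    with any single message here; only the aggregate per recipient stands out."""
    flagged = {}
    for rcpt, evs in sliding_windows(events, "rcpt", window):
        if len(evs) < min_msgs:
            continue
        domains = {e["domain"] for e in evs}
        ratio = sum(bool(CONFIRM_RE.search(e["subject"])) for e in evs) / len(evs)
        if len(domains) >= min_domains and ratio >= min_confirm_ratio:
            if rcpt not in flagged or len(evs) > flagged[rcpt]["messages"]:
                flagged[rcpt] = {"messages": len(evs), "domains": len(domains),
                                 "confirm_ratio": round(ratio, 2)}
    return flagged


def log_line(ts, src, sender, rcpt, subject):
    return (f'{ts.strftime("%Y-%m-%dT%H:%M:%SZ")} src={src} from={sender} '
            f'to={rcpt} subject="{subject}"')


# Constructed sample log: normal traffic, one mass-mailing burst (25 messages
# from one IP in 25 s), one subscription bomb (18 confirmations from 18
# services to one mailbox in under 4 min), and a line the parser must ignore.
T0 = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [log_line(T0 + timedelta(minutes=12 * i), "198.51.100.5", f"dr{i}@partner.example",
                       "frontdesk@clinic.example", "Referral paperwork") for i in range(5)]
SAMPLE_LOG += [log_line(T0 + timedelta(seconds=i), "203.0.113.9", "noreply@flood.example",
                        "nurse@clinic.example", "URGENT") for i in range(25)]
SAMPLE_LOG += [log_line(T0 + timedelta(seconds=13 * i), f"192.0.2.{i + 1}",
                        f"hello@newsletter{i}.example", "billing@clinic.example",
                        "Welcome! Please confirm your subscription" if i % 3
                        else "Verify your email address") for i in range(18)]
SAMPLE_LOG.append("2024-05-02T10:03:00Z gateway restarted")

EVENTS = parse(SAMPLE_LOG)

if __name__ == "__main__":
    print("source bursts:", source_bursts(EVENTS))
    print("subscription bombs:", subscription_bombs(EVENTS))
```

The two detectors key on different fields for a reason: a mass-mailing flood concentrates on the sending side, so an IP-based rate limit or tarpit stops it, while a subscription bomb is spread over hundreds of reputable senders and only shows up when you group by recipient. Thresholds should be tuned against your own baseline traffic before anything is auto-discarded; a conservative first action is to alert and quarantine the targeted mailbox's confirmation-style mail rather than drop it.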
Keep email infrastructure up-to-date
Maintaining updated email software is another key defense. Regularly updating mail transfer agents and server software helps organizations address known vulnerabilities and improve security features that can identify unusual traffic patterns associated with email bombing attempts.
Encourage early reporting of unusual email activity
Employees should be encouraged to report unusual email activity, such as sudden surges of incoming messages, to IT teams immediately. Early detection can help administrators investigate the incident and apply filtering rules before the attack escalates.
How Paubox prevents email bombing attacks
Paubox’s inbound email security offers multiple layers of protection against email bombing, including:
- AI-driven anomaly detection to identify unusual email patterns
- Sender validation and reputation checks to authenticate domains and mail servers
- Advanced spam filtering that combines AI with traditional methods to classify and flag suspicious emails
- Quarantine management for isolating potential threats
- Customizable blocking rules with geofencing to prevent emails from specific domains or regions known for spam
These features collectively aim to reduce the risk of inbox flooding from malicious emails.
Related: HIPAA Compliant Email: The Definitive Guide
FAQs
Can spam filters stop email bombing completely?
Spam filters block many malicious messages, but they often miss subscription-based email bombing because each message comes from a legitimate service with a good sender reputation. The attack is visible only in the aggregate, in the volume and sender diversity arriving at one mailbox, so organizations should combine spam filtering with monitoring tools and email security platforms.
Why is email still a major cybersecurity risk?
Email remains one of the most widely used communication tools in organizations, making it a common target for attackers. Cybercriminals exploit email for phishing, malware distribution, account compromise, and attacks such as email bombing because it often provides a direct path to users.
How can IT teams respond quickly to an email bombing attack?
IT teams can respond by analyzing email headers, blocking suspicious domains or IP addresses, enabling temporary filtering rules, and monitoring incoming traffic. Quick action helps prevent the attack from overwhelming the entire email system.
