How to survive an email bomb attack

Updated 9/7/22

Bombarded by thousands of unsolicited subscription confirmation emails in your inbox? Your organization may be experiencing an email bomb attack. Read on to learn how to survive an email bomb attack.

This type of email attack is difficult to defend against because the attacker uses automated bots to subscribe a victim’s email address to multiple lists per second, including forums and message boards, newsletters, retail mailing lists, and other everyday communications. Surviving an email bomb attack is a special concern for sectors that are experiencing drastic spikes in ransomware attacks, like healthcare.

Beyond the initial strike, a steady and annoying stream of unwanted emails can keep arriving even years after the attack. To add insult to injury, other attackers will add the victim to additional spam, phishing, and malware lists. For sectors such as healthcare especially, it is critical to keep email HIPAA compliant and secure.

Additional Reading: HIPAA Compliant Email: The Definitive Guide

What is an email bomb?

An email bomb is a denial-of-service (DoS) attack against an email server, designed to make email accounts unusable or cause network downtime. Email bombs started in the late 1990s with high-profile cases such as the cyber attack on Langley Air Force Base in Virginia.

Historically, journalists have found themselves the target of email bombing campaigns in retribution for critical stories. Anyone can be a victim though, including government officials, policymakers, emergency coordinators, healthcare providers, and many others.    

Today’s email bombs are more sophisticated and can overwhelm most spam filters. This can devastate employees’ email inboxes and disrupt an organization’s ability to communicate.

How an email bomb works

To initiate an email bomb, an attacker uses simple scripts that submit the victim’s email address to thousands of subscription registration forms on unprotected websites (such as those without CAPTCHA or opt-in email). Because these are benign websites, spam filters categorize the messages they send as legitimate and safe.

What are the dangers of email bombs?

Email bombing may be used to hide important notices about account activity from victims in order to make fraudulent online transactions. Spamming the inbox distracts from the real damage that’s going on behind the scenes. 

Attackers have been known to gain access to online shopping accounts and purchase expensive products, make fraudulent transactions on victims’ financial accounts, and harass domain owners into abandoning their email addresses by rendering them useless.      

7 steps to prepare for email bomb attacks

An email bomb attack is almost impossible to prevent because any user with a valid email address can spam any other valid email address. However, there are important ways your organization can prepare for an attack.

The Center for Internet Security (CIS) recommends following the guidelines below:

  1. Ensure email delivery software is up-to-date, patched, and includes antivirus capabilities
  2. Employ “tarpitting” to block or slow traffic from a sending IP address if the traffic from that address exceeds a predefined threshold (e.g. greater than ten emails per minute)
  3. Consider blocking file attachments used in email bomb attacks, such as .zip, .7zip, .exe, and .rar
  4. Limit the maximum email attachment file size
  5. Ensure out-of-office, bounce back, and other automatic messages are only sent once to prevent an endless loop of recurring automatic replies
  6. Where possible, limit send permissions so that only internal and authorized users may send to distribution lists
  7. Avoid posting plain text email addresses online as attackers are able to scrape web pages for email addresses to target them for spam campaigns
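
The tarpitting rule in step 2, sketched as a per-IP sliding window. This is an added example, not CIS or Paubox code; the ten-per-minute threshold comes from the guideline above, while the delay step, the hard block limit, and the sample IP addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

class Tarpit:
    """Per-IP sliding-window limiter: slow senders over the threshold, block far over."""

    def __init__(self, threshold=10, window=60.0, delay_step=2.0, block_factor=3):
        self.threshold = threshold                # guideline example: ten emails per minute
        self.window = window                      # window length in seconds
        self.delay_step = delay_step              # assumed: seconds of delay per excess message
        self.block_at = threshold * block_factor  # assumed hard limit before refusing outright
        self.seen = defaultdict(deque)            # ip -> timestamps of recent messages

    def decide(self, ip, now):
        """Return ("accept", 0.0), ("delay", seconds) or ("block", 0.0)."""
        recent = self.seen[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                      # forget messages outside the window
        recent.append(now)
        count = len(recent)
        if count > self.block_at:
            return ("block", 0.0)
        if count > self.threshold:
            # The delay grows with every message over the threshold.
            return ("delay", (count - self.threshold) * self.delay_step)
        return ("accept", 0.0)

if __name__ == "__main__":
    tarpit = Tarpit()
    # Constructed traffic: one sender bursts 12 messages in 12 seconds.
    for second in range(12):
        print(second, tarpit.decide("192.0.2.10", float(second)))
    # A quiet sender is unaffected, and the burst sender recovers once the window passes.
    print(tarpit.decide("198.51.100.7", 5.0))
    print(tarpit.decide("192.0.2.10", 100.0))
```
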

6 steps to take during an email bombing

When an email bomb attack is in progress, it’s essential to:

  1. Avoid mass deletion and use email rules to filter spam instead
  2. Inboxes that are critical to your organization should use failover services and notifications to protect against the deletion of important emails 
  3. Use a bulk mail filter to help stop subscription-based emails from landing in the inbox. Simply add the newsletters that you want to your approved senders list. 
  4. Use custom spam filters to help block emails that contain words like “confirmation,” “subscription,” or “confirm.” You’ll need to double-check that any valid emails that contain these words aren’t also blocked
  5. Make sure that online passwords are changed and that all of your organization’s online accounts are secured with multi-factor authentication.
  6. Before deleting any emails, look for suspicious activity such as unauthorized withdrawals or purchase confirmation emails that may get buried in the onslaught
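
One way to express steps 1, 3, 4 and 6 as a single filing rule that never deletes mail. This is an added example, not Paubox code; the three bomb keywords are the ones listed above, while the account-activity word list, the approved sender, the folder names, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Every address, word list and message below is constructed for illustration.
APPROVED_SENDERS = {"digest@wanted-news.example"}   # newsletters the user wants
BOMB_WORDS = re.compile(r"\b(confirm|confirmation|subscription)\b", re.I)
# Assumed indicators of account activity that must not get buried.
ACCOUNT_WORDS = re.compile(r"\b(order|purchase|withdrawal|payment|password)\b", re.I)

def triage(raw):
    """Return the folder for one raw message; nothing is ever deleted."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "")
    if sender in APPROVED_SENDERS:       # From is spoofable; treat this as a hint only
        return "inbox"
    if ACCOUNT_WORDS.search(subject):    # checked before the bomb words on purpose
        return "review-now"
    if BOMB_WORDS.search(subject) or msg.get("List-Unsubscribe"):
        return "bomb-quarantine"         # bulk or subscription mail is moved aside
    return "inbox"

def sort_mailbox(raw_messages):
    """File each message and return the subjects per folder."""
    folders = {"inbox": [], "review-now": [], "bomb-quarantine": []}
    for raw in raw_messages:
        folders[triage(raw)].append(message_from_string(raw)["Subject"])
    return folders

SAMPLE = [
    "From: Forum <noreply@boards.example>\nSubject: Please confirm your subscription\n\nhi",
    "From: Shop <shop@store.example>\nSubject: Order confirmation 1001\n\nhi",
    "From: Digest <digest@wanted-news.example>\nList-Unsubscribe: <mailto:u@wanted-news.example>\n"
    "Subject: Confirm your weekly digest\n\nhi",
    "From: Deals <deals@retail.example>\nList-Unsubscribe: <mailto:u@retail.example>\n"
    "Subject: Welcome aboard\n\nhi",
    "From: Colleague <colleague@corp.example>\nSubject: Meeting notes\n\nhi",
]

if __name__ == "__main__":
    for folder, subjects in sort_mailbox(SAMPLE).items():
        print(folder, subjects)
```

The order of the checks is what keeps the "Order confirmation" message out of quarantine even though its subject contains a blocked word.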

Avoid being used for an email bomb attack in three simple steps

To avoid unwitting participation in an email bombing and prevent bots from using your service, take the following three steps:

  1. Implement CAPTCHA on your website’s subscription forms
  2. Make sure to send opt-in emails to new subscribers to prevent unwanted emails
  3. Ensure you have strong inbound email security in place

You don’t want to be on an email bomb attacker’s “good” list

Attackers compile lists of vulnerable websites and sometimes even advertise how often these lists are updated. Anyone can do a quick online search to find sellers and marketplaces that will email bomb a particular email address for a low fee.

HIPAA compliant email and email bombs

Some of the best ways to enhance your organization’s email security are through working with an inbound security and email encryption provider and instituting employee cybersecurity training to safeguard your organization’s data. 

Third-party services like Paubox Email Suite Plus block email threats before they reach your organization’s inbox with advanced features like patented ExecProtect. And, for healthcare, that means that 100% of your outgoing email is secured by Paubox as well.


About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.
