It’s not just businesses that are being attacked – it’s anyone with an email account. This is especially true if your passwords have been compromised.

Bombarded by thousands of unsolicited subscription confirmation emails in your inbox? You may be experiencing an email bomb attack.

Unfortunately, this type of attack is difficult to defend against because the attacker uses automated bots to subscribe a victim’s email address to multiple lists per second, including forums and message boards, newsletters, retail mailing lists, and other everyday communications.

Beyond the initial strike, a steady and annoying stream of unwanted emails can keep arriving even years after the attack. To add insult to injury, other attackers will add the victim to additional spam, phishing, and malware lists.

What is an email bomb?
An email bomb is a denial of service attack (DoS) against an email server, designed to make email accounts unusable or cause network downtime. Email bombs started in the late 1990s with high-profile cases such as the cyber attack on Langley Air Force Base in Virginia.

Historically, journalists have found themselves the target of email bombing campaigns in retribution for critical stories. Anyone can be a victim though, including government officials, policymakers, emergency coordinators, healthcare providers, and consumers like you and me.

Today’s email bombs are more sophisticated and can overwhelm most spam filters. This can devastate email inboxes and disrupt our ability to communicate.

How an email bomb works
To initiate an email bomb, an attacker uses simple scripts that submit the victim’s email address to thousands of subscription registration forms on unprotected websites (such as those without CAPTCHA or opt-in email). Because these are benign websites, their emails are categorized by spam filters as legitimate, safe messages.

Email bombing may be used to hide important notices about account activity from victims in order to make fraudulent online transactions. Spamming the inbox distracts from the real damage that’s going on behind the scenes.

Attackers have been known to gain access to online shopping accounts like Amazon to purchase expensive products, and to make fraudulent transactions on victims’ financial accounts. There’s really no effective way to “clean up” an email address after this type of targeted attack. The best option might just be to create a new email address and abandon the attacked email account altogether.

How to prepare for email bomb attacks
An email bomb attack is almost impossible to prevent because any user with a valid email address can spam any other valid email address. However, there are important ways you or your company can prepare for an attack.

The Center for Internet Security (CIS) recommends following the guidelines below:
Ensure email delivery software is up-to-date, patched, and includes antivirus capabilities.

Employ “tarpitting” to block or slow traffic from a sending IP address if the traffic from that address exceeds a predefined threshold (e.g. greater than ten emails per minute).

Consider blocking file attachments used in email bomb attacks, such as .zip, .7zip, .exe, and .rar.

Limit the maximum email attachment file size.

Ensure out-of-office, bounce back, and other automatic messages are only sent once to prevent an endless loop of recurring automatic replies. If you use Microsoft Outlook, this is the default.

Where possible, limit send permissions so that only internal and authorized users may send to distribution lists.

Avoid posting plain text email addresses online, as attackers are able to scrape web pages for email addresses to target them for spam campaigns. Using spaces between letters to change the address is NOT effective – for instance, an email address posted like this: help at actsmartit com is easily figured out by the programs scraping online information.
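The tarpitting guideline above, as an added example that is not from CIS or the original article: a per-IP sliding window that returns how long to stall each message once a sender passes ten emails per minute. The delay values, class name and sample events are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # "per minute", from the guideline
THRESHOLD = 10        # more than ten emails per minute triggers the tarpit
BASE_DELAY = 2.0      # assumed: stall applied to the first excess message
MAX_DELAY = 30.0      # assumed: upper bound on the stall, in seconds


class Tarpit:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)  # sending IP -> timestamps in window

    def delay_for(self, ip, now):
        """Record one message from ip at time now; return seconds to stall it."""
        stamps = self.seen[ip]
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        stamps.append(now)
        excess = len(stamps) - self.threshold
        if excess <= 0:
            return 0.0
        # Double the stall for each further message over the threshold.
        return min(BASE_DELAY * 2 ** (excess - 1), MAX_DELAY)


def replay(events):
    """Run (timestamp, ip) events through a fresh tarpit in time order."""
    tarpit = Tarpit()
    return [(ts, ip, tarpit.delay_for(ip, ts)) for ts, ip in sorted(events)]


# Constructed sample: one host sends 14 messages in 26 seconds,
# another sends 2 messages in the same period.
SAMPLE_EVENTS = [(t * 2, "203.0.113.7") for t in range(14)] + [
    (5, "198.51.100.20"),
    (40, "198.51.100.20"),
]

if __name__ == "__main__":
    for ts, ip, delay in replay(SAMPLE_EVENTS):
        print(f"t={ts:>3}s {ip:<15} stall {delay:.0f}s")
```

A subscription bomb arrives from thousands of different legitimate senders, so each sending IP usually stays under the threshold; this control mainly limits floods from a single source.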

What to do during an email bombing
When an email bomb attack is in progress, it’s essential to avoid mass deletion and use email rules to filter spam instead.

Inboxes that are critical to your organization should use failover services and notifications to protect against the deletion of important emails.

A bulk mail filter can help stop subscription-based emails from landing in the inbox. Simply add the newsletters that you want to your approved senders list.

Custom spam filters can also be used to block emails that contain words like “confirmation,” “subscription,” or “confirm.” You’ll need to double-check that any valid emails that contain these words aren’t also blocked.

Make sure that online passwords are different from each other AND that they are changed on a regular basis. A better control is to secure all of your online accounts with multi-factor authentication. Yes, it’s another step, but the additional security protection 2FA affords us is well worth the time invested.

Before deleting any emails, look for suspicious activity such as unauthorized withdrawals or purchase confirmation emails that may get buried in the onslaught. This is why hackers use this method of attack. People get frustrated with all the “spam” emails and decide to simply delete them all. That also deletes the emails that could identify the scammer’s motives and allow you to contact the online companies the attacker has accessed and get the accounts secured.
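One way to apply the filtering advice above without losing the emails that matter, as an added example that is not part of the original article: messages that mention purchases, payments or withdrawals go to a review queue before any keyword or bulk rule can hide them. The word lists, function names and sample messages are constructed for the illustration.

```python
import re
from email import message_from_string, policy

# Words the article suggests filtering on, plus common list vocabulary.
BULK_WORDS = re.compile(
    r"\b(confirm|confirmation|subscription|subscribe|newsletter)\b", re.I)
# Assumed vocabulary of account activity that must never be filtered away.
ALERT_WORDS = re.compile(
    r"\b(order|purchase|payment|withdrawal|transfer|password|shipped)\b", re.I)


def triage(raw):
    """Return 'review', 'bulk' or 'inbox' for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # Alerts are checked first, so "order confirmation" is kept for review
    # even though it contains a filtered word.
    if ALERT_WORDS.search(subject + "\n" + body):
        return "review"
    if msg.get("List-Unsubscribe") or BULK_WORDS.search(subject):
        return "bulk"
    return "inbox"


def review_queue(raw_messages):
    """Subjects of the messages a person should read before any deletion."""
    return [str(message_from_string(m, policy=policy.default)["Subject"])
            for m in raw_messages if triage(m) == "review"]


def make(sender, subject, body, extra=""):
    """Build a constructed sample message."""
    return f"From: {sender}\nSubject: {subject}\n{extra}\n{body}\n"


# Constructed sample mailbox (not real traffic).
SAMPLE_MAILBOX = [
    make("news@example.net", "Please confirm your subscription",
         "Click the link to confirm.",
         "List-Unsubscribe: <mailto:leave@example.net>\n"),
    make("shop@example.com", "Your order confirmation",
         "Your purchase has shipped."),
    make("alice@example.org", "Lunch on Friday?", "Are you free at noon?"),
    make("forum@example.org", "Welcome to the forum", "Thanks for joining.",
         "List-Unsubscribe: <mailto:leave@example.org>\n"),
]

if __name__ == "__main__":
    print([triage(m) for m in SAMPLE_MAILBOX], review_queue(SAMPLE_MAILBOX))
```

The rule order errs toward review: a list email that happens to mention a password lands in the review queue rather than being hidden.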

Recently, it has been reported that attackers have even used Amazon’s archive feature to hide fraudulent purchases.

 

How to avoid being used for an attack
To avoid unwitting participation in an email bombing and prevent bots, website owners and developers need to implement CAPTCHA on their website’s subscription forms. And make sure to send opt-in emails to new subscribers to prevent unwanted emails.
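A sketch of the subscription-form side of this advice, added here as an example and not taken from the original article: the form rejects requests that failed the CAPTCHA, sends at most one opt-in email per address per day, and only adds an address to the list after a signed token comes back. The class, the `captcha_ok` flag (the result of whatever CAPTCHA check the site uses), the secret and the time limits are all hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # placeholder; a real site keeps this private
TOKEN_TTL = 24 * 3600              # assumed: confirmation link valid for a day
RESEND_COOLDOWN = 24 * 3600        # assumed: one opt-in mail per address per day


class SubscriptionList:
    def __init__(self):
        self.confirmed = set()
        self.last_sent = {}   # address -> time the opt-in mail was sent
        self.outbox = []      # (address, token) pairs standing in for sent mail

    def _token(self, address, issued):
        mac = hmac.new(SECRET, f"{address}|{issued}".encode(), hashlib.sha256)
        return f"{issued}.{mac.hexdigest()}"

    def request(self, address, captcha_ok, now):
        """Handle one form submission; now is an integer Unix timestamp."""
        address = address.strip().lower()
        if not captcha_ok:
            return "rejected"                 # bots never trigger any email
        if address in self.confirmed:
            return "already-subscribed"
        last = self.last_sent.get(address)
        if last is not None and now - last < RESEND_COOLDOWN:
            return "pending"                  # no second opt-in mail is sent
        self.last_sent[address] = now
        self.outbox.append((address, self._token(address, now)))
        return "confirmation-sent"

    def confirm(self, address, token, now):
        """Add the address only if the token is authentic and not expired."""
        address = address.strip().lower()
        issued = token.partition(".")[0]
        if not (issued.isascii() and issued.isdigit()):
            return False
        if now - int(issued) > TOKEN_TTL:
            return False
        expected = self._token(address, int(issued))
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False
        self.confirmed.add(address)
        return True
```

Regular list mail would go only to addresses in `confirmed`, so a submitted address that never clicks the link receives a single message from this site.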

Attackers compile lists of vulnerable websites and sometimes even advertise how often these lists are updated. Anyone can do a quick online search to find sellers and marketplaces that will email bomb a particular email address for a low fee. Always remember, these types of attacks are a very profitable “business” for online attackers.

Conclusion
As a business, some of the best ways to enhance your email security are working with an inbound security and email encryption provider, instituting employee cybersecurity training to safeguard your organization’s data, and always enabling and enforcing multi-factor authentication for everyone.

As a consumer, if you’re not changing your email password on a regular basis or, worse yet, you’re using that same password for online shopping or banking, it’s time to get back to basics. Change your email and online passwords on a regular basis and enable multi-factor authentication everywhere you can.

To check if your email password has been found on the dark web:
https://haveibeenpwned.com/

Many of today’s credit card providers offer some level of monitoring of your critical online information – check your credit card provider’s website for additional information.