Have You Been a Victim of Email Bombing?

Have You Been a Victim of Email Bombing?


Is your inbox suddenly overflowing with all kinds of subscription emails you never signed up for, making it extremely difficult for you to find messages from important senders? If so, it's likely that you've become a victim of an email bombing attack.

Understanding Email Bombing Attacks

Cybercriminals are constantly improving their techniques to stay one step ahead of cybersecurity professionals. Ever since email emerged as a dominant communication channel, malicious attackers have been exploiting it for various nefarious purposes.

The best-known email threat today is phishing, a social engineering attack that takes advantage of the impersonal nature of email communication to trick human victims into revealing sensitive information or acting against their own best interest using fraudulent messages. According to the 2020 Verizon Data Breach Investigations Report, phishing is responsible for nearly one-fourth of data breaches. Phishing is so popular, in fact, that it somewhat overshadows other dangerous email attacks, including email bombing.

The idea behind email bombing is simple: flood the victim's inbox with a deluge of messages to make the inbox unusable. Sometimes, email bombing is performed as an act of vengeance. In such cases, the attacker's ultimate goal is to harass the victim, making their life more difficult. In other cases, however, email bombing is used as a distraction from a more serious cybercrime, such as account hacking and subsequent fraudulent purchases.

Attackers know that any online purchase they make using stolen account credentials automatically triggers an order confirmation message. If the victim notices the confirmation message soon enough and realizes that something isn't right, they may be able to cancel the purchase and stop further abuse of the stolen credentials by changing their password.

To prevent that from happening, attackers write simple scripts that take as input email addresses, which they then automatically sign up for legitimate newsletters and all kinds of other subscription emails. This method of executing a Distributed Denial of Service attack (DDoS) is far more efficient than direct spamming because it's less likely to trigger spam filters. Attackers can even purchase email bombing as a service on the dark web, with prices being as low as tens of dollars for thousands of messages.

Email bombing attacks wouldn't be so easy to pull off if it wasn't for the fact that many websites don't verify new subscriptions in any way, such as by requiring new subscribers to click a confirmation link sent in an introductory email message. Those that do sometimes send multiple confirmation reminders, which are also useful ammunition for an email bombing attack.

Responding to an Email Bombing Attack


It's only natural to start deleting unwanted emails to restore your inbox to its former state. However, manually deleting subscription emails one by one is like fighting the wind—new emails will just keep arriving.

Instead, it's much better to partially close the gate to your inbox by creating custom email rules to filter incoming messages based on keywords like "subscription" or "confirmation" or "sign-up." Since email filters can't really tell a legitimate message from an illegitimate one, you should configure them to only archive matching emails rather than deleting them right away.

When the initial avalanche of emails is brought under control, the next step is to check unread emails for purchase and withdrawal confirmation and other signs of suspicious activity. Even if you don't find any indications that one or more of your online accounts have been compromised, you should still manually check the recent activity on all websites where your payment card information is stored.

We also recommend you change your passwords, making sure that each new password is sufficiently strong and completely unique. While you're at it, you should also enable two-factor authentication on all accounts that support it to add an extra layer of protection in addition to your password.

If you discover that email bombing has been used to hide fraudulent purchases and other illegal activity, don't hesitate to contact your financial institutions so they can help you protect your accounts. Of course, make sure to also inform local law enforcement.

To prevent future email bombing attacks, it's best to work with an experienced provider of IT security services to implement additional email security policies and controls. These may include everything from purposefully slowing down email transmissions (a technique called email tarpitting) or implementing a machine learning-based spam filter.


Email bombing is a productivity-decimating email attack whose true purpose sometimes becomes apparent only when it's already too late to act. That's why all organizations that rely on email should proactively prepare for it, and we at BCA can strengthen your email defenses and educate your employees to ensure that email will always remain a useful business tool for you. Contact us for more information.