If you suddenly start to receive an unusual amount of junk email, by the hundreds or thousands, or a massive amount of subscription email confirmations, you are probably the victim of Email Bombing a.k.a. Subscription Bombing.  The perpetrator is using this technique in an effort to try to hide their real goal.

What Is Email Bombing?

Email bombing is an attack on your inbox that involves sending massive amounts of messages to your email address. Sometimes these messages are complete gibberish, more often they are confirmation emails for newsletters and other subscriptions. The attacker uses a script to search the internet for forums and newsletters and then signs up for an account with your email address. Each will send you a confirmation email asking to confirm your address.

Why do they do this?

When we think of email we often think about email delivering malware or scams this is something altogether different. There may be several different answers to why criminals do this. The reason may be as simple as an attempt to overwhelm your email server by filling up your email quota or consuming so many processes that it acts like DoS Attack. However, the primary reason is to distract you by burying important email in your inbox, emails such as purchase confirmations, bank transactions, or account access alerts to name a few.

How do they do it?

They use a technique called Mailbait. Mailbait was originally a for-hire service whose sole purpose is to fill up an email inbox by sending a massive amount of spam. It automatically subscribes you to hundreds, if not thousands of online mailing lists. Its original intent was for “testing purposes”, however, this has been abused and improved by criminals for nefarious reasons.

Why your email account?

They are using your email account because it is associated with something they have access to. Things such as your bank account, though they may already have your debit/credit card number.  They will try to gain access to your website or online store, or your account to an online store such as Amazon or Ebay. The email bombing floods your email inbox with irrelevant emails, burying the purchase, and shipping confirmation emails so you won’t notice them. If they have access to your domain Registrar they may be attempting to transfer your domain away.

By flooding your inbox, the email bombing serves as a distraction from the real damage, burying any relevant emails about what’s going on in a mountain of useless emails, hoping in your frustration you will simply delete them. When they stop sending you wave after wave of email, it may be too late and the damage may already be done.

What to Do When You Get Email Bombed?

If you find yourself the victim of email bombing, the first thing to do is check and lock down your accounts. Start with your bank – login to see if there has been any unexpected activity and call them immediately. They will be able to lock down your account and help you find and prevent any additional unusual activity.

Next log into any shopping accounts, like Amazon, and check for recent orders. If you see an order that you didn’t place, contact the shopping website’s customer support immediately. While you’re checking your shopping accounts, it would be wise to remove your payment options entirely. If the perpetrator is still waiting to break into your account and order something, they won’t be able to.

If you own any domains, you should contact your domain provider and ask for help locking down the domain so it can’t be transferred away.

If you discover an attacker has gained access to one of your websites, you should change your password on that website. Make sure you use strong, unique passwords for all your important online accounts. A password manager will help we recommend LastPass. If you can manage it, you should set up two-factor authentication for every site that offers it. This will ensure attackers can’t gain access to an account—even if they somehow get that account’s password.

Contact your email service provider, they will be able to help you mitigate some percentage of the email onslaught.

Can I stop the attack or should I wait it out?

Ultimately, there’s nothing you can do to stop the attack completely. It may end within 24 hours or you may be in for a long haul. While email bombings sometimes trail off after a day, they can go on as long the perpetrator wants or has the resources for, though if you stop their access they tend to move right on. It may be a good idea to contact anyone that you are awaiting an important email from, make them aware of what’s going on, and provide another way to contact you. Eventually, either your attacker will get what they want or realize you’ve taken the steps to prevent them from succeeding and move on to an easier target.