What is Mail Bombing?
Mail bombing is a type of Denial of Service (DoS) attack targeting email inboxes. In this attack, threat actors typically subscribe individual users to numerous legitimate services and trigger password reset requests across multiple platforms. This creates a continuous stream of new messages flooding into the victim's inbox, making it inaccessible. The duration of these attacks is highly variable - they can run for minutes, hours, or even continue for several days, causing extended periods of email disruption.
Be Advised: Hornetsecurity offers automatic Mail Bombing Protection to enhance your email security. However, it is important to note that this feature is currently powered by cloud-based technology, which means it is not yet available for customers using on-premises appliances. We understand the importance of this protection for all users, and we are actively working on developing a solution to extend this functionality to appliance customers in the near future. We appreciate your patience as we continue to improve our services.
Attacker motivations
Mail bombing attacks serve multiple purposes for attackers. First, they can be deployed as a traditional DoS attack to prevent specific targets from conducting their work by making their email inboxes unusable. Additionally, attackers may use mail bombing as a smokescreen when they have already compromised an account. By flooding the inbox with thousands of messages, they can effectively hide legitimate security alerts about password changes, email modifications, or suspicious login attempts until they have completed their malicious activities. This tactic makes it extremely difficult for victims to identify and respond to genuine security notifications in time.
Mail bombing attacks have been observed as part of Black Basta ransomware operations, where attackers combine email flooding with Microsoft Teams-based social engineering to trick users into granting system access. Exercise extreme caution with any IT support contacts during a mail bombing incident.
How does Hornetsecurity protect users from Mail Bombing?
Hornetsecurity operates an intelligent detection and protection system that:
- Identifies notification patterns: Automatically detects various types of notification emails, including:
• Newsletter subscriptions
• Account registrations
• Password reset requests
• Security alerts
- Threshold-Based Protection: Monitors the frequency of notification emails and activates protection when suspicious patterns are detected
- Automated Quarantine: Once activated, the system automatically quarantines subsequent notification emails that match the attack pattern
Note: Protection may activate gradually as the system builds pattern recognition. Some emails may reach the inbox until the protection threshold is reached.
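The threshold behaviour described above can be sketched as a per-recipient sliding-window counter. This is an added illustration, not Hornetsecurity's detection logic: the window length, threshold, subject keywords, class and function names, and all sample messages are assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed sliding-window length
THRESHOLD = 5          # assumed: notification mails tolerated per window
NOTIFICATION_HINTS = ( # assumed subject keywords for the four notification types
    "confirm your subscription", "welcome to", "verify your account",
    "password reset", "security alert",
)

def is_notification(subject):
    """Crude stand-in for notification-pattern recognition."""
    s = subject.lower()
    return any(hint in s for hint in NOTIFICATION_HINTS)

class MailBombGuard:
    def __init__(self, allow_list=()):
        self.allow = {entry.lower() for entry in allow_list}
        self.recent = defaultdict(deque)  # recipient -> notification timestamps

    def verdict(self, ts, sender, recipient, subject):
        sender = sender.lower()
        domain = sender.rsplit("@", 1)[-1]
        # Allow-listed addresses or domains are always delivered.
        if sender in self.allow or domain in self.allow:
            return "deliver"
        # Ordinary mail is never counted or quarantined.
        if not is_notification(subject):
            return "deliver"
        window = self.recent[recipient.lower()]
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()              # forget mails outside the window
        window.append(ts)                 # quarantined mail still counts
        return "quarantine" if len(window) > THRESHOLD else "deliver"

def run_sample():
    """Replay a constructed burst: 8 notifications in 80 s, then edge cases."""
    guard = MailBombGuard(allow_list=["idp.example.org"])
    subjects = ["Confirm your subscription", "Password reset requested",
                "Welcome to our newsletter", "Security alert: new sign-in"]
    victim = "victim@example.com"
    msgs = [(i * 10, f"noreply@site{i}.example", victim, subjects[i % 4])
            for i in range(8)]
    msgs.append((85, "colleague@example.com", victim, "Q3 budget draft"))
    msgs.append((90, "sso@idp.example.org", victim, "Password reset requested"))
    msgs.append((4000, "noreply@shop.example", victim, "Welcome to our newsletter"))
    return [guard.verdict(*m) for m in msgs]

if __name__ == "__main__":
    for number, result in enumerate(run_sample(), 1):
        print(number, result)
```

The first five notifications are delivered before the threshold trips, which mirrors the note above about emails reaching the inbox while protection builds up.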
Identifying Mail Bombing Attacks in Email Live Tracking
Administrators can monitor mail bombing attacks through Email Live Tracking in the Control Panel. Quarantined emails from mail bombing attacks are marked with:
• Mail Type: Spam
• Reason: Mail Bombing
These identifiers help administrators quickly locate and review blocked messages related to mail bombing attacks.
Recommended Measures During the Attack
Infomail Filter
As protection mechanisms and pattern recognition are built up and improved incrementally, it is possible that emails may still reach users' mailboxes even when the filter is enabled. This is because the filter initially needs time to learn and adapt in order to reliably identify and block all unwanted or potentially dangerous messages.
To further minimize the impact of such unwanted emails, we strongly recommend ensuring that the Infomail Filter is enabled. In addition, the filter should be configured to "quarantine" emails. This will further reduce the number of incoming emails and lessen the impact on end users.
User Interaction
Mail bombing attacks are often combined with social engineering attacks, where an attacker impersonates IT support and contacts the user directly. We therefore recommend that administrators proactively reach out to the affected user to ensure that no interaction takes place with unauthorized third parties.
Mitigation Using Allow Lists
Organizations needing to ensure delivery from specific legitimate senders during mail bombing protection can add specific sender addresses or domains to the allow list in the Control Panel.
Control Panel Manual: About Deny & Allow Lists
Post-Attack Recovery and Newsletter Management
Following a mail bombing attack, victims typically face an ongoing influx of newsletters, as attackers often submit the victim's email address to hundreds of newsletter services. This creates a persistent issue that extends beyond the initial attack. To address this challenge, users have two strategic options:
Unsubscribe from newsletters:
Users can systematically unsubscribe from all newsletters they were involuntarily subscribed to during the attack. While effective, this process can be time-consuming due to the volume of subscriptions.
Automated Newsletter Management:
Users can leverage the Hornetsecurity Infomail Filter feature to automatically quarantine all newsletter communications. This solution helps by:
- Automatically detecting and quarantining all newsletter communications
- Providing a centralized management interface for newsletter control
- Allowing users to selectively whitelist legitimate newsletters they wish to receive
- Ensuring business-critical communications remain unaffected
- Requiring minimal ongoing maintenance once configured
Control Panel Manual: Activating the Infomail Filter
Summary
Mail bombing presents a significant threat to email availability and security. For cloud customers, Hornetsecurity's protection system provides automated, intelligent defense against these attacks while maintaining business email continuity.