What is Mail Bombing?
Mail bombing is a type of Denial of Service (DoS) attack targeting email inboxes. In this attack, threat actors typically subscribe individual users to numerous legitimate services and trigger password reset requests across multiple platforms. This creates a continuous stream of new messages flooding into the victim's inbox, making it inaccessible. The duration of these attacks is highly variable - they can run for minutes, hours, or even continue for several days, causing extended periods of email disruption.
Attacker motivations
Mail bombing attacks serve multiple purposes for attackers. First, they can be deployed as a traditional DoS attack to prevent specific targets from conducting their work by making their email inboxes unusable. Additionally, attackers may use mail bombing as a smokescreen when they have already compromised an account. By flooding the inbox with thousands of messages, they can effectively hide legitimate security alerts about password changes, email modifications, or suspicious login attempts until they have completed their malicious activities. This tactic makes it extremely difficult for victims to identify and respond to genuine security notifications in time.
Warning - November 2024: Mail bombing attacks have been observed as part of Black Basta ransomware operations, where attackers combine email flooding with Microsoft Teams-based social engineering to trick users into granting system access. Exercise extreme caution with any IT support contacts during a mail bombing incident.
How does Hornetsecurity protect users from Mail Bombing?
Hornetsecurity operates an intelligent detection and protection system that:
- Identifies notification patterns: Automatically detects various types of notification emails, including:
  • Newsletter subscriptions
  • Account registrations
  • Password reset requests
  • Security alerts
- Threshold-Based Protection: Monitors the frequency of notification emails and activates protection when suspicious patterns are detected
- Automated Quarantine: Once activated, the system automatically quarantines subsequent notification emails that match the attack pattern
Note: Protection may activate gradually as the system builds pattern recognition. Some emails may reach the inbox until the protection threshold is reached.
Identifying Mail Bombing Attacks in Email Live Tracking
Administrators can monitor mail bombing attacks through Email Live Tracking in the Control Panel. Quarantined emails from mail bombing attacks are marked with:
• Mail Type: Spam
• Reason: Mail Bombing
These identifiers help administrators quickly locate and review blocked messages related to mail bombing attacks.
Mitigation Using Allow Lists
Organizations needing to ensure delivery from specific legitimate senders during mail bombing protection can add specific sender addresses or domains to the allow list in the Control Panel.
Control Panel Manual: About Deny & Allow Lists
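The threshold-based quarantine and the allow-list bypass described above can be sketched as a sliding-window counter per recipient. This is an added illustration, not Hornetsecurity's implementation: the subject keywords, the threshold of 5, the 10-minute window and all addresses are assumptions, and the sample traffic is constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed subject keywords per notification type named on the page (illustrative only).
PATTERNS = {
    "newsletter": re.compile(r"newsletter|subscri", re.I),
    "registration": re.compile(r"welcome|confirm your (account|email)|verify", re.I),
    "password_reset": re.compile(r"reset your password|password reset", re.I),
    "security_alert": re.compile(r"security alert|new sign-?in", re.I),
}

def classify(subject):
    """Return the notification type of a subject line, or None for ordinary mail."""
    for kind, rx in PATTERNS.items():
        if rx.search(subject):
            return kind
    return None

class MailBombDetector:
    def __init__(self, threshold=5, window=timedelta(minutes=10), allow=()):
        self.threshold, self.window = threshold, window
        self.allow = {a.lower() for a in allow}  # sender addresses or domains
        self.recent = {}  # recipient -> deque of notification timestamps

    def check(self, ts, sender, rcpt, subject):
        """Return 'deliver' or 'quarantine' for one inbound message."""
        domain = sender.rsplit("@", 1)[-1].lower()
        if sender.lower() in self.allow or domain in self.allow:
            return "deliver"  # allow-listed senders bypass the protection
        if classify(subject) is None:
            return "deliver"  # ordinary mail is never counted or held
        seen = self.recent.setdefault(rcpt, deque())
        while seen and ts - seen[0] > self.window:
            seen.popleft()  # drop notifications older than the window
        seen.append(ts)
        return "quarantine" if len(seen) > self.threshold else "deliver"

def run_sample():
    """Constructed traffic: 8 signup mails, one colleague mail, one allow-listed reset."""
    t0 = datetime(2024, 11, 1, 9, 0, 0)
    det = MailBombDetector(threshold=5, allow={"idp.example.org"})
    out = [det.check(t0 + timedelta(seconds=10 * i), f"noreply@shop{i}.example",
                     "victim@corp.example", "Confirm your account") for i in range(8)]
    out.append(det.check(t0 + timedelta(seconds=90), "alice@corp.example",
                         "victim@corp.example", "Q4 budget review"))
    out.append(det.check(t0 + timedelta(seconds=95), "noreply@idp.example.org",
                         "victim@corp.example", "Password reset requested"))
    return out
```

In the sample run the first five notifications reach the inbox before the threshold is crossed, which is the gradual activation the note above describes; the colleague's mail and the allow-listed password reset are delivered even while protection is active.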
Post-Attack Recovery and Newsletter Management
Following a mail bombing attack, victims typically face an ongoing influx of newsletters, as attackers often submit the victim's email address to hundreds of newsletter services. This creates a persistent issue that extends beyond the initial attack. To address this challenge, users have two strategic options:
Unsubscribe from newsletters:
Users can systematically unsubscribe from all newsletters they were involuntarily subscribed to during the attack. While effective, this process can be time-consuming due to the volume of subscriptions.
Automated Newsletter Management:
Users can leverage the Hornetsecurity Infomail Filter feature to automatically quarantine all newsletter communications. This solution helps by:
- Automatically detecting and quarantining all newsletter communications
- Providing a centralized management interface for newsletter control
- Allowing users to selectively whitelist legitimate newsletters they wish to receive
- Ensuring business-critical communications remain unaffected
- Requiring minimal ongoing maintenance once configured
Control Panel Manual: Activating the Infomail Filter
Summary
Mail bombing presents a significant threat to email availability and security. Hornetsecurity's protection system provides automated, intelligent defense against these attacks while maintaining business email continuity.