Email bombing: what you need to know
Email bombing, sometimes called "list linking" or "email cluster bombing," is a cyberattack that floods an inbox with thousands of emails, making it difficult for the victim to manage their messages. While this technique isn’t new, automation has made it cheaper, allowing attackers to misuse legitimate services at scale to overwhelm inboxes. This abuse of legitimate services makes email bombing hard to detect and even harder to block.
How email bombing works
Email bombing involves overwhelming a target’s inbox with an excessive number of email messages in a very short time. The emails often fall into two categories:
-
Legitimate newsletters: Attackers use automated tools to subscribe the victim to numerous newsletters or mailing lists. This results in an excessive amount of subscription confirmations or actual newsletters flooding the inbox. Because these emails come from legitimate services, they are difficult to distinguish from regular messages.
-
Mass email spamming: In another variant, attackers use compromised email servers to send thousands (or even millions) of spam emails directly to the target’s inbox. Depending on the type of (spam) content, this variant may be easier to distinguish from regular messages.
Smoke and noise
Email bombing is more than just an inconvenience—it’s often a smoke screen for other malicious activities. By burying important emails under a flood of messages, attackers can hide security alerts or transaction notifications. Criminals use this tactic to:
- Conceal fraud: Bury confirmation emails for unauthorized transactions.
- Distract victims: Prevent IT security personnel from seeing warnings or taking action on ongoing security breaches.
- Enable social engineering: Exploit the chaos, call up victims and impersonate IT staff to launch a secondary attack: install malware, steal credentials, etc.
Email bombing not only disrupts operations but also increases the risk of security breaches, including phishing attacks and ransomware.
How to solve email bombing
To protect against email bombing attacks, security teams can create specialized email filters to identify and block auto-generated emails.
Website administrators and CMS providers can limit registrations or requests from the same IP address.
Mitigations available for xorlab customers: To reduce the impact of email bombing attacks, xorlab introduced the Email Bombing Recipient Addresses List in Release 7.0.9. You can add targeted email addresses to this list for aggressive filtering of auto-generated emails.
Recommended actions
To protect your organization and users from email bombing:
- Educate your team: Teach employees how to recognize and report email bombing incidents.
- Set expectations: Clearly communicate to your organization how your team will handle reported cases.
- Emphasize security practices: Remind users that your security team will never ask them to click on links or download files from the internet.
- Work with your vendor: Report incidents to your email security vendor for analysis. If you’re a xorlab customer, you can reach out to our support team.
Our team will continue to provide guidance on to those affected by email bombing attacks and share detection techniques as they become available.
Staying ahead
xorlab lets security analysts see email threats before they land in the inbox. Using data from their organizational context, analysts can quickly create, test, and deploy dynamic security policies that catch tomorrow’s attacks. Take the interactive tour below to learn more.
Curious about how well your organization is protected against modern email attacks? Find out with xorlab's attack simulation and identify weaknesses quickly and easily.
Credits: Image created with DALL·E.