Recently we helped an organization who was under attack by an email bombing campaign. Imagine receiving 5,000 email messages an hour. There are so many messages, it is impossible to sift through the junk to find legitimate correspondence. If you are lucky, you can call your MSP for help. If not, we hope this brief article will help.
The first and most important message to anyone who is the target of an email bomb is this: Use caution! The email bombing may be a tactic to distract you from another threat. Such as:
- Email notifications about purchases made on a personal credit card or account.
- Email notification about a funds transfer on a corporate account.
- Someone who calls offering technical help, but really wants access to your system.
- Another attack going on elsewhere while IT is busy dealing with the email bomb.
It will be nearly impossible to delete the messages individually, so what can you do?
Spam Filters and Rules
The first thing to do is look for patterns in the messages that you can use to filter out the unwanted emails. Often attackers will use bots to sign you up for newsletters, which triggers a flood of email confirmations that look legitimate individually. In this case, you might filter for things like “Welcome to our newsletter,” “Your new account,” or “unsubscribe.”
In other cases, attackers may use fake email addresses that mimic trusted contacts. This makes it harder to identify the source of the attack and AI generated content will make filtering more difficult.
Many spam filters allow you to adjust settings. Moving to a more restrictive level of security may eliminate thousands of emails.
Safe Senders List
Within Outlook, you can configure the junk option to: “Safe Lists Only.” When you do this, the only mail that will be delivered to your inbox will be from addresses on your safe senders list. To add a large number of addresses, you’ll want to navigate to Junk Email Options / Safe Senders. Here you can easily add email addresses. You can also choose to permanently delete suspected junk email rather than sending it to your Junk Email folder. If you are using an advanced spam filter, you can follow a similar process. By doing this, the unwanted messages will be prevented from reaching you.
DNS
To protect against email-based threats like phishing and spam, organizations can implement three key anti-spam measures: SPF, DKIM, and DMARC. SPF checks if an email comes from an authorized server by matching the sender’s IP address to a list in the domain’s DNS records. DKIM adds a digital signature to emails to verify they haven’t been altered during transit. DMARC builds on SPF and DKIM by setting policies on how to handle emails that fail authentication and provides reporting on suspicious activity. Together, these protocols help prevent spoofing, improve email deliverability, and increase the security and trustworthiness of email communications.
Change Your Address
In severe cases where filtering does not work, you may be tempted to change your email address. Note that when you do this, your system will start sending Non-Delivery Reports (NDRs) back to the original senders. If the sources are widely distributed, the sending email services may not notice. Unfortunately, your service provider will. You may end up blocked for the volume of mail your deleted account is generating. These blocks typically last 24 hours. The attack will eventually wane and you’ll be able to restore the account, usually in a few days.
Follow Up
As soon as possible you’ll want to check for unusual activity on personal and corporate financial accounts. You will also want to audit corporate computer systems for any unauthorized activity. We recommend reporting email bombing incidents to your email provider and, depending on the severity, to law enforcement or a cyber incident response team. Reporting can help track the attack and prevent future attacks on other users.
The best defense for any attack is to have proper tools in place to protect your accounts. While an email bomb is mostly a nuisance, real threats can be prevented and detected with the right security tools. We recommend advanced spam filters, anti-malware software, and email security solutions. Which tools fit your environment will depend on your infrastructure and the services you use.
Reach out to our sales team to learn more about a set of tools that fits your technical environment and your tolerance for risk.