Email attacks: is your inbox flooded?

Is your inbox filling up with thousands of messages more than usual? Perhaps unsolicited subscription confirmation requests, or maybe simple text-only messages about nothing very much?

Whatever the contents of the messages, be aware that this isn’t just a nuisance (which it certainly is) but that you may be under attack. These thousands of emails are a distraction, filling up your inbox with nonsense in the hope that any email alerting you to the real attack will be missed.

For example, if the attacker has got into one of your online accounts, they are able to change the delivery address and order thousands of pounds worth of goods on your account. To hide the evidence, being the order confirmation or the shipping email, they will fill up your inbox with countless emails, pushing the evidence of their attack much lower in your inbox, and making it unlikely that you’ll see it.

Other versions of this attack include attackers setting up a cascade of reply-all messages (that snowball as out-of-office replies multiply across the network), or multiple emails with very large attachments (that fill up the available space).

This is known as email flooding, or as an email bomb attack, and can make your email service unusable for a while because of the sheer quantity of email.

Reducing the risk of an attack

Like other denial of service attacks, it’s not easy to reduce the risk.

Avoid putting an obvious email address in clear text on your website if you can. While you do want your customers to be able to contact you, attackers trawl the web fishing for email addresses (typically, they are looking for an @ symbol, or the mailto: code).

Unfortunately, even if you avoid putting your email address on your website, email addresses such as hello@, info@, sales@, support@ and so on are very easy to guess, and for small businesses in particular, these may all be forwarded to the same inbox.

So, since you can’t easily reduce the risk, it’s important that you are prepared for an attack.

Preparing for a potential attack

The advice for preparing for an email flood is fairly standard advice, and it’s all about making it as hard as possible for the attacker to succeed.

  • Set up your email so that it:
    • Blocks or slows down mail from an IP address, if too many emails from that IP are received in a short space of time.
    • Limits the maximum email attachment file size.
    • Ensures automatic replies (such as ‘out-of-office’) are only sent once per person, to avoid an endless loop of messages.
    • It will alert you to any problems.

Your email provider will often already be doing this on your behalf. This should reduce the deluge of incoming emails, but not eliminate it.

  • Make sure your domain names are locked down, so that they can’t easily be transferred away from your ownership. You can talk to your domain name provider about how to do this, but it is often just a simple tick-box in your domain name account. This will reduce the risk that the attacker will steal your domain name.
  • Make sure that all your accounts, personal and business, are protected with multi-factor authentication wherever possible. This will reduce the risk that the attacker can buy something using one of your accounts.

I’m under attack right now

Your first instinct will probably be to start the mass deletion of emails. However, you might easily delete the one email you really need to see—the one the attackers are trying to hide.

Instead, filter your mails so that all emails that, for instance contain the word ‘subscription’ are filtered out of your inbox into a temporary location. How to do this will depend on the email service you are using.

Review all emails carefully for any indication of an unexpected transaction, or other activity that may have happened while your inbox was filling up with unwanted email. If you see something unusual, act on it immediately—call your bank, or the supplier, or whatever other organisation was involved unwittingly in this unwanted transaction.

Review your most important accounts urgently to check for unexpected transactions, and change the passwords to your online accounts.

Could my site be used to attack someone else?

Many websites invite people to fill out a form, such as a newsletter subscription form.

This kind of form will usually trigger an automatic reply asking them to confirm that they want to be subscribed.

An email bomb attacker may use this to their advantage, by entering the email address that they wish to attack into many newsletter subscription forms. This won’t be done by hand—they’ll have written code to enable this to happen automatically in many places more or less simultaneously.

To avoid your website ending up on their list of subscription forms that enable this attack, consider putting some validation on your site. This will check that visitors filling out your forms are human and not a bot. Be aware, however, that some validation tools can make your site inaccessible for some people.

Unfortunately, if you do end up suffering an email attack, there’s not much you can do other than wait it out while you look for the fraud that the attackers are trying to conceal. The flood of emails will ebb away eventually.

If you’d like some help or advice on how to secure your business, please contact the Click and Protect team via the contact form or call us on 0113 733 6230.