Threat actors have recently increased attempts to take email servers offline by overloading the servers with thousands of email messages (known as “email bombing”). This attack is similar to a Denial of Service (DOS) attack, where hundreds of thousands of devices all send traffic to a website, resulting in the website becoming inaccessible to legitimate traffic. In this case, far fewer “attacker” devices are required, as each email message puts load onto the email server at a much higher level than a web-traffic request would, resulting in the email server becoming non-responsive and leaving legitimate users unable to send and receive mail. If you suspect that your email system is experiencing email bombing (often indicated by most if not all users unable to send or receive email from any device on any internet connection), contact your Managed Service Provider or IT Team immediately.
Technical detail and additional information
What is the threat?
Email bombing, in general, is a type of attack that is achieved by sending large numbers of messages to a recipient’s inbox in order to overflow the mailbox and overwhelm the server where the email address resides. In many cases this attack can be broadened to send overwhelming levels of messages to multiple mailboxes – especially if the target of the attack is a company or organization instead of a particular person. In many respects, this form of attack resembles the much more often seen Denial of Service (DOS) attack, where large numbers of devices send fake traffic to a website, rendering it unable to accept or handle legitimate traffic. Email bombing attacks can be delivered by using many large email messages or an even larger number of small messages, requiring far fewer devices to take an active role in the attack to achieve the intended outcome. Typically, the email messages are meaningless, but they may contain malware in attachments or links to attack sites, adding a further threat on top of the outage itself.
Why is this noteworthy?
Email bombing has not been anywhere near as popular as standard or distributed DOS attacks to date. The recent and noticeable rise in email bombing could indicate that threat actors are actively targeting individuals and organizations by disrupting vital business practices through stopping the flow of email. There are many email-bombing tools and services available via the Internet and the Dark Web, making this attack possible even for a threat actor who lacks the knowledge to carry it out themselves. For as little as ten dollars or less, an email-bombing campaign can very easily be initiated against an attacker’s target of choice.
What is the exposure or risk?
The primary impact of email bombing is denial of access to email systems, particularly during critical business periods such as the holiday season for retail businesses. This can easily lead to loss of revenue through disruption of business processes, and loss of reputation as customers cannot effectively use email to communicate with the company. Email bombing attacks against government agencies can result in a loss of services to municipalities and national governments; and attacks against hospitals and healthcare providers could disrupt patient care. As email containing malicious links may be delivered, and altered messages may contain malicious information, email bombing can pose simultaneous internal and external threats.
What are the recommendations?
- Use email filters that are based on the logic of filtering identical messages that are received within a specified short span of time.
- Configure your email server to block messages beyond a certain size, including any attachments that exceed a certain size.
- Do not compound or expand the potential problem by interacting with, forwarding, or replying to spammed email. This includes not interacting with email – such as avoiding clicking on unsubscribe links – unless the sender has been confirmed to be legitimate.
- Implement and utilize Domain-based Message Authentication, Reporting and Conformance (DMARC) to validate the trustworthiness of email and protect domains from being used for email spoofing, phishing scams, and other cybercrimes. This technology identifies your organization to other email servers, and the more organizations that adopt it, the less chance there is that threat actors can masquerade as legitimate senders.
- Ensure out-of-office, bounce back, and other automatic messages are only sent once to prevent an endless loop of recurring automatic replies. If such automated messages are not required for business objectives, avoid using them completely.
- Where possible, limit send permissions so that only internal and authorized users may send to distribution lists.
- Avoid posting plain text email addresses online as malicious actors are able to scrape webpages for email addresses allowing them to target those addresses for email bombing and spam. While it is not possible to do this for all email addresses due to how modern communication works, companies can limit which addresses are posted online to limit the number of addresses that are obtainable.
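The first two recommendations (filtering near-identical messages that arrive within a short window, and rejecting oversized messages) can be expressed as a simple detection rule. The following is an added example, not part of the original advisory: it runs over constructed mail-log lines in an assumed pipe-delimited format and flags both a burst of near-identical messages to one recipient and a message over a size limit.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mail-log lines (assumed format, not from a real server):
# ISO timestamp | recipient | sender | size in bytes | subject
SAMPLE_LOG = """\
2024-11-25T09:00:01|alice@example.test|news@shop-a.test|2100|Your weekly digest
2024-11-25T09:00:03|alice@example.test|bot1@junk.test|900|Confirm your subscription
2024-11-25T09:00:07|alice@example.test|bot2@junk.test|900|Confirm your subscription
2024-11-25T09:00:11|alice@example.test|bot3@junk.test|900|confirm your  subscription!
2024-11-25T09:00:15|alice@example.test|bot4@junk.test|900|Confirm Your Subscription
2024-11-25T09:00:19|alice@example.test|bot5@junk.test|900|Confirm your subscription
2024-11-25T09:02:00|bob@example.test|vendor@partner.test|26000000|Q4 invoices (huge attachment)
2024-11-25T09:30:00|alice@example.test|bot6@junk.test|900|Confirm your subscription
"""

def fingerprint(subject):
    """Normalise case, whitespace and punctuation so trivially varied copies collide."""
    kept = "".join(ch for ch in subject.lower() if ch.isalnum() or ch.isspace())
    return hashlib.sha256(" ".join(kept.split()).encode()).hexdigest()[:16]

def parse_line(line):
    ts, rcpt, sender, size, subject = line.split("|", 4)
    return datetime.fromisoformat(ts), rcpt, sender, int(size), subject

def detect_bombing(log_text, window=timedelta(seconds=60), threshold=5, max_bytes=25_000_000):
    """Return (kind, recipient, detail) alerts for bursts and oversized messages."""
    recent = defaultdict(deque)  # (recipient, fingerprint) -> timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rcpt, sender, size, subject = parse_line(line)
        if size > max_bytes:
            alerts.append(("oversized", rcpt, f"{size} bytes from {sender}"))
        q = recent[(rcpt, fingerprint(subject))]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:           # fire once, when the threshold is first crossed
            alerts.append(("burst", rcpt, f"{threshold} near-identical messages within {window.seconds}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect_bombing(SAMPLE_LOG):
        print(alert)
```

The sixth "Confirm your subscription" message arrives half an hour later, so the sliding window has emptied and it does not re-trigger the burst rule; in production the fingerprint would usually cover the body hash as well as the subject.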
During an attack:
- If an inbox is overloaded, avoid mass deleting emails during the attack; instead, use email rules to filter the spam.
- Ensure critical inboxes use failover services and notification options to safeguard against automated deletion and/or hitting mail storage limits.
- Notify the email service provider (the IT team, Managed Service Provider, Office365, Gmail, etc.) if one or more users cannot send and receive mail from multiple internet connections and on multiple devices, or if one or more users begin receiving very large numbers of emails, or unusually large messages, that do not pertain to business purposes.
For more in-depth information about the recommendations, please visit the following links:
For more information, please contact our Security Operations Center.