What is a mail bomb?
A mail bomb is a form of a denial-of-service (DoS) attack designed to overwhelm an inbox or inhibit a server by sending a massive number of emails to a specific person or system. The aim is to fill up the recipient's disk space on the server or overload a server to stop it from functioning.
Also known as email bombs and letter bombs, mail bombs inconvenience not only the intended target but everyone who uses the server. When a server is unresponsive, it can degrade network performance and potentially lead to downtime.
Mail bomb attacks are usually initiated -- intentionally or unintentionally -- by a botnet, a single actor or a group of actors. The damage caused by a mail bomb can range from a minor inconvenience to a total disruption of services. Mail bomb attacks can last for several hours if no effort is made to filter, mitigate or block the attacking traffic.
What are the different types of mail bomb attacks?
There are many forms of mails bombs. These are the most common tactics used by threat actors:
- Attachment. An attachment attack occurs when multiple emails with large attachments are sent. They are designed to overload server storage space quickly and render it unresponsive.
- List linking. A list linking attack is a tactic used by threat actors to sign up targeted emails to multiple email subscription services. The goal is to flood email addresses indirectly with subscribed content. This is possible because many subscription services do not require verification. If they did, the verification emails could be used as a list linking mail bomb attack. It is difficult to defend against list linking attacks because the traffic originates from legitimate sources.
- Mass mailing. Mass mailing is a type of mail bomb that is not always intentional. For example, instead of clicking on one email address, a user may accidentally select all and mistakenly send the email to hundreds or thousands of targeted email addresses.
- Intentional mass mail bombs are often initiated by using botnets or malicious scripts. For example, threat actors can automate the filling of online forms with the target email address as the requesting/return address.
- Reply all. When a user responds by clicking Reply All to an extensive list of email addresses instead of just the original sender, inboxes are flooded with emails. Automated replies, such as out-of-office messages, often compound these emails. Often, reply-all mail bombs are accidental rather than an email bomb attack. However, threat actors can spoof email addresses and related automatic replies and direct them to spoofed addresses.
- Zip bomb. A zip bomb, also known as a decompression bomb or zip of death attack, is a large and compressed archive file sent to an email address that, when decompressed, consumes available server resources and impacts server performance.
In the past, mail bombs were used to punish internet users who were egregious violators of netiquette -- for example, people using email for undesired advertising or spam. Today, senders of mail bombs expose themselves to reciprocal mail bombs or legal action.
How do you defend against mail bombs?
To defend against or prevent mail bombs, organizations must enforce security policies that address user behavior and technical processes.
For example, users should avoid using work email addresses to subscribe to non-work-related services. Additionally, users should limit their online exposure to direct email addresses by using contact forms that do not expose email addresses.
See also: risk mitigation, acceptable use policy, corporate email policy, most important email security protocols and common types of malware attacks and how to prevent them.