What is Email Bombing?

Email bombing is a form of denial of service attack that floods an inbox and mail server with messages. If enough messages are sent, the systems may be overloaded and they will stop working. Many Internet service providers (ISPs) regard email bombing as a violation of the terms of service and they will suspend accounts of people involved in such attacks.

There are several ways to coordinate an email bombing attack. One is to send large numbers of email directly, often using multiple accounts. Spreading the emails out over many accounts will also make it harder to pin down the source of the attack, and it will not tip off ISPs that flag high email volume from a single account. A virus can be written to hijack email accounts held by other people and use them to bomb the target.

Another option is so-called “list bombing,” where the subject is signed up for large numbers of mailing lists. Email bombers can also use tactics like displaying an email address on web pages in a format that is easy to bots to pick up, in the hopes that the target will be deluged in spam. Spam, however, may be filtered and held separately, making list bombing an appealing option because communications from mailing lists are usually sent right to the inbox.

The use of verification emails for mailing lists is designed to prevent abusive signups, but email bombing can involve workarounds. For example, the bomber can create a new email address for the signup, click the link in the confirmation email, and then set up the account to forward to the target. The target will receive the communications from the mailing list and will not be able to unsubscribe because the mailings are not being sent directly through the organization.

This type of attack can be a nuisance on a low level, but it can also become a serious problem. If email bombing is targeted at a professional or work email, someone might not be able to access emails for work. If the server gets overloaded or the inbox is full, legitimate emails sent to the target may be refused, and the target will not be able to send emails out. It can also become a security issue if the email bombing includes emails with embedded viruses, malware, or spyware and the sender accidentally opens these.

There are a variety of techniques that can be used to address email bombing. Maintaining multiple email addresses for different activities can help. Protections on the server can include temporary suspensions of accounts that appear to be targets of email bombs while the situation is addressed.