An email bomb is a form of Internet abuse in which massive volumes of email are sent to a specific email address with the goal of overflowing the mailbox and overwhelming the mail server hosting the address, making it a form of denial-of-service (DoS) attack.
Email bombing is often done from a single system, in which one user sends hundreds or thousands of messages to another user. To send the messages quickly, the email bomber may use a script to automate the process; with a script it is possible to send several thousand messages per minute.
If performed successfully, an email bomb will leave the recipient with a pile of email messages in his or her inbox. It may also max out the recipient’s email quota, preventing the user from receiving new email messages. The result is a frustrating situation where the user has to manually delete the messages. If the recipient’s email client or webmail system does not allow the user to select all the unwanted messages at once, this process can take a long time to complete.
Many people around the world communicate through email. Whatever the provider (Gmail, Outlook, Rediffmail and so on), every email address is allotted a fixed amount of storage. For example, a Gmail user is allotted 15 GB of space for sending and receiving email (shared with the other Google services on the account).
In email bombing, a person uses a script or one of the tools available on the Internet and enters the targeted email address. When the script runs, a large number of emails is sent from one or more sending addresses to the target. The targeted address starts receiving hundreds of emails, which consume its storage quota. Once the storage is full, no new mail can be received at that address.
Methods of Email Bombing:
There are three methods of email bombing: mass mailing, list linking and ZIP bombing.
Mass mailing consists of sending numerous duplicate mails to the same email address. These mail bombs are simple to design, but their extreme simplicity means they are easily detected by spam filters. Email bombing by mass mailing is also commonly performed as a DDoS attack by employing "zombie" botnets: hierarchical networks of computers compromised by malware and under the attacker's control. As in spamming, the attacker instructs the botnet to send out millions or even billions of emails, but unlike normal botnet spamming, the emails are all addressed to only one or a few addresses the attacker wishes to flood. This form of email bombing is similar in purpose to other DDoS flooding attacks. As the targets are frequently the dedicated hosts handling both the website and the email accounts of a business, this type of attack can be just as devastating to both services.
This type of attack is more difficult to defend against than a simple mass-mailing bomb because of the multiple source addresses and the possibility of each zombie computer sending a different message or employing stealth techniques to defeat spam filters.
List linking, also known as an "email cluster bomb", means signing a particular email address up to several email list subscriptions. The victim then has to unsubscribe from these unwanted services manually. The attack can be carried out automatically with simple scripts: it is easy, almost impossible to trace back to the perpetrator, and potentially very destructive. A massive attack of this kind targeting .gov email addresses was observed in August 2016.
To prevent this type of bombing, most email subscription services send a confirmation email to the address when it is used to register for a subscription (double opt-in), and only activate the subscription if the recipient confirms. However, the confirmation emails themselves contribute to the attack. A better defence would prevent Web sites from being exploited without abandoning subscription forms. After a subscription form is filled out, the Web site would dynamically create a mailto link to itself. A legitimate user would then send a message to validate the request without receiving any email from the Web site. While the sender address in that message could be spoofed, the IP address of the SMTP server that delivers it cannot be forged in the same way, so the list manager can check that the address given in the form is consistent with the originating SMTP server of the validation message (for example by checking the server against the SPF record of the address's domain).
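As an added example (not part of the original article and not any real list manager's code), the double opt-in flow above in Python with two protections: a per-address rate limit on confirmation mails, so the form cannot be used to flood a victim with confirmations, and an HMAC-signed, expiring token bound to the address, so only someone who can read that mailbox can complete the subscription. The names, the signing key and the limits are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Hypothetical list-manager backend for this example; not any real product's code.
SECRET = secrets.token_bytes(32)   # assumption: per-deployment signing key (keep it out of source)
TOKEN_TTL = 24 * 3600              # confirmation links expire after one day
MAX_CONFIRMS_PER_ADDR = 3          # at most three confirmation mails per address ...
CONFIRM_WINDOW = 24 * 3600         # ... per 24 hours, so the form cannot be used to flood a victim


class ListManager:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock so the flow can be exercised offline
        self.subscribed = set()
        self.sent_log = defaultdict(deque)   # address -> timestamps of confirmation mails sent
        self.outbox = []                     # (address, token) pairs the stub mailer "sent"

    def _sign(self, address, issued):
        # The MAC covers the address and the issue time, so a token cannot be replayed
        # for another address or after it has expired.
        msg = f"{address}|{issued}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, address):
        """Handle a form submission. Returns 'sent', 'rate_limited' or 'already_subscribed'.

        Nothing is subscribed yet: the address only enters the list once confirm() succeeds.
        """
        address = address.strip().lower()
        if address in self.subscribed:
            return "already_subscribed"
        now = self.now()
        recent = self.sent_log[address]
        while recent and now - recent[0] > CONFIRM_WINDOW:
            recent.popleft()
        if len(recent) >= MAX_CONFIRMS_PER_ADDR:
            # This is where a list-linking attack is absorbed: the victim gets no further mail from us.
            return "rate_limited"
        recent.append(now)
        issued = int(now)
        token = f"{issued}.{self._sign(address, issued)}"
        self.outbox.append((address, token))   # a real system would email the confirmation link here
        return "sent"

    def confirm(self, address, token):
        """Activate the subscription only if the token is authentic, unexpired and for this address."""
        address = address.strip().lower()
        try:
            issued_s, mac = token.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return False
        if self.now() - issued > TOKEN_TTL:
            return False
        if not hmac.compare_digest(mac, self._sign(address, issued)):
            return False
        self.subscribed.add(address)
        return True


if __name__ == "__main__":
    lm = ListManager()
    for _ in range(4):
        print(lm.request_subscription("victim@example.org"))   # sent, sent, sent, rate_limited
    addr, tok = lm.outbox[0]
    print(lm.confirm(addr, tok))                                # True
```

The rate limit is what matters against list linking: after the third confirmation in a day the form silently stops generating mail for that address, whereas a plain double opt-in form would keep sending one confirmation per submission. A CAPTCHA on the form reduces the volume further but does not replace the per-address limit.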
A ZIP bomb is a variant of mail bombing. After most commercial mail servers began checking mail with anti-virus software and filtering certain malicious file types (EXE, RAR, ZIP, 7-Zip), mail server software was configured to unpack archives and check their contents as well. A new idea to defeat this was composing a "bomb" consisting of an enormous text file containing, for example, only the letter z repeated millions of times. Such a file compresses into a relatively small archive, but unpacking it (especially by early versions of mail servers) consumes a great deal of processing time, memory and disk space, which can result in a DoS. A ZIP or .tar.gz file can even contain a copy of itself, causing infinite recursion if the server unpacks nested archives without a depth limit.
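The check a mail gateway should apply before unpacking an attachment, as an added example in Python (not the article's or any mail server's code): it builds a small archive of repeated z characters in memory as a constructed sample, then scans it with three limits, the declared compression ratio, a total inflated byte budget enforced while decompressing in chunks (the sizes recorded in ZIP headers can lie), and a nesting depth, which also stops an archive that contains a copy of itself. The limits and file names are assumptions.

```python
import io
import os
import zipfile

# Limits a mail gateway might enforce before an archive reaches the AV engine
# (hypothetical values chosen for this example).
MAX_RATIO = 100                      # declared uncompressed:compressed ratio above this is suspicious
MAX_TOTAL_BYTES = 1 * 1024 * 1024    # never inflate more than 1 MiB per attachment, all levels combined
MAX_DEPTH = 3                        # archives nested more deeply than this are rejected
CHUNK = 64 * 1024


def make_sample_zip(payload, name="payload.txt"):
    """Build an in-memory ZIP holding one member (constructed sample data for the example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def make_incompressible_zip(size):
    """Constructed sample: random bytes, so the ratio is harmless but the inflated size is not."""
    return make_sample_zip(os.urandom(size), "random.bin")


def make_nested_zip(levels):
    """Constructed sample: a tiny text file wrapped in `levels` nested ZIP archives."""
    data = b"harmless text\n"
    name = "file.txt"
    for i in range(levels):
        data = make_sample_zip(data, name)
        name = f"inner{i + 1}.zip"
    return data


def scan_archive(data, depth=0, budget=None):
    """Return ('accept' | 'reject', reason).

    The header ratio check is cheap, but a crafted header can lie about sizes, so every member
    is also inflated in chunks against a byte budget shared across nesting levels, and members
    that are themselves archives are scanned recursively up to MAX_DEPTH (which also stops an
    archive that contains a copy of itself).
    """
    if budget is None:
        budget = [MAX_TOTAL_BYTES]
    if depth > MAX_DEPTH:
        return "reject", f"nested deeper than {MAX_DEPTH} levels"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "reject", "not a valid ZIP archive"
    with zf:
        for info in zf.infolist():
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return "reject", (f"{info.filename}: declared ratio "
                                  f"{info.file_size // info.compress_size}:1 exceeds {MAX_RATIO}:1")
            inflated = bytearray()
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        return "reject", f"{info.filename}: inflates beyond {MAX_TOTAL_BYTES} bytes"
                    inflated += chunk
            if zipfile.is_zipfile(io.BytesIO(bytes(inflated))):
                verdict, reason = scan_archive(bytes(inflated), depth + 1, budget)
                if verdict == "reject":
                    return "reject", f"{info.filename} -> {reason}"
    return "accept", "within limits"


if __name__ == "__main__":
    print(scan_archive(make_sample_zip(b"z" * (10 * 1024 * 1024))))   # classic z-bomb: rejected on ratio
    print(scan_archive(make_incompressible_zip(2 * 1024 * 1024)))      # harmless ratio, over budget
    print(scan_archive(make_nested_zip(5)))                           # too deeply nested
    print(scan_archive(make_nested_zip(2)))                           # accepted
```

The budget is shared across nesting levels deliberately: a bomb that hides a modest file inside each of many nested archives would otherwise pass each level's check individually. A gateway that only trusts the header sizes, or that extracts to disk before checking, is the "early version of mail server" the text refers to.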
Detection and Prevention of Email Bombing
If your system suddenly becomes sluggish (email is slow, or does not appear to be sent or received), the reason may be that your mailer is trying to process a large number of messages.
a) Use anti-virus software and firewall: –
You can reduce the chances of being attacked by using anti-virus software (which covers the attachment-based ZIP bomb variant) and a firewall configured to restrict inbound SMTP traffic, for example by limiting the number of connections accepted from any one source address.
b) Use email filter applications: –
Email filters are packages that manage unsolicited email by filtering messages according to their source address (and usually their content as well). Some of the email filters commonly used on Mac OS are:
• Personal AntiSpam X5
Filter package tools for Windows include:
• Email Chomper
• Spam Buster
• Cactus Spam Filter
c) Use Proxy Servers: –
It is difficult to filter each and every email bomb when the messages arrive from many different IP addresses. Such a situation can be mitigated with the help of a proxy server: a filtering mail gateway placed in front of the mail server, through which all mail for the computers on the network passes. The proxy applies its rules (source address reputation, connection and message rate limits, content checks) to the messages and requests it receives before relaying them to the hosts behind it. This filters malicious requests and messages from suspicious IP addresses before they reach the clients of the proxy server.
d) Use SMTP-level checks: –
Denial of service by mail can also be reduced at the level of the Simple Mail Transfer Protocol (SMTP), the protocol that carries messages between mail servers. Clients read their mailboxes using the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP), but they submit outgoing mail through a Mail Submission Agent (MSA), which authenticates them (SMTP AUTH) and transfers the mail to a Mail Transfer Agent (MTA) over SMTP.
When a remote server connects to deliver mail, the receiving MTA can examine the sender's IP address and DNS records (the reverse-DNS entry of the connecting address, the MX record and the SPF record of the claimed sending domain) and reject the message during the SMTP exchange, before it is accepted and queued, if they look suspicious. Rejecting at this stage costs the receiving server far less than accepting the message and filtering it later, which is what makes it useful against floods.
It is important to identify the source of the email bombs; once you have identified it, configure your router or firewall to drop incoming packets from that address. Review the email headers to determine the true origin of the messages: each mail server the message passes through adds a Received header, and only the headers added by your own servers can be trusted, since earlier ones can be forged by the sender. Handle the information related to the email bomb/spam according to the relevant policies and procedures of your organisation.
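The two analysis steps above, as an added example in Python that is not part of the original article: detecting a flood from a delivery log (a sliding window count per recipient, then the share of the flood each source IP contributed, turned into candidate firewall rules for an analyst to review) and recovering the originating IP from a message's Received headers by trusting only the line written by our own edge server. The log format, hostnames, IP addresses and the sample message are all constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from email import message_from_string

# Assumption for the example: the hostnames of our own mail servers. Only Received:
# lines written by these hosts are trustworthy; earlier hops can be forged by the sender.
OUR_HOSTS = {"mx1.example.org", "mailstore.example.org"}

# Constructed log format for the example: "<ISO timestamp> <client IP> <sender> <recipient>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
RCV_BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
RCV_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_log_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, sender, rcpt = m.groups()
    return datetime.fromisoformat(ts), ip, sender, rcpt.lower()


def find_bursts(lines, threshold=50, window=timedelta(seconds=60)):
    """Recipients that got more than `threshold` messages inside any `window`,
    mapped to a Counter of the client IPs that delivered to them."""
    per_rcpt = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            per_rcpt[rec[3]].append(rec)
    flagged = {}
    for rcpt, events in per_rcpt.items():
        events.sort(key=lambda e: e[0])
        recent = deque()
        for ev in events:                       # sliding window over timestamps
            recent.append(ev)
            while ev[0] - recent[0][0] > window:
                recent.popleft()
            if len(recent) > threshold:
                flagged[rcpt] = Counter(e[1] for e in events)
                break
    return flagged


def block_rules(flagged, min_share=0.2):
    """Candidate firewall rules for sources responsible for at least `min_share` of a flood.
    They are suggestions for an analyst to review, not something to apply blindly."""
    rules = []
    for rcpt, sources in flagged.items():
        total = sum(sources.values())
        for ip, n in sources.most_common():
            if n / total >= min_share:
                rules.append(f"iptables -A INPUT -p tcp --dport 25 -s {ip} -j DROP  # {n} msgs to {rcpt}")
    return rules


def origin_ip(raw_message, our_hosts=OUR_HOSTS):
    """IP of the client that handed the message to our edge MTA.
    Received: headers are prepended hop by hop, so the earliest is last; we walk from
    the bottom and return the from-IP of the first line that one of our hosts wrote."""
    msg = message_from_string(raw_message)
    for rcv in reversed(msg.get_all("Received", [])):
        by = RCV_BY_RE.search(rcv)
        ip = RCV_IP_RE.search(rcv)
        if by and ip and by.group(1).lower() in our_hosts:
            return ip.group(1)
    return None


def constructed_log():
    """90 messages to one victim from three list servers in 30 seconds, plus a little normal traffic."""
    base = datetime(2016, 8, 1, 10, 0, 0)
    sources = ["203.0.113.45", "198.51.100.7", "192.0.2.200"]
    lines = [f"{(base + timedelta(seconds=i // 3)).isoformat()} {sources[i % 3]} "
             f"noreply@list{i % 3}.example victim@example.org" for i in range(90)]
    lines += [f"{(base + timedelta(seconds=i * 10)).isoformat()} 203.0.113.9 "
              f"friend@example.net alice@example.org" for i in range(5)]
    return lines


SAMPLE_MESSAGE = """\
Received: from mx1.example.org ([10.0.0.5]) by mailstore.example.org with ESMTP; Mon, 1 Aug 2016 10:00:12 +0000
Received: from mail.list0.example (mail.list0.example [203.0.113.45]) by mx1.example.org with ESMTP; Mon, 1 Aug 2016 10:00:11 +0000
Received: from [192.168.1.20] (helo=signup-script) by mail.list0.example; Mon, 1 Aug 2016 10:00:10 +0000
From: noreply@list0.example
To: victim@example.org
Subject: Please confirm your subscription

Click the link below to confirm.
"""

if __name__ == "__main__":
    flagged = find_bursts(constructed_log())
    for rcpt, sources in flagged.items():
        print(rcpt, dict(sources))
    print("\n".join(block_rules(flagged)))
    print("origin of sample message:", origin_ip(SAMPLE_MESSAGE))
```

Note what origin_ip does not do: it ignores the bottom Received line (192.168.1.20), because that line was written by the sender's server and could say anything. For a list-linking attack the IPs recovered this way are the legitimate list servers, which is why blocking them is only a stop-gap and the real fix sits on the subscription side.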
e) Avoid replying or forwarding: –
Do not propagate the problem by forwarding (or replying to) spammed email.