One or more users are receiving thousands of emails from different subscription websites in a short period of time.

Subscription Bombing happens when a victim’s email address is harvested from the web and entered into thousands of web forms simultaneously by bots, resulting in a barrage of unwanted messages (sometimes as many as 20k+) to the victim’s mailbox. When this happens, the victim’s email address will often become unusable as a result of the sheer volume of mail that’s delivered to the single email address.

This type of attack is almost impossible to prevent because a user with a valid email address can spam any other valid email address, newsgroup, or bulletin-board service. In this case, the attack can be carried out automatically with simple scripts submitting the email address to thousands of unprotected registration forms without proper sign-up verification such as implementing CAPTCHA or Opt-in email.

Detection

Due to the nature of the attack where the e-mail address(s) are typically signed up to multiple legitimate mailing lists which makes it very difficult for detection as these would generally be legitimate mailings.

To help mitigate the attack, make sure to:

• Implement our Spam control best practice settings.
• Make sure to enable Newsletter filtering.

Prevention/Reaction

For affected email addresses you can create a new policy group for these users that removes newsletter and marketing emails by using a verdict that prevents delivery:

About policy groups

Alternatively, you can tag these mail items and deliver them to be handled by the recipient mail server or email client. The default rules for marketing/newsletter detection tags the mail items by modifying the subject line to include the detected category. Another potential way to tag the items would be to add a message header that can be read and acted upon by other mail processes to move the messages into a separate folder, such as a junk folder, for example.
 

Clean-up process:

• Make sure that the user's email address is not listed on the web where it can be harvested by any bot.
• Simply run a web search for the user's email address on Google's search engine or any other popular search engine.
• If listed, proceed to work with the email list to get the email address removed.
• If the email is coming up with the search results but does not show up in the email list, proceed to submit the URL to Google to remove outdated search results. Other web search providers also have their own removal processes, such as Bing and Yahoo.
• Efforts to help clean up the user's mailbox can be extensive, the user's email address can be changed or renamed to help expedite this process.