Diving into Email Bomb Attack

AuthorSchneider, M.; Shulman, H.; Sidis, A.; Sidis, R.; Waidner, M.
TypeConference Paper
AbstractWe explore Email Bomb - a particularly devastating type of Denial of Service (DOS) attack that recently gained traction. During the attack Email account of a victim is targeted with a flood of Emails. Existing anti-spam defences fail at filtering this Emails' flood, since the Emails are not sent from spoofed addresses, but originate from legitimate web services on the Internet which are exploited as reflectors. We perform a two-year study of the Email bomb attack and the affected actors - the victims and the reflectors. We show that although the attack is rented for one day, the Email flood proceeds over longer time periods often lasting months after the initial attack. We identify the properties that allow the attackers to recruit web sites as potential reflectors and demonstrate how the attackers harvest web reflectors. We show that even popular Alexa web sites, such as, are exploited to launch Email bomb attacks. The main problem is that such attacks are extremely simple to launch and can be rented for 5USD on darknet. We setup a tool which periodically collects and analyses the Emails received during the attack, the analysis as well as the data is presented online at We argue that email bomb attacks do not only pose inconvenience and hinder the ability of victims to function, but also we provide the first demonstration how such attacks can be leveraged for hiding other devastating attacks which take place in parallel. We show that existing countermeasures fall short of preventing email bomb attacks and provide effective mitigation recommendations that are based on our study of this attack.
ConferenceInternational Conference on Dependable Systems and Networks (DSN) 2020