|Situation||You are suddenly receiving a large amount of unwanted email. This is primarily made up of confirmation emails for websites, newsletters or forums that you did not sign up for.|
|Solution||Although this type of attack is difficult to prevent, the suggestions below can help reduce its impact. Use all of these actions only temporarily, until the attack subsides.|
You may suddenly be bombarded by hundreds of unsolicited email messages, possibly even in other languages. This typically indicates you are the victim of what is sometimes called an email bomb or a form attack.
What is an email bomb?
This occurs when somebody intentionally enters an email address into an automated script that registers the email address at thousands of websites around the world. The email showing up in the user's mailbox is the result of all of those unwanted registrations. The messages are nearly all confirmations of registering, or signing up for a newsletter, or creating an account, etc.
Why aren't they stopped?
Because the messages are essentially legitimate (as far as the sender is concerned, they are replying to someone who legitimately signed up for their service), many of them will not receive a high spam score and will consequently not be stopped by our engine. A combination of the following steps may help minimize the impact of this type of attack:
Possible solutions (Temporary)
Recognize that any of these steps will have consequences if left in place long term and should be considered temporary remediation steps to take only until the attack ends. These attacks typically die down substantially after several hours and are usually over within a couple of days.
- Since many of these messages will be recognized as bulk, make sure the Quarantine bulk email option is enabled for that user (found in the Spam settings).
- Temporarily lower the spam sensitivity slider (at Company Settings > Spam). This reduces the threshold for messages to be quarantined.
- Create a custom filter that allows only email from the United States, as the majority of these messages come from other countries (at Company Settings > Filters).
- Create a custom filter to quarantine messages with the word "verification" or "confirmation" (or "confirm", or "welcome", or ...) in the Subject (or even in the body).
This should only be considered an extreme, last-resort option.
- (More extreme) Temporarily disable the user's account in Proofpoint until the storm subsides.
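To decide when to apply these temporary steps and when to lift them, the pattern described above (a burst of sign-up confirmations to one mailbox from many unrelated sites) can be detected from message metadata. The following is an added example, not Proofpoint code; the window and thresholds are assumptions to tune, and the sample messages are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Subject keywords from the filter suggestion above.
SIGNUP_RE = re.compile(r"\b(verif\w*|confirm\w*|welcome)\b", re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_MESSAGES = 20                # assumed: sign-up mails per window
MIN_DOMAINS = 15                 # assumed: distinct sender domains per window
START = datetime(2024, 1, 1, 9, 0, 0)

def detect_bombs(messages, window=WINDOW, min_messages=MIN_MESSAGES,
                 min_domains=MIN_DOMAINS):
    """messages: (timestamp, recipient, sender, subject) tuples sorted by time.
    Returns {recipient: timestamp at which both thresholds were first crossed}."""
    recent, alerts = {}, {}
    for ts, rcpt, sender, subject in messages:
        if not SIGNUP_RE.search(subject):
            continue                      # not a registration-style message
        rcpt = rcpt.lower()
        q = recent.setdefault(rcpt, deque())
        q.append((ts, sender.rsplit("@", 1)[-1].lower()))
        while ts - q[0][0] > window:      # drop entries older than the window
            q.popleft()
        # Many messages from ONE domain is an ordinary bulk sender; a bomb is
        # many messages from many unrelated domains.
        if (rcpt not in alerts and len(q) >= min_messages
                and len({d for _, d in q}) >= min_domains):
            alerts[rcpt] = ts
    return alerts

def sample_messages():
    """Constructed data: one bombed mailbox, one mailbox with a noisy sender."""
    subjects = ["Please confirm your subscription", "Welcome to our forum",
                "Verification required"]
    msgs = []
    for i in range(30):
        ts = START + timedelta(seconds=10 * i)
        msgs.append((ts, "victim@example.com", f"noreply@site{i}.example",
                     subjects[i % 3]))
    for i in range(25):
        ts = START + timedelta(seconds=10 * i)
        msgs.append((ts, "bob@example.com", "orders@shop.example",
                     "Confirm your order"))
    msgs.append((START, "bob@example.com", "amy@example.com", "Lunch on Friday?"))
    return sorted(msgs, key=lambda m: m[0])

if __name__ == "__main__":
    for rcpt, when in detect_bombs(sample_messages()).items():
        print(f"possible email bomb against {rcpt}, threshold crossed at {when}")
```

Running the same check over later mail shows when the volume has dropped back below the thresholds, which is the point at which the temporary filters should be removed.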