How spam bombing forced me to abandon my e-mail address and what I learned from it
What happened
One day, I opened up my inbox to do the occasional check for email. Since I try to unsubscribe from every newsletter, I usually only get around 3 to 5 mails a day. But what I discovered that day was very different. My inbox contained 847 mails with none of them making any sense. They were in all kinds of different languages. And they came from websites that I had never heard of (and as it turned out, that do not even exist).
I instantly knew that something was wrong. I started to panic, thinking that someone got into my e-mail account and was now able to access all my other accounts by resetting passwords.
After I calmed down a bit I realized: Hang on, to send an email, all you need is the e-mail address itself.
I did some research and discovered that I had become a victim of “mail bombing” or “spam bombing”: Your e-mail address is “bombarded” with lots of generated e-mails, sometimes with large attachments to fill up your inbox.
As a side note: Here in Germany we have the so-called Impressumspflicht. It obligates every website maintainer to have contact data like an e-mail address available on the website. So my e-mail address actually was “out in the wild”.
To spoil one thing: Up until this point I only had one main e-mail address I sort of used for everything: To sign up for websites or online shops, to give away to people to contact me and yes, also as the contact e-mail address on my website.
Why is someone doing this?
The first question I asked myself was: Alright, why is someone doing this? Only to annoy me? Well, as I found out, that could actually be the sole reason. Yet, it could also be way more serious than that. The attacker might have actually been able to gain access to one of your shopping accounts, e.g. your Amazon account, and got your e-mail address that way. Now this person wants to make use of this and order stuff via your Amazon account. To cover up the order confirmations you usually get via e-mail, the attacker starts to flood your inbox with random other mail.
How I handled it
Looking back, I handled the situation in two phases. During the “hyper-care” phase I observed the situation and took care of the never-ending stream of incoming fake e-mails. After that, in a second phase, I started to look for long term solutions for the problem.
Hyper-care phase
During the first days/weeks my main concern was to figure out whether someone actually got access to one of my accounts.
So I checked my bank accounts for malicious activity at least once a day. I also looked into my shopping accounts for orders that I had not placed.
A trick attackers who gained access to an Amazon account use is to order something and “archive” the order so it does not appear in your list of orders. So make sure to also check your archived orders.
To handle the amount of incoming mail in my inbox I increased the sensitivity for spam in the settings of my e-mail provider. I also created some filters to spot incoming fake mails and move them into the spam folder. By doing this I was able to catch about 80-90% of all the incoming spam, which made the situation a lot better.
Be careful to not create your filters to be “too aggressive”. You do not want them to catch mails that are actually important.
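The filtering idea above, as an added example that is not part of the original post: a Python triage pass that never sends mail from known senders, or mail that looks like an order, password or payment notice, to spam, so the flood cannot bury it. The sender domains, keywords and sample messages are constructed assumptions; replace them with your own.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (not from the article): domains you really have accounts with,
# and subject keywords for mails an attacker would want buried in the flood.
KNOWN_SENDER_DOMAINS = {"bigshop.example", "mybank.example"}
ALERT_KEYWORDS = ("order", "bestellung", "password", "passwort", "payment", "zahlung")

def sender_domain(msg):
    """Return the lower-cased domain of the From header ('' if missing)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def triage(raw_messages):
    """Split raw RFC 5322 messages into 'review' (never auto-delete) and 'spam'."""
    buckets = {"review": [], "spam": []}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg.get("Subject", ""))
        domain = sender_domain(msg)
        # Exact domain or a true subdomain only, so "notbigshop.example" fails.
        known = any(domain == d or domain.endswith("." + d)
                    for d in KNOWN_SENDER_DOMAINS)
        alert = any(k in subject.lower() for k in ALERT_KEYWORDS)
        # A false positive costs one glance; a false negative can hide a
        # fraudulent order, so either signal keeps the mail out of spam.
        bucket = "review" if known or alert else "spam"
        buckets[bucket].append((domain, subject))
    return buckets

# Constructed sample flood: three sign-up mails hiding two mails that matter.
SAMPLE = [
    "From: News <no-reply@shop-a.example>\nSubject: Welcome to our newsletter\n\nHi",
    "From: Foro <alta@foro-b.example>\nSubject: Confirma tu registro\n\nHola",
    "From: Shop <orders@bigshop.example>\nSubject: Ihre Bestellung wurde versandt\n\n...",
    "From: Klub <info@klub-c.example>\nSubject: Witamy w klubie\n\nHej",
    "From: Security <noreply@unknown.example>\nSubject: Your password was changed\n\n...",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, len(items))
        for domain, subject in items:
            print("   ", domain, "|", subject)
```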
As a precaution, I also changed the passwords on each of my online shopping accounts. Although this was a bit of tedious work, using 1Password to manage my passwords made this a lot easier. I went through all my accounts in 1Password. To see for which accounts I had already changed the password, I added an asterisk (“*”) as a marker symbol to the title of the entry in 1Password.
Finding a long term solution
After observing the situation for about 2 weeks, it seemed like no one got access to one of my accounts.
So what should I do now? Well, the spam detection of my mail provider seemed to get better over time. But there were still around 30-50 spam mails per day “slipping through”, cluttering my inbox.
Seeing no other solution, I started to become comfortable with the idea of abandoning my e-mail address. But changing to a new mail address is a big thing. You have to change it in all your accounts. Adjusting the e-mail address in an account sometimes requires a verification. You also have to inform friends and colleagues about your new mail address. And I guarantee you: Not everyone will remember this. Someone will still send mails to the old address (and I do not blame them).
Assuming I would actually move to a new e-mail address - how could I protect myself from this happening again? I realized that it might be a good idea to actually not have one e-mail address but to have many.
I also discovered that e-mails sent to different mail addresses do not actually have to arrive in different inboxes. E-Mail aliases enable you to have different e-mail addresses that all arrive in the same inbox. Depending on your e-mail provider, it might also be possible to sort mails arriving through different aliases into different folders.
One idea I had was to create a couple of e-mail aliases, corresponding to different “tiers of trust”:
- One mail address that I only give away to people I trust (family & close friends)
- one e-mail address for my “professional life”,
- one e-mail address that is “out in the wild”. I am mentally prepared to abandon this e-mail address at some point in the future and move to a new one, e.g. when it was picked up by spam bombing again.
To sign up for websites, online shops etc., I could have extra e-mail aliases. E-Mail providers like Protonmail offer “email sub-addresses”. They enable you to add “+something” to your regular e-mail address to create new aliases.
To completely anonymize your e-mail address, consider using a service like https://simplelogin.io. Apple also offers something similar called Hide My Email.
Summary
So to sum things up, if you have also become a victim of spam bombing, I recommend the following tips:
- Do not sift through your inbox manually.
- Do not mass delete e-mails from your inbox as you might delete important ones. This is exactly what the attacker wants.
- Create filters that catch similar incoming fake mails and sort them into your spam folder. Apply these filters to your inbox to clean it up.
- If possible, adjust the sensitivity of the spam recognition your mail provider offers.
- Check your shopping accounts and your bank accounts for malicious activities.
- Consider creating different e-mail aliases for different “tiers of trust”.
- Consider using a service like https://simplelogin.io to create completely anonymized e-mail aliases.
Conclusion
Looking back, having my one e-mail address exposed all the time, I’m actually a bit astonished that it took so long for it to be picked up by an attacker and to become a target of spam bombing.
But, apart from the fact that I had to abandon this e-mail address, there was no further damage. But it was a good reminder that the World Wide Web can be a dangerous place and that you have to think about what you put out there.