Subscription Bombing: What Is It? And What Can Be Done About It?

At one time or another, many of us have been the recipient of massive numbers of emails flooding our inbox from newsletter subscriptions or opt-ins that we’ve never signed up for. It’s called Subscription Bombing, and while it’s quite common, most people don’t know how or why it happens.

Let’s first establish that it’s nothing you’ve done, specifically. However, just because it doesn’t seem to have a specific intent doesn’t mean there isn’t one lurking in the background.

What is Subscription Bombing?

Subscription bombing is essentially a diversion tactic. Your inbox will be so overwhelmed with traffic that you won’t likely see the culprit, generally, one email saying your password has been changed or that there is fraudulent activity on your account.

Here’s how it works: An attacker uses automated tools to submit an email address to as many contact forms and signup forms as possible, thereby flooding your inbox. The ultimate purpose of this kind of attack is usually to distract you from another email that the attackers do not want you to see.

Some of the reasons why a malicious player might be subscription-bombing you include:

  • Attempting to transfer your domain away from you
  • Gain access to financial or social accounts
  • Hide evidence of fraudulent financial transactions
  • Damage your company’s reputation
  • As a component of a more widespread DDoS attack

Why is Subscription Bombing So Difficult to Block?

Annoying though it is, email filters won’t flag incoming emails as malicious because they come from legitimate sources. Even the most advanced virus or spam filter can’t tell the difference between a newsletter you signed up for and a newsletter that someone else signed up for using your email address.

There are a few strategies to block this type of activity, but you should be aware of the limitations of these approaches.

1.      Manually Unsubscribe

For sites with a double opt-in process, you will only receive one email asking you to confirm your email address. As long as you don’t do that, you won’t receive any more messages from that site. However, for sites that don’t have a double opt-in process, you will have to unsubscribe manually.

2.      Country-Code Blocking

Your spam filtering and virus protection service can block requests that come from another country in another language using country code blocking. Let them know which countries you want to receive email from, and they will block the rest.

3.      Mark as Spam

Once you have manually gone through all of the fraudulent emails to filter out the ones you want, you can mass-select them and mark them as spam. This will automatically block the sender.

4.      Block All Newsletters and Subscriptions

Your email filter can be set to block all newsletters and subscriptions. However, some legitimate mail is likely to get caught up in the process, which would require you to manually add the domains from which you still want to receive email to your Allow list.

What To Do if You’ve Been Subscription-Bombed

When your inbox is flooded with useless messages, it’s tempting to mass-delete everything. Keep in mind, the subscription-bomber is banking on your annoyance and impatience.

Instead, here’s what you should do:

  • Resist the urge to mass-delete your entire inbox.
  • Take your time and look carefully for any messages that say your password has been changed or that there is fraudulent activity on any of your accounts.
  • Check your financial accounts (Amazon, PayPal, bank accounts) for fraudulent transactions.
  • Check the archives and recently deleted items in your Amazon, iTunes, PayPal, and other shopping accounts as the malicious actor might have attempted to hide the transaction.
  • Change your passwords immediately.
  • Remove one-click payments and saved credit card information from your account profiles.
  • Activate two-factor or multi-factor authentication on all accounts.
  • Create and customize filters on your email to help stem the flow.
  • Contact your email hosting provider to find out what they can do.

How MX Guardian Helps

While subscription bombing attacks are challenging to block, MX Guardian can help.

If you manage your own email infrastructure, our cloud-based solution can be deployed as a front-end intervention to malicious messages from entering your network. MX Guardian offers more customized filtering and rules options than embedded spam filters, helping to keep you and your accounts safe 24/7.

Sign up today for a full-featured 30-day free trial and stop subscription-bombers in their tracks.