Customer suddenly started receiving an inordinate amount of unwanted email
Posted by Michael Gabbitas, Last modified by Michael Gabbitas on 05 April 2018 05:42 PM

Occasionally a customer will report suddenly being bombarded by hundreds of unsolicited email messages, possibly even in other languages. This typically indicates that the customer is the unfortunate victim of what is sometimes called an "email bomb" or a "form attack": somebody intentionally and maliciously entered the email address into an automated script that registered it at thousands of websites around the world. The email showing up in the user's mailbox is the result of all of those unwanted registrations. The messages are nearly all confirmations of registering, signing up for a newsletter, creating an account, etc.

Because the messages are essentially legitimate (as far as the sender is concerned, they are replying to someone who "legitimately" signed up for their service), many of them will not receive a high spam score and will not be stopped by our engine.

There are, however, a few things the customer can consider doing that will help minimize the impact of this type of attack.

  • Since many of these messages will be recognized as "bulk", make sure the Quarantine bulk email option is enabled for that user (found in the Spam settings).
  • Temporarily lower the spam sensitivity slider - reducing the threshold for messages to be quarantined. 
  • Create a custom filter that allows only email from the United States - since the majority of these messages often come from other countries. 
  • Create a custom filter to quarantine messages with the word "verification" or "confirmation" (or "confirm", or "welcome", or . . . ) in the Subject (or even in the body).
  • (More extreme) Temporarily disable the user's account in Proofpoint until the storm subsides.

Any of these steps will have consequences, so treat them as temporary remediation to use until the attack ends. These attacks typically die down substantially after several hours.
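Before enabling the Subject keyword filter, its effect can be previewed offline against a sample of the affected mailbox. The script below is an added example, not Proofpoint code or filter syntax: it applies the keywords from the list above to message subjects, decoding RFC 2047 encoded-words first. The sample messages, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Subject keywords suggested in the article for the custom filter.
KEYWORDS = ("verification", "confirmation", "confirm", "welcome")
PATTERN = re.compile("|".join(map(re.escape, KEYWORDS)), re.IGNORECASE)

def subject_of(raw):
    """Return the Subject with RFC 2047 encoded-words decoded."""
    msg = message_from_string(raw)
    return str(make_header(decode_header(msg.get("Subject", ""))))

def would_quarantine(raw):
    """True if the decoded Subject contains any of the keywords."""
    return bool(PATTERN.search(subject_of(raw)))

def preview(messages):
    """Split messages into (quarantined, delivered) lists of subjects."""
    quarantined, delivered = [], []
    for raw in messages:
        bucket = quarantined if would_quarantine(raw) else delivered
        bucket.append(subject_of(raw))
    return quarantined, delivered

# Constructed sample messages (not real mail).
SAMPLE = [
    "From: news@shop.example\nSubject: Please confirm your subscription\n\n.",
    # Base64 encoded-word; decodes to "Welcome!" and only matches once decoded.
    "From: list@forum.example\nSubject: =?UTF-8?B?V2VsY29tZSE=?=\n\n.",
    # Sign-up mail in another language: no English keyword, so it is delivered.
    "From: alta@tienda.example\nSubject: Bienvenido a nuestro boletin\n\n.",
    # Legitimate mail the filter also catches (a consequence of the filter).
    "From: orders@pharmacy.example\nSubject: Order confirmation #1234\n\n.",
    "From: colleague@corp.example\nSubject: Lunch on Friday?\n\n.",
]

if __name__ == "__main__":
    q, d = preview(SAMPLE)
    print("quarantined:", q)
    print("delivered:  ", d)
```

The preview shows both side effects of a keyword filter: a legitimate order confirmation is quarantined, while a sign-up message with no English keyword is still delivered.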
