Disarming the email bomb
Experts call for new defenses as an old attack rears its head again
The first sign of trouble came just after midnight.
It didn’t look like much – just a junk email, the kind you get when you sign up for a mailing list. The only problem: the recipient, a middle manager in the airline industry, hadn’t signed up for anything.
Within an hour, there were 93 more messages just like it. The next hour? 763. Then another 828 on top of that.
This wasn’t spam. This was a cyberattack.
It was an “email bomb,” a type of denial-of-service attack that’s as old as the commercial Internet itself. All told, it battered the victim’s inbox with more than 6,500 messages in 12 hours. They slipped past spam filters, bogged down the server and ultimately blocked legitimate business communications for nine hours.
Email bombs are back, according to recent research by experts from Forcepoint, a commercial cybersecurity company jointly owned by Raytheon. They are “more sophisticated, prevalent, devastating and varied in their targets,” the researchers say, making a case for new defenses like machine learning to flag suspicious spikes in incoming mail and head them off before they break their inbox targets.
Not only are email bombs resurgent, they're also cheap. The researchers say they found ads offering to bomb inboxes for as little as 70 cents per 1,000 emails.
"The target of an attack could be anyone," said Cristina Houle, who co-wrote the article with colleague Ruchika Pandey. "We're all at risk."
Beyond the CAPTCHA
Email bombing dates back to the late 1990s, with high-profile attacks on targets that included Langley Air Force Base in Virginia. Two key factors make them particularly dangerous today:
- The messages get around traditional filters: they’re mainly harmless, automated, sign-up notifications from legitimate internet forums, newsletters, mailing lists and similar services.
- The number of those sites has grown dramatically, and their security measures – if they have them at all – are no match for modern, automated hacking tools.
Email bombs are the reason we have CAPTCHAs, those little "type this text" tests websites served up to distinguish people from robots. The problem with CAPTCHAs (trivia: it stands for Completely Automated Turing Test To Tell Computers and Humans Apart) is that not everyone uses them, the authors write.
Other older defenses include something called "confirmed opt-in," which sends an email to the person registering for the website or mailing list. The trouble there is that it solves one problem, but creates another: A thousand confirmation emails from a thousand different sites are just as bad as a thousand unwanted emails from a single site.
“They weaponized the mitigation,” Pandey said. “And we’re playing catch-up again.”
So, rather than focusing defenses solely on the problem's point of origin, Houle and Pandey recommend defending the target as well. Specifically, they call for automated tools that speed-read emails for indicators of attack, looking for phrases like “welcome to” and “account details” and languages not normally seen on the user’s network.
All to fend off a resurgent style of cyberattack few have worried about since the days of AOL Instant Messenger.
"Everything old is new again," Houle said. "People have been focusing on the site management. For us, it's just clear more has to be done on this end."