Cybersecurity Threat Advisory 0064-19: Email Bombing
Technical detail and additional information
What is the threat?
Why is this noteworthy?
What is the exposure or risk?
What are the recommendations?
- Use email filters that rate-limit or quarantine near-identical messages (same sender, subject or body fingerprint) arriving at a single recipient within a short, configurable window; a sudden burst of such messages is what distinguishes a bombing run from normal traffic.
- Configure the mail server to reject messages above a set size limit, including any whose attachments exceed a set size.
- Do not compound the problem by interacting with, forwarding, or replying to the spammed email. That includes not clicking unsubscribe links unless the sender has been confirmed to be legitimate.
- Implement Domain-based Message Authentication, Reporting and Conformance (DMARC), which builds on SPF and DKIM, so that receiving servers can verify mail claiming to come from your domains and those domains are protected from being used for spoofing, phishing scams, and other cybercrime. DMARC identifies your organization's legitimate mail to other mail servers; the more organizations that publish an enforcing policy, the less room threat actors have to masquerade as legitimate senders. Note that DMARC protects your own domain from impersonation; it does not by itself filter inbound mail that authenticates correctly under a sender's own domain.
- Ensure out-of-office, bounce-back, and other automatic messages are sent at most once per sender, so that two auto-responders cannot lock each other into an endless loop of recurring replies. If such automated messages are not required for business purposes, disable them entirely.
- Where possible, restrict send permissions on distribution lists so that only internal, authorized users can post to them.
- Avoid publishing plain-text email addresses online; malicious actors scrape web pages for addresses and then target them with email bombing and spam. Not every address can be kept offline given how modern communication works, but companies can limit which addresses are posted and so limit how many are harvestable.
- If an inbox is overloaded, avoid mass-deleting email during the attack, since legitimate messages (and the headers an investigation needs) are lost along with the flood; use mail rules to filter the spam instead.
- Ensure critical inboxes have failover delivery and alerting so that mail is not silently lost to automated deletion or to exceeding mail storage limits.
- Notify the email service provider (the internal IT team, managed service provider, Office 365, Gmail, etc.) if one or more users cannot send or receive mail from multiple internet connections and on multiple devices, if users begin receiving very large numbers of emails unrelated to business purposes, or if they receive unusually large messages unrelated to business purposes.
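To make the filtering, size-limit and auto-reply recommendations above concrete, the following is an added example written for this page (it is not code from the advisory or its publisher). It sketches the server-side logic in Python: a sliding-window detector that flags near-identical or high-volume bursts aimed at one recipient, a message-size cap, and an out-of-office guard that replies to each sender once and skips automated or bulk mail. The thresholds, the header conventions relied on (RFC 3834 Auto-Submitted, Precedence, List-Id), and all sample traffic are constructed assumptions, not values taken from the advisory.

```python
"""Inbound-mail guardrails against email bombing: per-recipient burst
detection, a size cap, and a once-per-sender auto-reply guard.
Added example, not the advisory's code; thresholds and data are assumed."""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed policy knobs; tune to your own traffic baseline.
BURST_WINDOW = timedelta(minutes=5)   # sliding window for counting
DUP_THRESHOLD = 5                     # near-identical messages to one recipient
VOLUME_THRESHOLD = 20                 # any messages to one recipient
MAX_MESSAGE_BYTES = 25 * 1024 * 1024  # assumed server-side size cap (25 MiB)


@dataclass
class Message:
    ts: datetime
    rcpt: str
    sender: str
    subject: str
    size: int


def fingerprint(subject: str) -> str:
    """Normalise a subject so variants differing only in digits or punctuation
    collide: lower-case, strip digits and non-word characters, collapse spaces."""
    return re.sub(r"[\d\W_]+", " ", subject.lower()).strip()


class BurstDetector:
    """Sliding-window counters keyed by (recipient, subject fingerprint) and by
    recipient alone. Feed messages in timestamp order."""

    def __init__(self, window=BURST_WINDOW, dup_threshold=DUP_THRESHOLD,
                 volume_threshold=VOLUME_THRESHOLD):
        self.window, self.dup_threshold, self.volume_threshold = window, dup_threshold, volume_threshold
        self._dups = defaultdict(deque)    # (rcpt, fingerprint) -> timestamps
        self._volume = defaultdict(deque)  # rcpt -> timestamps

    @staticmethod
    def _push(q: deque, ts: datetime, cutoff: datetime) -> int:
        q.append(ts)
        while q and q[0] < cutoff:  # drop timestamps that fell out of the window
            q.popleft()
        return len(q)

    def observe(self, msg: Message) -> Optional[str]:
        """Record msg and return the rule it trips, or None. Messages below the
        threshold pass, as they would in a live filter."""
        cutoff, rcpt = msg.ts - self.window, msg.rcpt.lower()
        dups = self._push(self._dups[(rcpt, fingerprint(msg.subject))], msg.ts, cutoff)
        vol = self._push(self._volume[rcpt], msg.ts, cutoff)
        if dups >= self.dup_threshold:
            return "duplicate-burst"
        if vol >= self.volume_threshold:
            return "volume-burst"
        return None


def oversize(msg: Message, limit: int = MAX_MESSAGE_BYTES) -> bool:
    return msg.size > limit


def classify(messages: List[Message], detector: Optional[BurstDetector] = None):
    """Return [(msg, verdict)]; verdict is accept, oversize, duplicate-burst or volume-burst."""
    detector = detector or BurstDetector()
    out = []
    for m in sorted(messages, key=lambda m: m.ts):
        burst = detector.observe(m)  # count it even when rejected for size
        out.append((m, "oversize" if oversize(m) else (burst or "accept")))
    return out


def verdict_counts(results) -> Dict[str, int]:
    return dict(Counter(v for _, v in results))


def should_auto_reply(headers: Dict[str, str], sender: str, replied: Set[str]) -> bool:
    """Out-of-office guard: reply at most once per sender, never to automated or
    bulk mail (RFC 3834 Auto-Submitted, Precedence: bulk/list, List-Id)."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if h.get("auto-submitted", "no") != "no":
        return False
    if h.get("precedence") in ("bulk", "list", "junk") or "list-id" in h:
        return False
    if sender.lower() in replied:
        return False
    replied.add(sender.lower())
    return True


def sample_messages() -> List[Message]:
    """Constructed traffic: one normal mail, six sign-up confirmations from
    different sites that differ only in a reference number, one oversize mail,
    then one more normal mail."""
    base, victim = datetime(2019, 1, 1, 9, 0, 0), "victim@corp.example"
    msgs = [Message(base, victim, "alice@partner.example", "Q1 budget review", 40_000)]
    for i in range(1, 7):
        msgs.append(Message(base + timedelta(seconds=20 * i), victim, f"noreply@shop{i}.example",
                            f"Please confirm your subscription (ref {1000 + i})", 12_000))
    msgs.append(Message(base + timedelta(seconds=200), victim, "bob@partner.example", "Scan", 30 * 1024 * 1024))
    msgs.append(Message(base + timedelta(seconds=240), victim, "alice@partner.example", "Lunch?", 3_000))
    return msgs


def synthetic_flood(rcpt: str, count: int, start: datetime = datetime(2019, 1, 1, 9, 0, 0)) -> List[Message]:
    """Constructed: `count` messages with distinct subjects to rcpt, one per second."""
    return [Message(start + timedelta(seconds=i), rcpt, f"s{i}@site{i}.example", "word " + "a" * i, 1_000)
            for i in range(count)]


if __name__ == "__main__":
    for m, v in classify(sample_messages()):
        print(f"{m.ts:%H:%M:%S} {m.sender:<26} {v:<16} {m.subject}")
```

Run stand-alone, the script prints a verdict per message: the first four confirmations pass, the fifth and sixth trip the duplicate rule, and the 30 MiB message is rejected for size. Keying the duplicate counter on a normalised subject rather than the sender matters because a bombing run typically arrives from many unrelated senders; the per-recipient volume counter catches floods whose subjects do not collide at all.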
For more in-depth information about the recommendations, please visit the following links: