Newsletter bombs are the new DDoS
So-called 'newsletter bombs' are increasingly being sent to the publicly known email addresses of journalists, companies, and also dot-gov email addresses. These attacks send thousands of fake newsletter sign-up emails to targeted email addresses, rendering the attacked mailbox useless.
According to German secure email service Tutanota, which had its own main contact address targeted, these attacks are easy to execute because most newsletter sign-up forms have no protection against malicious bot sign-ups.
"Being a secure email service, the irony of not being able to use our main mailbox was particularly depressing", says Matthias Pfau, co-founder and developer of Tutanota. "Dozens of emails were arriving in our inbox every minute, and searching for legitimate emails among this vast number of sign-up emails became quickly impossible. These were definitely two very stressful weeks for us."
Tutanota's blacklists and spam filtering were also unable to filter out the unwanted newsletter sign-up emails as the crawler cleverly abuses otherwise legitimate email servers. "Our first move right after the attack was to search the internet for similar attacks and protection methods against this. But with no luck", says Pfau. "The reason is simple: It is impossible for email services to differentiate between legitimately signed up for newsletters and newsletters that were being signed up for illegitimately by an attacker."
Tutanota eventually tackled the problem by whitelisting important email addresses and email domains so that legitimate messages would be delivered to the inbox. All other emails were sent to the spam folder, and the sender was notified if it could be authorized via SPF (to prevent backscatter). The notification contains a link that the sender can use to get whitelisted immediately and to move the mail to the inbox automatically. The original attackers are not able to click this link, as they never receive the responses.
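The routing rule described above can be sketched as follows. This is an added example, not Tutanota's code: the function names, the HMAC-signed link token, and the SPF verdict passed in as a string from the receiving mail server are all assumptions made for illustration, and the addresses are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side secret per mailbox
# Constructed allowlist holding both full addresses and whole domains.
ALLOWLIST = {"alice@partner.example", "press.example"}

def is_allowlisted(sender: str) -> bool:
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    return sender in ALLOWLIST or domain in ALLOWLIST

def make_token(sender: str, message_id: str) -> str:
    # Binds the link to one sender and one quarantined message.
    msg = f"{sender.lower()}\n{message_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def triage(sender: str, message_id: str, spf_result: str):
    """Return (folder, token). A token means: send the notification."""
    if is_allowlisted(sender):
        return "inbox", None
    if spf_result == "pass":
        # Sender address is authenticated, so the notification reaches
        # the real sender and not a forged third party.
        return "spam", make_token(sender, message_id)
    # SPF did not pass: stay silent to avoid backscatter.
    return "spam", None

def redeem(sender: str, message_id: str, token: str) -> str:
    """Sender followed the link: verify, allowlist, release the mail."""
    expected = make_token(sender, message_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return "spam"
    ALLOWLIST.add(sender.lower())
    return "inbox"

if __name__ == "__main__":
    # Constructed messages: (sender, message id, SPF verdict).
    for s, m, spf in [("bob@press.example", "m1", "none"),
                      ("news@shop.example", "m2", "pass"),
                      ("news@shop.example", "m3", "softfail")]:
        print(s, spf, triage(s, m, spf))
```

Only a sender who actually receives the notification can present a valid token, which is why a bot that filled in the sign-up form never gets allowlisted.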
"After having 'survived' this attack, we ask all newsletter companies to properly protect their sign-up forms against malicious bot sign-ups. But judging from the vast amount of newsletters we have received in the past two weeks from all kinds of websites around the world -- approx. 500,000 -- we are pretty sure that this is never going to happen", says Pfau. "That's why we have implemented our own protection method against newsletter bombs, and we will soon roll out this feature to Tutanota users as well."
You can find out more on the company's blog.