Wednesday, December 18, 2019

Email Bomb. What is it and Why?

A few weeks ago I was alerted by PayPal and Amex that a $1000+ charge from eBay was made to my PayPal account.  Someone was able to use my PayPal account for a MacBook order with overnight USPS delivery.  These alerts stopped all transactions, but not the headache.

Within minutes I noticed that my linked email account had unusual activity.  I received welcoming messages from bulletin boards and companies, and instructions to confirm my online registration.

First a few dozen, then hundreds, then thousands!

The email avalanche continued through the evening, with many filling my Inbox and many more in the Spam box of my Gmail account.  Worried about missing real emails, I deleted the first hundred or so by hand, but then had to use mass delete to keep up with the 15,000+ messages in a few hours.  The Spam folder also had 10,000+, but they needed no action.  Blissfully, Gmail offers unsubscribe as part of its Inbox spam identifier, which I used.

This is called an Email Bomb.

While tracking the email avalanche I turned to the Internet for insight.  I surmised that the emails were used as a distraction, which the Internet search confirmed.  The culprit hopes that a spending alert gets lost in thousands of other emails, so that the order goes through undetected.  Luckily, not in this case, as I use text messaging to confirm large credit card orders.  I even know the source of my headache, as the USPS order included delivery details.  The culprit lives in Indianapolis.

I assume that the email bomb is created with a registration bot on websites that do not use captchas and such.  The result is a huge nuisance and I must have lost a few regular emails, but the email avalanche stopped within two days.  Since then, I got the occasional "you have not confirmed" reminders, but as a trickle.  I assume that my email is still registered on many sites that did not ask for confirmation, and hopefully nothing too embarrassing or disturbing.  This story is also a mea culpa.

I reset my passwords and was told to replace my credit card (though that account was not breached, nor were funds removed from PayPal).

Take-home messages:

  1. Set confirmation text messages for (large) orders.
  2. Use 2-step verification on financial and other sensitive accounts.
  3. Keep Inbox mostly empty.
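
The distraction pattern described above can be triaged mechanically: detect the burst of signup-style mail from many unrelated sites, then pull out the messages from financial senders that arrived around it. The following is an added example, not part of the original post; the thresholds, the sender list, the message dictionary layout and the sample mailbox are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed thresholds and sender list for this sketch; tune them for your mailbox.
SIGNUP_RE = re.compile(r"welcome|confirm|verify|activate|registration|subscri", re.I)
FINANCIAL_DOMAINS = ("paypal.com", "americanexpress.com")
WINDOW = timedelta(hours=1)
MIN_MESSAGES = 50   # signup-style messages inside one window
MIN_DOMAINS = 20    # sent from at least this many distinct domains

def domain(addr):
    return addr.rsplit("@", 1)[-1].strip("> ").lower()

def is_financial(addr):
    d = domain(addr)
    return any(d == f or d.endswith("." + f) for f in FINANCIAL_DOMAINS)

def burst_start(messages):
    """Time of the first signup message in a window that looks like a bomb, else None."""
    signups = sorted((m for m in messages if SIGNUP_RE.search(m["subject"])),
                     key=lambda m: m["date"])
    lo = 0
    for hi, msg in enumerate(signups):
        while msg["date"] - signups[lo]["date"] > WINDOW:
            lo += 1  # slide the window start forward
        window = signups[lo:hi + 1]
        if len(window) >= MIN_MESSAGES and len({domain(m["from"]) for m in window}) >= MIN_DOMAINS:
            return signups[lo]["date"]
    return None

def buried_alerts(messages):
    """Financial-sender messages from shortly before the burst onward."""
    start = burst_start(messages)
    if start is None:
        return []
    # From headers can be forged; treat hits as "read this first", not as verified.
    return [m for m in messages
            if is_financial(m["from"]) and m["date"] >= start - WINDOW]

# Constructed sample mailbox: one alert, then 60 signup mails from 60 sites.
T0 = datetime(2019, 12, 1, 18, 0)
SAMPLE = [{"from": "service@paypal.com", "subject": "Receipt for your payment", "date": T0}]
SAMPLE += [{"from": f"noreply@site{i}.example", "subject": "Please confirm your registration",
            "date": T0 + timedelta(minutes=5, seconds=20 * i)} for i in range(60)]
SAMPLE.append({"from": "friend@mail.example", "subject": "Lunch Friday?",
               "date": T0 + timedelta(minutes=12)})

if __name__ == "__main__":
    print(*buried_alerts(SAMPLE), sep="\n")
```

Requiring many distinct sender domains is what separates a bomb from one noisy mailing list, and looking back one window before the burst catches an alert that arrived minutes before the flood.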