Email Security

Email Bombing: When a Flooded Inbox Is the Cover Story

July 17, 2026 6 min read Haven Team

Your inbox starts filling with newsletter welcome messages. Confirmation emails from shops you have never heard of, in languages you don't read, hundreds per hour. The instinct is to treat it as a spam malfunction and start mass-deleting. That instinct is exactly what the attacker is counting on, because somewhere in that flood is one legitimate email they need you to miss.


The technique goes by several names: email bombing, subscription bombing, cluster bombing. The mechanics are mundane. Millions of websites have a newsletter signup form that will accept any address typed into it, and a large share of them send at least one message (a welcome, a confirmation request) without verifying anything. An attacker feeds your address into thousands of those forms with a simple script. No account compromise is needed, no malware, nothing sophisticated: just the aggregate politeness of the internet's signup forms, aimed at one mailbox.

Security journalist Brian Krebs was hit with one of the widely documented early cases in 2016, when his address was subscribed to tens of thousands of lists in short order. In the years since, the technique has moved from harassment tool to a standard component of financial fraud, and that shift is what makes it worth understanding.

The flood is a smokescreen

A pure harassment bombing wants to make your mailbox unusable. The fraud variant wants something more specific: to control what you notice during a narrow window. The sequence usually looks like this:

  1. The attacker already has something: your bank login from a credential-stuffing hit, your card number from a breach, or access to a merchant account where your card is stored.
  2. Just before using it, they trigger the bombing. Your inbox becomes noise.
  3. Inside the flood arrive the emails that would have tipped you off: a purchase confirmation, a wire-transfer notice, a password-change alert, a "new device signed in" warning.
  4. By the time you dig out, the fraud is hours or days old, and the recovery window (canceling a transfer, freezing a card, contesting a change) has narrowed or closed.

The same play works against businesses. Ransomware crews documented by Microsoft and others in 2024 used email bombing against employees, then called the overwhelmed victim posing as the company's IT helpdesk, offering to "fix the email problem" via a remote-access session. The flood manufactures both the crisis and the pretext for the rescue. If you have read our piece on MFA fatigue attacks, the family resemblance is clear: overwhelm a human channel until the human stops evaluating each event on its merits.

The signal to remember

A sudden flood of subscription confirmations is not a spam-filter failure. Treat it as a probable indicator that a fraudulent transaction is happening right now, and go looking for the email you were meant to miss.

What to do while it's happening

The order of operations matters, and mass-deletion is last, not first.

Reducing the blast radius in advance

You cannot prevent someone from typing your address into forms. You can arrange your email life so that the flood has less to bury.

The structural fix is separation: the address that receives your bank alerts and password resets should not be the address that circulates publicly. Aliases do this well: give every merchant and mailing list its own alias, keep the underlying mailbox for a small set of critical senders, and a bombing aimed at any harvested alias can be shut off by disabling that one alias, while your bank's messages arrive in a channel the attacker never learned. Filters help too: a rule that routes messages containing your bank's sending domain (checked against authentication results, not just the display name) into a protected folder means the signal survives even when the inbox drowns.

For anyone running newsletter infrastructure, the fix on your side has been standard practice for years: confirmed opt-in (no mail beyond a single verification request until the subscriber proves control of the address) and a CAPTCHA or rate limit on the signup form. Lists that skip these are the ammunition this attack is made of, and blocklist operators increasingly treat them accordingly.

Why this attack keeps working

Email bombing exploits a mismatch between how mail systems and humans handle volume. Spam filters look at each message individually, and each subscription confirmation is individually legitimate: a real service, sending exactly the message it always sends, to an address someone entered. There is no forged header for SPF or DKIM to catch. The attack lives entirely in the aggregate, and the aggregate is something most mail pipelines were never designed to reason about, though providers have gotten measurably better at detecting the pattern since 2016.

The durable defense is the one no filter can provide: knowing the pattern. An inbox that suddenly fills with confirmations is asking you a question, and the right answer is "what am I not supposed to see today?" Ask it early enough and the attack's whole premise, that you will spend those hours deleting instead of looking, falls apart.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →