The technique goes by several names: email bombing, subscription bombing, cluster bombing. The mechanics are mundane. Millions of websites have a newsletter signup form that will accept any address typed into it, and a large share of them send at least one message (a welcome, a confirmation request) without verifying anything. An attacker feeds your address into thousands of those forms with a simple script. No account compromise is needed, no malware, nothing sophisticated: just the aggregate politeness of the internet's signup forms, aimed at one mailbox.
Security journalist Brian Krebs was hit with one of the widely documented early cases in 2016, when his address was subscribed to tens of thousands of lists in short order. In the years since, the technique has moved from harassment tool to a standard component of financial fraud, and that shift is what makes it worth understanding.
The flood is a smokescreen
A pure harassment bombing wants to make your mailbox unusable. The fraud variant wants something more specific: to control what you notice during a narrow window. The sequence usually looks like this:
- The attacker already has something: your bank login from a credential-stuffing hit, your card number from a breach, or access to a merchant account where your card is stored.
- Just before using it, they trigger the bombing. Your inbox becomes noise.
- Inside the flood arrive the emails that would have tipped you off: a purchase confirmation, a wire-transfer notice, a password-change alert, a "new device signed in" warning.
- By the time you dig out, the fraud is hours or days old, and the recovery window (canceling a transfer, freezing a card, contesting a change) has narrowed or closed.
The same play works against businesses. Ransomware crews documented by Microsoft and others in 2024 used email bombing against employees, then called the overwhelmed victim posing as the company's IT helpdesk, offering to "fix the email problem" via a remote-access session. The flood manufactures both the crisis and the pretext for the rescue. If you have read our piece on MFA fatigue attacks, the family resemblance is clear: overwhelm a human channel until the human stops evaluating each event on its merits.
A sudden flood of subscription confirmations is not a spam-filter failure. Treat it as a probable indicator that a fraudulent transaction is happening right now, and go looking for the email you were meant to miss.
What to do while it's happening
The order of operations matters, and mass-deletion is last, not first.
- Search before you clean. Search the flood for terms that would appear in the buried signal: your bank's name, "transfer," "order," "payment," "password," "security alert," "verification code." Do this first, while everything is still in the mailbox.
- Check the accounts that hold money. Log into your bank, card, and main shopping accounts directly (never through links in any of these emails) and review recent activity and pending transactions. If something is in flight, the phone call to your bank matters far more than the inbox does.
- Lock the identity layer. Change the password on the email account itself and confirm your recovery addresses and forwarding rules were not altered. An attacker who can also read your mail is running account takeover, which is a different and worse incident than bombing alone.
- Then triage the noise. Filter on common signup-confirmation phrasings and archive rather than delete, so anything you misclassified is recoverable. Expect a tail of stragglers for weeks; unsubscribing from each list individually is mostly wasted effort during the acute phase.
- Do not "fix it" with a stranger. If someone calls offering IT help you did not request while your inbox is melting, that call is part of the attack.
Reducing the blast radius in advance
You cannot prevent someone from typing your address into forms. You can arrange your email life so that the flood has less to bury.
The structural fix is separation: the address that receives your bank alerts and password resets should not be the address that circulates publicly. Aliases do this well: give every merchant and mailing list its own alias, keep the underlying mailbox for a small set of critical senders, and a bombing aimed at any harvested alias can be shut off by disabling that one alias, while your bank's messages arrive in a channel the attacker never learned. Filters help too: a rule that routes messages containing your bank's sending domain (checked against authentication results, not just the display name) into a protected folder means the signal survives even when the inbox drowns.
For anyone running newsletter infrastructure, the fix on your side has been standard practice for years: confirmed opt-in (no mail beyond a single verification request until the subscriber proves control of the address) and a CAPTCHA or rate limit on the signup form. Lists that skip these are the ammunition this attack is made of, and blocklist operators increasingly treat them accordingly.
Why this attack keeps working
Email bombing exploits a mismatch between how mail systems and humans handle volume. Spam filters look at each message individually, and each subscription confirmation is individually legitimate: a real service, sending exactly the message it always sends, to an address someone entered. There is no forged header for SPF or DKIM to catch. The attack lives entirely in the aggregate, and the aggregate is something most mail pipelines were never designed to reason about, though providers have gotten measurably better at detecting the pattern since 2016.
The durable defense is the one no filter can provide: knowing the pattern. An inbox that suddenly fills with confirmations is asking you a question, and the right answer is "what am I not supposed to see today?" Ask it early enough and the attack's whole premise, that you will spend those hours deleting instead of looking, falls apart.