My Google inbox is filling up with hundreds and hundreds of "please confirm your new account on our website" messages. A coworker reports he had the same thing happen to him a couple of weeks ago. What kind of bizarre attack is this? It's kind of a DoS attack in that I am forced to waste my time deleting these messages while making sure to not delete any actual email messages, but what possible benefit is there for the hacker doing this? Is this a known attack?
2 Answers
One known attack pattern is to hide transactions in the noise.
An attacker who has somehow figured out how to make a transaction - a purchase, a bank transfer, a PayPal payment, something like that - on your behalf may flood your inbox with unrelated emails in an attempt to keep you from noticing any notification emails for that transaction.
So check those emails carefully before deleting them.
This is called list bombing (aka email bomb, list linking, email cluster bomb, subscription bombing, etc). A list bomb is a targeted attack in which a victim's email address is signed up for numerous bulk mail systems without the victim's consent, resulting in lots of bulk mail, ~legitimate and spam, filling the victim's mailbox. This got attention in 2016 when Brian Krebs blogged about email bombs aimed at .gov addresses. Wired Magazine also wrote about list bombs on journalists at ProPublica.
As the other answer to this question notes, it isn't just a nuisance: list bombs can be used to overwhelm your inbox and hide email alerts in the noise. If you just mass-delete your latest mail, you might miss something important (like a confirmation message of some action you wouldn't approve or some receipt for something you didn't purchase).
See my answer to the duplicate question "I woke up and my email has been signed up to hundreds of online services. How can I fix this?"
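Both answers advise checking the flood before mass-deleting it. The following is an added example, not part of either answer: a small triage pass that separates signup noise from mail that may be a transaction or security notification. The keyword lists, function names and sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed keyword lists (not from the answers): ALERT marks possible
# transaction or account-security mail, SIGNUP marks list-bomb noise.
ALERT = re.compile(
    r"\b(receipt|invoice|order|payment|purchase|transfer|refund|"
    r"password|sign-?in|login|security alert|shipped)\b", re.I)
SIGNUP = re.compile(
    r"\b(confirm your|verify your|welcome to|subscription|newsletter)\b", re.I)


def classify(raw: bytes) -> str:
    """Return 'review', 'signup' or 'other' for one raw message.

    Alert words are checked first, so a real notification that also looks
    like bulk mail is never filed as noise.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = f"{subject}\n{body}"
    if ALERT.search(text):
        return "review"
    if SIGNUP.search(text) or msg.get("List-Unsubscribe"):
        return "signup"
    return "other"


def triage(messages):
    """Group subjects by class; only 'signup' is a bulk-delete candidate."""
    buckets = {"review": [], "signup": [], "other": []}
    for raw in messages:
        subject = email.message_from_bytes(raw, policy=policy.default)["Subject"]
        buckets[classify(raw)].append(str(subject))
    return buckets


# Constructed sample messages (not real mail).
SAMPLES = [
    b"From: a@forum.example\r\nSubject: Please confirm your new account\r\n\r\nClick to confirm.\r\n",
    b"From: n@shop.example\r\nList-Unsubscribe: <mailto:u@shop.example>\r\nSubject: Weekly deals\r\n\r\nHello.\r\n",
    b"From: pay@bank.example\r\nSubject: Your transfer of $900 was sent\r\n\r\nIf this was not you, contact us.\r\n",
    b"From: b@site.example\r\nSubject: Welcome to Site\r\n\r\nYour order #1 receipt is attached.\r\n",
]

if __name__ == "__main__":
    for kind, subjects in triage(SAMPLES).items():
        print(kind, subjects)
```

Messages in the "review" and "other" buckets should be read by hand; the fourth sample shows why alert words take priority over a signup-style subject.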