The e-mail bomb or how unwanted registrations affect reputation

This blog post is more than 51 months old and may be out of date.

Do not think you have unexpectedly earned international recognition – your web page is being used in a scheme known as “the e-mail bomb” or “distributed spam distraction”.

Why do they do it?

The purpose of the e-mail bomb is to distract the target user’s attention and hide some important message under heaps of spam. The e-mail to be hidden is usually a message from some large online store (e.g. Amazon) notifying you about a new order made by criminals using your user account or credit card.

They need a lot of e-mails to create this heap, and these e-mails must not end up in the recipient’s spam folder either. Newsletter subscription confirmations, user registration notifications, password change messages and everything else that the user would normally not want to see caught in the spam filter are very suitable for this purpose.

The easiest way to generate such notifications is to use a botnet that posts the targeted e-mail address to forms on various websites. Perhaps the most original example I have noticed is the use of one online forum for posting two consecutive requests: one to register a user and another to request a password change for this user. Two e-mails sent just like that.

How does this affect the reputation of your domain, website or newsletter?

The owner of the mailbox hit by the bomb will probably mark these unwanted e-mails as spam and train the spam filter of the e-mail service they use to recognise such e-mails. The “artificial intelligence” will probably notice the domain name and IP address of the sending server as the attributes of these e-mails, and other strings of text such as the address and phone number provided in the e-mail footer will likely also get their statistical spam score.

In other words, Gmail, Hotmail, Yahoo and others will actually learn that your company is the one behaving like a jerk and sending e-mail that is consistently marked as spam by many users.

The impact spreads wider and does not affect just your domain. With most web hosting services, the so-called shared hosting, several websites share the IP address of one and the same server or outgoing e-mail solution, so delivering their e-mail could also become problematic. This bad reputation could also affect the rest of the network, i.e. the neighbouring IP addresses.

How does Zone act in such cases?

E-mails sent from the web server pass through our spam filter and limiter, so a website taken over by criminals, for example, can only send a few hundred e-mails before it is automatically blocked.

The e-mail bomb is a bit more complicated – just a few messages per hour or on a daily basis are sent for each website and they do not differ significantly from conventional contact form postings or e-shop orders.

However, we will receive feedback via the so-called feedback loop, meaning that, for example, Hotmail will forward any messages marked as spam to our special address. If we start getting more than the usual number, it is a sign that some functionality of the website is being exploited.

To prevent further damage, we will block the sending of e-mails when detecting such an activity – we will, of course, also inform the website owner immediately to avoid the loss of necessary e-mails.
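The feedback-loop check described above, sketched as an added example (not Zone's own code): it assumes complaints arrive as ARF reports (RFC 5965) and flags a site once its daily complaints exceed its usual level. The function names, the threshold values and all domains are assumptions made for this illustration.

```python
import email
from collections import Counter

# Constructed ARF complaint (RFC 5965 layout); every name in it is a placeholder.
ARF = """\
From: fbl@mailbox-provider.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arf"

--arf
Content-Type: text/plain

A user marked this message as spam.
--arf
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Reported-Domain: {domain}

--arf
Content-Type: text/rfc822-headers

From: noreply@{domain}
Subject: Please confirm your subscription
--arf--
"""

def reported_domain(raw):
    """Return the Reported-Domain of an abuse complaint, or None for any other mail."""
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() == "message/feedback-report":
            body = part.get_payload()  # the parser exposes the fields as a nested message
            fields = body[0] if isinstance(body, list) else email.message_from_string(body)
            if (fields["Feedback-Type"] or "").lower() == "abuse":
                return (fields["Reported-Domain"] or "").lower() or None
    return None

def sites_to_block(reports, usual_per_day, factor=3, floor=5):
    """Flag domains with at least `floor` complaints and `factor` times their usual count."""
    today = Counter(d for d in map(reported_domain, reports) if d)
    return sorted(d for d, n in today.items()
                  if n >= max(floor, factor * usual_per_day.get(d, 0)))

# Constructed day: one exploited site, one site with its ordinary trickle of complaints.
REPORTS = [ARF.format(domain="shop.example")] * 9 + [ARF.format(domain="radio.example")] * 2
USUAL = {"shop.example": 1, "radio.example": 2}  # hypothetical daily baselines
print(sites_to_block(REPORTS, USUAL))
```

The floor keeps a site with a baseline of zero from being blocked over a single stray complaint.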

What can the website owner do to resolve this problem?

Let’s start with the nature of the problem. The e-mailing botnet scans websites and looks for forms that send out an e-mail once an e-mail address has been entered.

For example, a widget for subscribing to a newsletter, provided on a website footer and implemented using the WordPress Contact Form 7 plugin.

A bot will find this form on the webpage and post to it:

POST /products/toothbrushes/ HTTP/2.0
your-email=l*********a%40hotmail.com&_wpcf7=8&_wpcf7_locale=en_US [...]

… and the e-mail message is on its way. The attack on this mailbox started at 4:53 A.M. today and, as the log of one of the anti-spam services shows, nearly 50 attempts were blocked by the sites using their plugin throughout the day:

There were 33 attempts to send e-mails from the websites of Zone’s customers, and the websites used included an IT company, a radio station, a car dealer, a housing association, a hiking trail, and a number of other perfectly ordinary websites having one common denominator – an unprotected form on their website.

As a solution, the web form or other functionality needs to be protected by a captcha. One of the most common solutions is Google’s reCAPTCHA (a free service) supported by most web forms including the Contact Form 7 plugin.

To activate it, you need to log in to the reCAPTCHA page, add your web address and enter the API keys you receive in the appropriate field on the form to be protected.

Contact Form 7 can be configured to use reCAPTCHA version 3 which, unlike the previous ones, functions unobtrusively for the user – meaning they do not have to identify all the pedestrian crossings or traffic lights in the mosaic.

Admittedly, reCAPTCHA displays its logo at the bottom of the page by default to inform users that their activity is being analysed, and the script that is activated on every page tends to adversely affect the Google PageSpeed test result. So, as an alternative, you could consider whether the newsletter subscription form in the footer provides the desired result, and perhaps implement it differently, e.g. by posting the subscription requests directly to Mailchimp or a similar mailing list service and leaving spammer detection to them.
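For a custom form handler rather than Contact Form 7 (which performs this step itself), the server-side half of reCAPTCHA v3 looks roughly like the following added example, which is not code from the plugin or from Zone. The names may_send_email and fetch_verdict, the 0.5 score threshold, the "subscribe" action and the host shop.example are assumptions; the siteverify endpoint and its reply fields are Google's.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def fetch_verdict(secret, token):
    """POST the token to Google's siteverify endpoint and return the JSON reply."""
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(VERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)

def may_send_email(token, secret, action, hostname, min_score=0.5, fetch=fetch_verdict):
    """Return (allowed, reason); call this before the form sends any e-mail."""
    if not token:
        return False, "no token"  # a bot posting the raw form fields has none
    try:
        verdict = fetch(secret, token)
    except (OSError, ValueError):
        return False, "verification unavailable"  # fail closed: no verdict, no mail
    if not verdict.get("success"):
        return False, "rejected: " + ",".join(verdict.get("error-codes", []))
    if verdict.get("action") != action:
        return False, "token issued for another action"
    if verdict.get("hostname") != hostname:
        return False, "token issued for another site"
    if verdict.get("score", 0.0) < min_score:
        return False, "score too low"  # v3 returns a score, not a pass/fail answer
    return True, "ok"

# Constructed verdict standing in for Google's reply, so the gate can be tried offline.
LOW_SCORE = {"success": True, "score": 0.1, "action": "subscribe", "hostname": "shop.example"}
print(may_send_email("constructed-token", "constructed-secret", "subscribe",
                     "shop.example", fetch=lambda secret, token: LOW_SCORE))
```

Version 3 never shows the visitor a challenge, so the decision to send or drop the e-mail rests entirely on this server-side check.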
