Beware of Subscription Bombs hiding financial fraud

One of my users was hit with 3000 spam email Friday night. Many of the email said she had “subscribed.” After reviewing things to make sure her email account hadn’t been hacked, I started to look for what spammers were hoping to accomplish with so many email.

It turns out she might have gotten subscription bombed.

The idea is that a hacker used a bot to subscribe her to various services in order to obscure email alerts for purchases or other financial activities.

She is currently following these steps:

Has anyone ever heard of subscription bombing?

Do you have any controls in place to alert you to a sudden influx of email for any account?

We’ve had this happen to one of our church clients before. Tanked the email account, basically had to start with a fresh one. Not much you can do about it really…mailbombing for the modern age.

I had this happen to me some time back. After hacking a site and recovering the coded password file, they managed to discover the (not strong enough) password for one of my rarely used accounts and were going to change the password on it. They did the subscription bombing to hide the change notification in the flood of a few 1000 messages.

I pre-filter messages so the password change stood out, being in a different folder and I was able to jump on it quickly. Cleaning up the messages wasn’t too bad since they were all grouped together. Most of the subscriptions needed a confirmation to complete the process so they just timed out with no further messages.

With well over 1000 username/password pairs stored in my password manager, I still find ones to update that I’d all but abandoned. I’m really glad I pre-filter. I am also fixing the passwords.

What terms are you filtering on?

Most of the spam came from locations outside the US. Microsoft suggested that we could filter to eliminate languages other than English. That would work for most of our employees. Only a few work with other countries. Probably not a perfect solution.

Microsoft said there is no alert for large influx of incoming email.


After selling my ISP business in the late 90’s, I decided to use a personal domain and
run my own mail server. This gives me complete flexibility of what I filter without the
worry of affecting anyone else. I am well aware that this doesn’t scale at all well to an
organization of more than one, but it does what I need.

I assign a unique email alias to each organization with whom I do business. It’s more
work than the regular user is willing to spend, but as a result I can easily flag messages
in procmail as not matching the sender/recipient pair. This is especially helpful for domain
contact spam. If they aren’t the domain registrar, then there’s no reason for them to be
sending to the domain registrar address. Same goes for folks who have decided to sell
my unique-to-them email address to others.

Out of the 1000+ specific aliases I have, more than 80 have been retired as having been
whacked by spammers, some more than once (e.g. Adobe, VMware, Applian, and others).
I also use fail2ban blocks, Spamassassin blocklists, denied TLDs, and denied languages
as first pass filters. As a result, I rarely get spam. The few that leak through are quickly
recognizable as such.

None of these specifics will work for a general user base or even personally if you use a
large mail service such as gmail or O365, but message processing macros in Outlook or
similar may do some of it for you.


1 Like