Election Security Spotlight – Email Bombs

What is it

An email bomb is an attack against an email inbox or server designed to overwhelm an inbox or inhibit the server’s normal function, rendering it unresponsive, preventing email communications, degrading network performance, or causing downtime. The intensity of an email bomb can range from an inconvenience to a complete denial of service. Typically, these attacks persist for hours or until the targeted inbox or server implements a mitigation tactic to filter or block the attacking traffic. Such attacks can be carried out intentionally or unintentionally by a single actor, group of actors, or a botnet. There are five common email bomb techniques:

1. Mass mailing – intentionally or unintentionally sending large quantities of random email traffic to targeted email addresses. This attack is often achieved using a botnet or malicious script, such as by the automated filling out of online forms with the target email inserted as the requesting/return address.
2. List linking – signing targeted email addresses up for numerous email subscriptions, which indirectly flood the email addresses with subscribed content. Many subscription services do not ask for verification, but if they do these emails can be used as the attack emails. This type of attack is difficult to prevent because the traffic originates from multiple legitimate sources.
3. ZIP bomb – sending very large compressed archive files to an email address, which when decompressed, consume available server resources to damage performance.
4. Attachment – sending multiple emails with large attachments designed to overload the storage space on a server and cause the server to stop responding.
5. Reply-all – responding “Reply All” to large dissemination lists instead of just to the original sender. This inundates inboxes with a cascade of emails, which are compounded by automated replies, such as out-of-office messages. These are often accidental in nature. This can also occur when a malicious actor spoofs an email address and the automatic replies are directed toward the spoofed address.

Why does it matter

Email bombs can create denial of service conditions that may impede election offices from conducting routine or election day activities. For example, a successful email bomb may inhibit election offices from accessing inboxes for citizen engagement, voter registration, or other services. The impact of such an attack is highly likely to compound if occurring around polling or registration dates. Additionally, cyber actors sometimes use email bomb attacks to mask other malicious activity, distract users, or prevent the regular flow of notifications associated with critical or abnormal account activity.

What you can do

Implement a policy that addresses user and technical processes for preventing and responding to email bombs. As a general rule of thumb, avoid using your work email to subscribe to non-work related services and limit online exposure of your direct email addresses. Instead use contact forms, which do not expose email addresses or generic email addresses (e.g. elections@your_agency) that can be adjusted when necessary. In the event your inbox is hit with an email bomb, avoid mass deleting emails. Instead use email rules to filter spam as this will prevent the accidental deletion of legitimate emails.

— 

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to election infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the election community, please contact [email protected].