How to deal with Mailbait/Mailbomb floods

Created by Yves Lacombe, Modified on Tue, 22 Oct at 4:18 PM by Yves Lacombe

What is Mailbait?


Mailbait is when a malicious actor signs up your CEO or one of the other higher-ups to a bot service that subscribes that person to a huge number (i.e., a gazillion) of legitimate mailing lists, newsletters and other automated email services.  These services exist and they are designed to flood someone's mailbox with tons of useless email.  Example:  https://mailbait.info/.


Normally, people who use Mailbait-style services do so to test a mail server's ability to handle load; they are often used by IT researchers.


Although it's not meant to be used maliciously, it often is.


These attacks tend to last a few hours to a couple of days as the bot eventually runs out of things to subscribe you to.


IMPORTANT: Sometimes scammers will use a mailbait or mailbomb attack to trigger a fake support call.  Be wary of anyone who isn't affiliated with Vircom wanting to "help" with the mailbomb!   Ideally you should just call us to make sure the support call is legitimate.


How do you know $user is affected by mailbait?


They start receiving thousands of subscription confirmation requests from various web forums, newsletter services and the like, in just about every language known to man.




Why isn't Proofpoint stopping them?


Because these are otherwise legitimate emails.  They're not malicious, and they're not bulk because only a single email comes from any given source.  There are just lots of them coming in within a very short time span.



What can you do about it?


There are two ways: a "light" method where you try to block as much as you can, or a "heavy" method which is basically "block everything except people I trust".


== The Light Method ==


1. Use geo-ip blocking to block anything not from your country


https://support.vircom.com/a/solutions/articles/48001238784


2. Look at the inbound traffic for common keywords in the subject (e.g. subscribe, confirm, etc.) and create a filter rule to block based on those keywords.


if subject contains Subscribe, Confirm, Account then quarantine
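The keyword rule above is simple to apply, but it is worth seeing what it catches and what it misses before you switch it on. The following script is an added example, not Vircom's or Proofpoint's code: it applies the "subject contains Subscribe/Confirm/Account" rule to message-log-style rows and also flags a recipient whose keyword-matching mail arrives in a burst from many distinct sender domains, which is the pattern from "How do you know $user is affected". The column names (date, from, to, subject), the thresholds and every sample row are constructed assumptions.

```python
"""Added example (not Vircom's or Proofpoint's code): apply the article's
'subject contains Subscribe/Confirm/Account' rule to message-log-style rows and
flag a recipient whose keyword-matching mail arrives in a burst from many
distinct senders. Column names and all sample rows are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Keywords from the article's light-method rule, matched as case-insensitive
# substrings ("contains"), so "Confirmation" and "unsubscribe" match too.
KEYWORDS = ("subscribe", "confirm", "account")

# Constructed sample of a message log. The German row is a confirmation the
# English keyword rule misses; the CFO row is legitimate mail it would catch.
SAMPLE_LOG = """date,from,to,subject
2022-03-22 09:00,news@forum-a.example,ceo@example.com,Please confirm your subscription
2022-03-22 09:05,list@newsletter-b.example,ceo@example.com,Confirm your email address
2022-03-22 09:10,noreply@shop-c.example,ceo@example.com,Activate your account
2022-03-22 09:20,bounce@site-d.example,ceo@example.com,Subscribe: verify your request
2022-03-22 09:30,hello@blog-e.example,ceo@example.com,Bestätigen Sie Ihr Abonnement
2022-03-22 09:40,signup@forum-f.example,ceo@example.com,Confirmation required
2022-03-22 10:15,alice@partner.example,ceo@example.com,Re: contract
2022-03-21 14:00,bob@partner.example,cfo@example.com,Your account statement
"""
SAMPLE_ROWS = list(csv.DictReader(io.StringIO(SAMPLE_LOG)))


def matches_light_rule(subject: str) -> bool:
    """True if the subject would be quarantined by the article's keyword rule."""
    s = subject.lower()
    return any(k in s for k in KEYWORDS)


def detect_bursts(rows, window=timedelta(hours=1), min_msgs=5, min_senders=4):
    """Return {recipient: (messages, distinct sender domains)} for every recipient
    who got at least min_msgs keyword-matching messages from at least min_senders
    distinct sender domains inside some span no longer than `window`. The default
    thresholds are deliberately small so the constructed sample trips them; tune
    them to your own traffic."""
    per_rcpt = defaultdict(list)
    for r in rows:
        if matches_light_rule(r["subject"]):
            ts = datetime.strptime(r["date"], "%Y-%m-%d %H:%M")
            per_rcpt[r["to"].lower()].append((ts, r["from"].split("@")[-1].lower()))
    flagged = {}
    for rcpt, events in per_rcpt.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            domains = {d for _, d in span}
            if len(span) >= min_msgs and len(domains) >= min_senders:
                flagged[rcpt] = (len(span), len(domains))
                break
    return flagged


if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        verdict = "quarantine" if matches_light_rule(r["subject"]) else "deliver"
        print(f"{r['to']:18} {r['from']:28} {verdict:10} {r['subject']}")
    print("bursts:", detect_bursts(SAMPLE_ROWS))
```

Two things the sample makes visible: the keyword list is English-only, so a German "Bestätigen Sie Ihr Abonnement" sails through, and a legitimate "Your account statement" for another user gets quarantined. That is the trade-off of the light method, and the burst count per recipient is a handy way to tell when the flood has started and when it has abated.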



== The Heavy Method ==


The only thing we would recommend is to create a temporary trust list based on the last 30 days of legitimate senders the person had in the Proofpoint message log, and then block anything else coming in that isn't on this trusted list.


Note that a mailbait attack only lasts a few days.  Once the bot finishes looping through its known reservoir of newsletters and web forms to subscribe your user to, the volume should abate.



How do I make that trust rule?


First, go into the Proofpoint message log and locate the day the mailbait started.  You want all the CLEARED emails that were delivered prior to that day.


So let's say in my case, my personal address is yves@cheznousse.com and the mailbait started on March 22nd 2022.  I want all the good mail that came in from March 21st and prior.



Don't forget to put our designated victim in the To field.



Once you have the result, click on the export button.



You'll get a CSV file ...



Open the CSV file with Excel, and then apply a data filter on the first line.




Start by removing duplicates based on the "from" column, and then you probably want to filter out anything with the words "bounce", "no-reply" or "noreply".


By just removing dupes and the "noreply"/"bounce" entries, you should go from several thousand senders down to a few hundred.





Copy and paste the FROM column into a text editor like Notepad.





In my case, I went from 2000 entries down to 96 just with the dupe removal and the omission of obvious newsletters.  I could chop it down some more, since there are still some obvious newsletters present that I could trim.


After trimming, I've only got around 40 senders I want to receive mail from (example).  In the same text editor, I add a comma to the end of each entry except the last one.
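If you would rather not do the Excel and Notepad steps by hand (or want to repeat them for several users), the whole procedure from the export to the comma-separated list can be scripted. The script below is an added example, not Vircom's or Proofpoint's code: it keeps only CLEARED mail to the victim dated before the day the flood started, removes duplicate senders, drops "bounce"/"no-reply"/"noreply" senders, lets you add extra substrings for the obvious newsletters you would trim manually, and joins the result with commas. The column names (Date, From, To, Status), the function names and every row of the sample export are constructed assumptions; match the column names to whatever your real export contains.

```python
"""Added example (not Vircom's or Proofpoint's code): build the heavy-method
trust list from an exported message log the way the article does by hand in
Excel and Notepad. The column names (Date, From, To, Status) and every row of
the sample export are constructed assumptions; match them to your real export."""
import csv
import io
from datetime import date, datetime

# Senders containing any of these substrings are dropped, as the article suggests.
NOISE_MARKERS = ("bounce", "no-reply", "noreply")

# Constructed sample export: a mixed-case duplicate, noreply/bounce senders, a
# quarantined sender, mail for another user, and mail from the flood's first day.
SAMPLE_EXPORT = """Date,From,To,Status
2022-03-15 09:12,Alice@Partner.example,ceo@example.com,Cleared
2022-03-16 11:40,alice@partner.example,ceo@example.com,Cleared
2022-03-17 08:05,bob@vendor.example,ceo@example.com,Cleared
2022-03-18 17:30,noreply@shop.example,ceo@example.com,Cleared
2022-03-19 10:00,bounce+abc@list.example,ceo@example.com,Cleared
2022-03-19 10:05,no-reply@bank.example,ceo@example.com,Cleared
2022-03-20 13:22,spammer@bad.example,ceo@example.com,Quarantined
2022-03-21 09:45,carol@partner.example,cfo@example.com,Cleared
2022-03-21 16:00,dave@client.example,ceo@example.com,Cleared
2022-03-22 08:01,signup@forum1.example,ceo@example.com,Cleared
"""


def build_trust_list(export_csv: str, victim: str, flood_start: str,
                     extra_exclusions=()) -> list:
    """Return the sorted, de-duplicated sender addresses that were CLEARED to
    `victim` before `flood_start` (ISO date, e.g. "2022-03-22"), minus
    bounce/no-reply style senders and any extra substrings you pass for the
    obvious newsletters (the manual trimming step in the article)."""
    victim = victim.strip().lower()
    cutoff = date.fromisoformat(flood_start)
    markers = tuple(m.lower() for m in NOISE_MARKERS + tuple(extra_exclusions))
    keep = set()  # a set does the duplicate removal for us
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["To"].strip().lower() != victim:
            continue
        if row["Status"].strip().lower() != "cleared":
            continue
        # "March 21st and prior": anything dated on or after the flood day is out.
        if datetime.strptime(row["Date"], "%Y-%m-%d %H:%M").date() >= cutoff:
            continue
        sender = row["From"].strip().lower()
        if any(m in sender for m in markers):
            continue
        keep.add(sender)
    return sorted(keep)


def as_rule_value(senders) -> str:
    """Comma-join the list the way the article prepares it in Notepad for the rule."""
    return ",".join(senders)


if __name__ == "__main__":
    trusted = build_trust_list(SAMPLE_EXPORT, "ceo@example.com", "2022-03-22")
    print(f"{len(trusted)} trusted senders")
    print(as_rule_value(trusted))
```

On the constructed sample this keeps three senders (alice, bob and dave) out of ten rows; on a real export the ratio will look more like the author's 2000 down to 96. Run it once per victim and paste the printed line into the rule's address list.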




Afterwards, go to Proofpoint and create a new inbound rule:




So basically, block everything coming in for this user EXCEPT mail from the addresses listed in the rule.



This should tide your end users over for the day or so the mailbait flood runs.


Remember to turn off the rule soon after.