How to mitigate email bombing

Summary

Email bombing is when an attacker registers your email address with hundreds or thousands of mailing lists.

Body

What is email bombing?
Email bombing is when an attacker registers your email address with hundreds or thousands of mailing lists.

What should I do if I'm getting email bombed?
You are the victim of a security incident. Please report this to your IT Help Desk and ask for assistance. We will recommend that you change your password as a precautionary measure. You may also want to check for fraudulent activity in your Dartmouth and personal financial accounts. Below are additional steps you can take to help reduce the amount of time you spend sorting through emails.

Why was I targeted for email bombing?
The most likely reason is that the attacker is trying to hack your account, or to overwhelm your inbox with messages so that you don't notice an important email about fraudulent activity. People who deal with financial data are more commonly targeted.

A lot of the emails I am getting have an unsubscribe button. Should I click it?
In general, we don't recommend trying to unsubscribe from mailing lists. Most reputable mailing services won't email you more than once unless you have confirmed your subscription. Less reputable services may unsubscribe you, but then sell your address to other services.

Can Dartmouth ITC, Microsoft, or Google block these emails from being sent to me?
Unfortunately, this is difficult because the attacker is not directly emailing you. Instead, the attacker is likely using a bot network of hundreds or thousands of IP addresses that browse to legitimate websites, enter your email address, and sign you up to receive a newsletter. Some people want to receive some of these newsletters, so we cannot globally block them. We cannot block the emails based on the sender's IP address because they are coming from a legitimate newsletter website. We can block the emails based on keywords in the sender address, subject, or body of the email, but we run the risk of blocking legitimate emails if we get the filters wrong.

What can I do to filter these emails?
We recommend setting up your mailbox configuration so that new emails, by default, go to a sorting folder. We then use rules to move "known good" emails to your Inbox and "known bad" emails to your Junk E-mail folder.

The following instructions outline how to do that in Office 365.

  1. Log in to the web interface for Office 365 email by browsing to https://bwa.dartmouth.edu/ and authenticating.
     
  2. Once in your mailbox, create a new folder named "Outside".
     
  3. Click the gear icon in the upper right to open the Settings panel. In the search, type "rules", press enter, and click "Inbox rules" from the results.
     
  4. Click the plus sign to create a rule with the following settings and then click OK:
    • Name: 3 - Outside
    • When the message arrives, and it matches all of these conditions: [Apply to all messages]
    • Do all of the following: Move the message to folder... Outside
    • Except if it matches any of these conditions: None
    • Check: Stop processing more rules
       
  5. Click the plus sign to create a rule with the following settings and then click OK:
    • Name: 2 - Known Bad
    • When the message arrives, and it matches all of these conditions: It includes these words in the sender's address... ultraoffer.com
    • Do all of the following: Move the message to folder... Junk E-mail
    • Except if it matches any of these conditions: None
    • Check: Stop processing more rules
       
  6. Click the plus sign to create a rule with the following settings and then click OK:
    • Name: 1 - Known Good
    • When the message arrives, and it matches all of these conditions: It includes these words in the sender's address... dartmouth.edu hitchcock.org
    • Do all of the following: Move the message to folder... Inbox
    • Except if it matches any of these conditions: None
    • Check: Stop processing more rules

If you have existing inbox rules, these rules should be the last rules in your list with "3 - Outside" as the very last rule in the list.

In the above steps, ultraoffer.com was used as an example bad domain. Replace that domain with a list of domains that are sending you spam. As you receive more spam, update the "2 - Known Bad" rule to route those messages to your Junk E-mail folder. Likewise, dartmouth.edu and hitchcock.org were used as examples of good domains. Update the "1 - Known Good" rule with additional domains that you wish to receive email from. As these rules continue to get updated with more good and bad domains, more email will go directly into your Inbox and Junk E-mail folders and you will need to spend less time sorting messages in your Outside folder.

Is there anything else that can be done?
ITC has reached out to our email providers and asked if they can do anything else and/or develop tools to help us combat this problem. In the meantime, ITC has created scripts that can be run by affected users to parse emails that have been sorted into good or bad folders. The script will automatically update the known good/bad rules so that you don't have to manually update them. Currently the scripts are in beta and only available upon request.
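
A sketch of the kind of automation described above, added here as an example (it is not ITC's script, which this article does not show): it reads sender domains from hand-sorted folders, grows the two lists, and routes mail in the same order as the three rules. The folder contents are constructed samples, and matching on the parsed sender domain (exact or subdomain) is an assumption of this sketch.

```python
from email.utils import parseaddr

GOOD = {"dartmouth.edu", "hitchcock.org"}   # "1 - Known Good" (from the article)
BAD = {"ultraoffer.com"}                    # "2 - Known Bad" (from the article)

def sender_domain(from_header):
    """Lowercased domain of a From header, or '' when no address parses."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def matches(domain, known):
    """True if domain equals a listed domain or is a subdomain of one."""
    return any(domain == k or domain.endswith("." + k) for k in known)

def route(from_header, good, bad):
    """Apply the three rules in order; the first match stops processing."""
    domain = sender_domain(from_header)
    if domain and matches(domain, good):
        return "Inbox"          # 1 - Known Good
    if domain and matches(domain, bad):
        return "Junk E-mail"    # 2 - Known Bad
    return "Outside"            # 3 - Outside (catch-all)

def learn(sorted_mail, good, bad):
    """Grow both lists from hand-sorted folders; return conflicting domains.

    sorted_mail maps folder name -> From headers of the messages filed there.
    A domain filed in both folders, or already covered by the opposite list,
    is reported for a human to decide instead of being added."""
    new_good = {sender_domain(h) for h in sorted_mail.get("Inbox", [])} - {""}
    new_bad = {sender_domain(h) for h in sorted_mail.get("Junk E-mail", [])} - {""}
    conflicts = (new_good & new_bad) | {d for d in new_good if matches(d, bad)}
    conflicts |= {d for d in new_bad if matches(d, good)}
    # Skip domains an existing entry already covers, so the lists stay short.
    good |= {d for d in new_good - conflicts if not matches(d, good)}
    bad |= {d for d in new_bad - conflicts if not matches(d, bad)}
    return conflicts

# Constructed sample: messages the user dragged out of "Outside" by hand.
SORTED = {
    "Inbox": ["Alerts <noreply@mybank.example>", "list@shop.example"],
    "Junk E-mail": ["Deals <promo@news.ultraoffer.com>", "x@dailycoupons.example",
                    "Offers <mail@shop.example>", "alerts@dartmouth.edu"],
}

if __name__ == "__main__":
    print("needs review:", sorted(learn(SORTED, GOOD, BAD)))
    print("1 - Known Good:", " ".join(sorted(GOOD)))
    print("2 - Known Bad:", " ".join(sorted(BAD)))
```

The two printed lists are space-separated so they can be pasted into the rules' "includes these words in the sender's address" field.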

Details

Article ID: 82545
Created: Wed 7/3/19 10:01 PM
Modified: Tue 4/21/20 4:00 PM