Spam Bombing


Executive Summary

This guide outlines the immediate actions required when a client experiences a "Spam Bomb" or "Email Bomb". It explains how to identify the real threat hidden within the spam, how to clean up the inbox without losing data, and how to secure the account afterwards.


What is a “Spam Bomb”?

A “Spam Bomb” is an automated attack where a bot subscribes the victim's email address to thousands of legitimate newsletters simultaneously.

Why is this happening? This is almost always a smokescreen. The attacker is trying to bury a single, critical email notification—such as a password change alert, a bank transfer confirmation, or an unauthorized Amazon order—so the victim misses it in the chaos.


Step 1: Reviewing the Contents of the Spam Bomb

CRITICAL: Do Not "Select All" and Delete

Resist the urge to mass-delete the spam immediately. If you delete the spam in bulk, you risk deleting the one email that warns of the actual financial or security compromise.

Before cleaning up the mess, you must identify if a compromise has occurred. Use the search bar in your email (Gmail, Outlook, Yahoo, etc.) to scan for the following keywords amidst the spam:

  • "Password reset" or "Security alert"

  • "Order confirmation" or "Purchase"

  • "Bank" / "Transfer" / "Wire"

  • "Login from new device"

  • "Zelle" / "Venmo" / "PayPal"

If you find a suspicious email:

  1. Screenshot it immediately.

  2. Forward it to BlackCloak.

  3. Contact the specific vendor or bank immediately to freeze the transaction.


Step 2: Cleanup

Once you have searched for threats, use the "Unsubscribe Filter" method to clear the inbox without losing legitimate mail.

Option A: The "Unsubscribe" Filter (Recommended)

Since most of these emails are "legitimate" newsletters, they contain the word "Unsubscribe." We can use this to filter them out automatically.

For Gmail:

  1. Click the Show search options icon (the sliders in the search bar).

  2. In the "Has the words" field, type: unsubscribe

  3. Click Create filter.

  4. Check "Skip the Inbox (Archive it)" (or apply a label called "Quarantine").

  5. Check "Also apply filter to matching conversations".

  6. Click Create filter.

For Outlook:

  1. Go to Settings (gear icon) > View all Outlook settings.

  2. Select Mail > Rules.

  3. Name the rule "Spam Bomb Mitigation".

  4. Add Condition: Message body includes > type unsubscribe.

  5. Add Action: Move to > select Junk Email (or a "Quarantine" folder).

  6. Run the rule.

Pro Tip

Keep this filter active for 72 hours. The attack usually subsides after a few days. After that, disable the filter so you don't miss newsletters you actually want.
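The two steps above can be run as one pass over an exported mailbox when the inbox is too large to search by hand. The following Python script is an added example, not BlackCloak's own tooling: it assumes the messages are available as raw RFC 5322 text (for example, .eml files), searches for the Step 1 keywords first, and only then sorts the remaining mail into a quarantine list using the RFC 2369 List-Unsubscribe header or the word "unsubscribe" in the body, exactly as the Gmail and Outlook filters do. A message that matched a critical keyword is never quarantined, even if it also carries an unsubscribe footer, which is the "do not select all and delete" rule made explicit. All addresses and message contents are constructed sample data.

```python
"""Triage a spam-bombed mailbox: surface critical notices first, then
quarantine newsletters without touching anything flagged as critical.
Added example, not BlackCloak tooling; the sample mailbox is constructed."""
import email
from email.policy import default

# Keywords from Step 1, matched case-insensitively in subject and body.
CRITICAL_KEYWORDS = (
    "password reset", "security alert", "order confirmation", "purchase",
    "bank", "transfer", "wire", "login from new device",
    "zelle", "venmo", "paypal",
)

# Constructed sample messages (hypothetical senders and addresses).
SAMPLE_MAILBOX = [
    "From: deals@retailer.example\n"
    "Subject: Weekly deals inside\n"
    "List-Unsubscribe: <mailto:unsub@retailer.example>\n"
    "\n"
    "Big savings this week. To stop these emails, unsubscribe here.\n",

    "From: alerts@bank.example\n"
    "Subject: Security alert: login from new device\n"
    "\n"
    "We noticed a new sign-in to your bank account. If this was not you,\n"
    "reset your password now. Unsubscribe from alerts here.\n",

    "From: tips@gardening.example\n"
    "Subject: Gardening tips newsletter\n"
    "\n"
    "Tips for spring planting. Unsubscribe link at the bottom.\n",

    "From: friend@personal.example\n"
    "Subject: Lunch tomorrow?\n"
    "\n"
    "Are we still on for lunch at noon?\n",

    "From: orders@shop.example\n"
    "Subject: Your order confirmation #12345\n"
    "\n"
    "Thanks for your purchase. Your item ships tomorrow.\n",
]


def parse_mailbox(raw_messages):
    """Parse raw RFC 5322 text into EmailMessage objects."""
    return [email.message_from_string(raw, policy=default) for raw in raw_messages]


def body_text(msg):
    """Lower-cased plain-text body, or empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return (part.get_content() if part is not None else "").lower()


def find_critical(messages, keywords=CRITICAL_KEYWORDS):
    """Step 1: return (message, matched keywords) for anything that looks like
    a real security or financial notification buried in the spam."""
    hits = []
    for msg in messages:
        haystack = f"{msg['Subject'] or ''}\n{body_text(msg)}".lower()
        matched = [k for k in keywords if k in haystack]
        if matched:
            hits.append((msg, matched))
    return hits


def is_newsletter(msg):
    """Step 2 heuristic: an RFC 2369 List-Unsubscribe header or the word
    'unsubscribe' in the body marks a bulk mailing."""
    return msg["List-Unsubscribe"] is not None or "unsubscribe" in body_text(msg)


def triage(messages):
    """Return (critical, quarantine, keep). Critical hits are excluded from
    quarantine so a real alert with an unsubscribe footer is never hidden."""
    critical = find_critical(messages)
    flagged = {id(m) for m, _ in critical}
    quarantine, keep = [], []
    for msg in messages:
        if id(msg) in flagged:
            continue
        (quarantine if is_newsletter(msg) else keep).append(msg)
    return critical, quarantine, keep


if __name__ == "__main__":
    critical, quarantine, keep = triage(parse_mailbox(SAMPLE_MAILBOX))
    print("REVIEW FIRST (Step 1):")
    for msg, matched in critical:
        print(f"  {msg['From']}: {msg['Subject']}  <- {', '.join(matched)}")
    print("QUARANTINE (Step 2):")
    for msg in quarantine:
        print(f"  {msg['From']}: {msg['Subject']}")
    print("KEEP IN INBOX:")
    for msg in keep:
        print(f"  {msg['From']}: {msg['Subject']}")
```

The keyword list errs toward false positives on purpose: a newsletter that happens to say "purchase" lands in the review list rather than the quarantine list, which costs a few seconds of reading instead of a missed fraud alert. Once the review list is cleared, the quarantine list is what the Gmail or Outlook filter above would archive.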


Step 3: Security Actions & Mitigation

After the noise has been managed, you must ensure the attacker has not established a "backdoor" into the account.

Checklist: Account Hardening

  • [ ] Check Forwarding Rules: Attackers often set up a rule to forward your emails to them.

    • Gmail: Settings > Forwarding and POP/IMAP. Ensure no unknown addresses are listed.

  • [ ] Review Active Sessions: Force a sign-out on all other devices.

    • Gmail: Bottom right of inbox > "Details" > "Sign out all other web sessions".

  • [ ] Rotate Password: Change the email account password immediately.

  • [ ] Verify 2FA: Ensure Multi-Factor Authentication is enabled and the phone number listed is correct.


Step 4: Next Steps & Escalation

Escalation: If a suspicious transaction or identity compromise is found, escalate to the BlackCloak Security Team immediately for:

  • Identity theft monitoring initiation.

  • Coordination with financial institutions.

  • Deep-dive header analysis.

Schedule your Security Review with our team.