Secure email service Tutanota has built defences against newsletter bombs after becoming a victim itself.
The measures are designed to protect users' inboxes against denial-of-service attacks, which involve signing up targeted email addresses to hundreds or perhaps even thousands of newsletters, essentially rendering those inboxes useless.
The public email addresses of journalists, companies and government departments have all been victims of the tactic, which has been a known attack method for some time. Previous targets have included security blogger Brian Krebs, who was hit at the same time hackers targeted US government email addresses in August 2016. Now Tutanota has also been "bombed".
"[The attack] is very easy to execute because most newsletter sign-up forms have no protection against malicious bot sign-ups," according to Tutanota. "The attack seems to be based on a webcrawler that searches for webforms with input[type=email] fields. It automatically inserts the victim's email address and fills the other fields with random data. As a result, the email address gets flooded."
A bomb dropped on Tutanota's main contact email address two weeks ago left staff completely unable to use its inbox. Matthias Pfau, co-founder and developer of Tutanota, explained: "Dozens of emails were arriving in our inbox every minute, and searching for legitimate emails among this vast number of sign-up emails became quickly impossible. These were definitely two very stressful weeks for us."
Tutanota's blacklists and spam filtering were unable to drain out the unwanted newsletter emails, of which they received about 500,000 within a week. In response, they developed a semi-automated whitelisting approach designed to send newsletter sign-up mails to the spam folder, as explained in a blog post by Tutanota here.
A newsletter attack is akin to a DDoS attack against a mailbox. The easiest solution for private users would probably be to sign up for a new email address and inform important contacts about this move. However, public services, businesses and journalists don't have that option – their addresses must be public so they can be contacted.
"After having 'survived' this attack, we ask all newsletter companies to properly protect their sign-up forms against malicious bot sign-ups," said Pfau. "But judging from the vast amount of newsletters we have received in the past two weeks from all kind of websites around the world – approximately 500,000 – we are pretty sure that this is never going to happen.
"That's why we have implemented our own protection method against newsletter bombs, and we will soon roll out this feature to Tutanota users as well." ®