Email bomb mitigation

An email bomb is a kind of online attack in which the attacker sends a massive number of emails to a specific address or computer network in order to overflow the recipient's inbox.

An increasingly common form of this attack consists of bombarding the user's mailbox with signup confirmation emails.

ProtonMail offers spam filtering to prevent spam messages from reaching the inbox. However, in the case of email bombs, the spamming activity tends to come from legitimate signup forms, which may in some cases make the spam filter ineffective. For these situations, you can use a more advanced sieve filter. This article will explain the steps to add a sieve filter to your inbox.

IMPORTANT: The sieve filters below carry a risk of false positives, meaning they may filter out legitimate messages as well. For this reason, we recommend keeping them active only for the duration of the attack.

How to mitigate an email bomb with a sieve filter

Log into your account on the web version of ProtonMail at mail.protonmail.com and follow these steps:

1. Create a label that will be applied to all emails identified as part of the mail bomb attack.

  • Go to Settings -> Folders/Labels.
  • Click on “ADD LABEL”, create a label called “Mail bomb” and click on “Save”.

2. Create a sieve filter that will either discard all messages or send all messages to your Spam folder.

  • Go to Settings -> Filters and click on “ADD SIEVE FILTER”.
  • In the “Name” field, create a name for your sieve filter.
  • In the “Sieve script” field, copy and paste one of the code options below.

There are four sieve filter options you can use, depending on the characteristics of the emails you are receiving and what you want to do with the emails caught by the filter:

  1. A filter that discards the messages based on header content containing certain common keywords. When this filter is applied, the filtered messages will never reach the Inbox, which is why we suggest applying sieve filters for only the duration of the attack:
if anyof (
    header "x-auto-response-suppress" ["OOF", "AutoReply"],
    header "precedence" "bulk",
    header "auto-submitted" "auto-generated",
    exists "form-sub",
    exists "list-unsubscribe",
    exists "x-php-script",
    exists "x-php-originating-script"
) {
    discard;
}
  2. A slightly softer variant of the first option. Rather than discarding the messages, this filter moves them to your Spam folder and applies the “Mail bomb” label:
require "fileinto";

if anyof (
    header "x-auto-response-suppress" ["OOF", "AutoReply"],
    header "precedence" "bulk",
    header "auto-submitted" "auto-generated",
    exists "form-sub",
    exists "list-unsubscribe",
    exists "x-php-script",
    exists "x-php-originating-script"
) {
    fileinto "spam";
    fileinto "Mail bomb";
}
  3. A filter that moves incoming registration and/or subscription forms to Spam and applies the “Mail bomb” label:
require "fileinto";
if allof (
    header :contains "Subject"
        [
            "subscription",
            "mailing",
            "subscribing",
            "confirm",
            "Welcome to",
            "activation",
            "verify",
            "registration",
            "activate",
            "your account",
            "verification",
            "signing up",
            "registering",
            "new account",
            "username and password",
            "registered",
            "welcome",
            "password",
            "account details",
            "verify your"
        ]
) {
    fileinto "spam";
    fileinto "Mail bomb";
}
  4. A filter that moves all newsletter messages to your Spam folder and applies the “Mail bomb” label. This filter will also match emails from the domain “mypapertoday.com”.
require "fileinto";
if anyof (
    header :contains "Subject" 
        [
            "Newsletteranmeldung",
            "Newsletterregistrierung",
            "Newsletter",
            "Anmeldung",
            "potwierdzenie",
            "subskrypcji",
            "inscripción",
            "revista",
            "conferma",
            "inscrizione",
            "validation",
            "willkommen",
            "inscription",
            "account details",
            "Aktivierung",
            "Benutzerkontendetails",
            "bienvenue sur",
            "bienvenido",
            "новом пользователе",
            "benvenuto nel Forum",
            "Hoşgeldiniz",
            "Vítejte na",
            "пожаловать",
            "Bine aţi venit",
            "Üdvözlünk a",
            "fórumon",
            "Witamy na",
            "Velkommen til",
            "Tervetuloa",
            "unirte",
            "Welkom op",
            "activer",
            "Usuario",
            "Välkommen till",
            "Bem vindo",
            "Registrierungsanfrage",
            "注册",
            "подтверждения",
            "регистрацию",
            "Регистрационные",
            "konto",
            "dettagli account",
            "registratie",
            "conta",
            "cuenta",
            "compte",
            "registrazione",
            "contului",
            "konta",
            "aktivoi"
        ],
    address :domain :contains "From" "mypapertoday.com"
) {
    fileinto "Mail bomb";
    fileinto "spam";
}

For messages moved to Spam, you can easily review them later (by searching for the “Mail bomb” label) to make sure no messages were caught by the filter by mistake. You can change the label used by the filter by replacing “Mail bomb” in options 2 through 4 above with whatever you prefer.
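
To gauge the false-positive risk before enabling the first or second option, the same header tests can be dry-run against raw message text. This is an added example, not part of the original article or ProtonMail's own code: it reimplements those two filters' tests in Python, and the function names, sample messages and addresses are constructed for illustration.

```python
from email import message_from_string

# Header tests copied from the first two filter options in this article.
IS_TESTS = {
    "x-auto-response-suppress": ["OOF", "AutoReply"],
    "precedence": ["bulk"],
    "auto-submitted": ["auto-generated"],
}
EXISTS_TESTS = ["form-sub", "list-unsubscribe", "x-php-script",
                "x-php-originating-script"]


def matched_tests(raw_message):
    """Return the tests of the anyof(...) block that this message satisfies."""
    msg = message_from_string(raw_message)
    hits = []
    for name, wanted in IS_TESTS.items():
        # Sieve's default match type is :is with the i;ascii-casemap
        # comparator: the whole trimmed value must be equal, ignoring case.
        values = [v.strip().lower() for v in msg.get_all(name, [])]
        if any(w.lower() in values for w in wanted):
            hits.append("header " + name)
    for name in EXISTS_TESTS:
        if msg.get(name) is not None:  # header names are case-insensitive
            hits.append("exists " + name)
    return hits


def dry_run(raw_messages):
    """Map each Subject to the tests it trips (empty list = stays in Inbox)."""
    return {message_from_string(m)["Subject"]: matched_tests(m)
            for m in raw_messages}


# Constructed sample messages (not real mail).
SAMPLES = [
    "From: forum@signup.example\nSubject: Confirm your registration\n"
    "X-PHP-Originating-Script: 33:mail.php\nPrecedence: bulk\n\nClick here.\n",
    "From: friend@person.example\nSubject: Lunch on Friday?\n\nAre you free?\n",
    "From: billing@shop.example\nSubject: Your invoice\n"
    "List-Unsubscribe: <mailto:unsub@shop.example>\n\nInvoice attached.\n",
]

if __name__ == "__main__":
    for subject, hits in dry_run(SAMPLES).items():
        print(("CAUGHT " if hits else "kept   ") + subject, hits)
```

The third sample is the false positive to watch for: a legitimate invoice is caught only because it carries a List-Unsubscribe header.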

Please note that free plans have limitations on the number of filters and labels that can be used.

Finally, you can read our article about avoiding spam to learn more about how to prevent similar kinds of attacks in the future.