Data Doctors: Understanding subscription bombing attacks

Q: Why am I being bombarded with email subscription notifications that I never signed up for, including a lot of foreign language sites and what can I do about it?

A: We all experience a variety of junk messages on a regular basis, but when something like this happens, it’s clear that someone is behind this activity.

Your email address is publicly available and there’s no verification system in place to validate the use of it in these schemes.

What you are experiencing is known as “subscription bombing,” used by those with ill intent for reasons that can range from being a nuisance to distracting you from other malicious activity.

The fact that lots of foreign websites are involved points to a scripting tool used by bad actors around the world.


The internet is filled with people that find it amusing to cause others grief, and flooding someone’s inbox with junk messages has long been one of the tactics.

In some cases, the intent is to disrupt the victim’s daily activities by overwhelming their inbox to the point that getting to legitimate messages becomes laborious and frustrating.

It’s often looked at as a type of “denial of service” attack because it can be so disruptive to the victim.

Malicious links

Another possibility is that they include a link that appears to be an unsubscribe button that links to a malicious landing page. The page attempts to compromise you by silently probing your device to see if it’s missing any security updates.

This is sometimes called a “drive-by download” because the malicious website can silently install malicious code onto your device by exploiting known security flaws.

This common attack is why keeping your device updated with the latest security patches and updates is so important.

It’s never a good idea to unsubscribe from anything that you didn’t subscribe to in the first place, especially when it’s clear you’ve been targeted.

Distraction from the real attack

It’s also possible that the onslaught is a diversionary tactic to distract your attention from a legitimate message notifying you of a change to an account or other fraudulent activity.

The intent is to overwhelm you to the point that you stop paying attention to any message that looks like an alert of any kind.

For this reason, it’s critically important that you pay attention to all of the unusual messages you get, so you don’t miss anything that would alert you to malicious activity.

What you can do

Unfortunately, there’s no simple process to magically make this nuisance go away, so you’ll continue to receive the notifications for days, weeks, or even months depending on the script used in the attack.

You may notice that many of the messages are asking you to confirm a subscription, which is known as a double opt-in process. If you don’t respond, you shouldn’t get anything else from that website.

If you don’t have two-factor authentication setup on your critical online accounts, do so immediately to help protect yourself against account takeover attempts.

If you’re not sure how to do it, you can search for instructions by name on the 2FA Directory.

Changing your critical passwords to something you’ve never used before that’s at least 16 characters long is another solid security measure for this and many other exploits being used every day against you.

Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.

Federal News Network Logo
Log in to your WTOP account for notifications and alerts customized for you.

Sign up