Email Bomb Hit Tutanota's Contact Mail Address with 500.000 Newsletters

Two weeks ago a massive email bomb has been executed against Tutanota's main contact mailbox hello@tutao.de, which sent 500.000 newletters to this mailbox rendering it useless. The attacker has automatically signed up Tutanota's main mail address to thousands of online newsletters so that confirmation request mails hit the hello-mailbox continuously. Until we implemented a protection method around half a million unwanted mails were received.

Now that we have implemented a fix, we want to apologize to our users, and in particular to businesses interested in Tutanota, who were contacting us during that time. It was impossible for us to find the legitimate mails among the hundreds of thousands of newsletter mails, so unfortunately we weren't able to answer.

It took us several days to stop this attack, and the fact that about 30 new mails were popping up each minute did not make things easier. Now that we have fixed the issue, we are working hard on catching up on your mails.

No mail service offers protection against newsletter bombs

The newsletter bomb is a known attack that has been going on for a while. Security Blogger Brian Krebs has reported on email bombs when he was targeted himself (along with over 100 dot-gov (.gov) email inboxes) last year: "The emails came in at a rate of about one new message every 2-3 seconds. By the time I’d finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails. For most of the weekend until I got things under semi-control, my Gmail account was basically useless."

As far as we are informed no mail provider has come up with a solution so far. Mail services can't protect their users from this attack because they can't put all newsletter services on a blacklist. It is impossible for the mail services to differentiate between legitimately signed up for newsletters and newsletters that were being signed up for illegitimately by an attacker.

Newsletter attack very easy to execute

The problem with the newsletter attack is that it is so easy to execute. It can be targeted to every publicly known mail address: The attacker simply uses a webcrawler that searches for webforms with input[type=email] fields. Then the bot automatically signs up a particular mail address to thousands of newsletters on the entire internet.

As a consequence, the targeted mailbox becomes useless as people need to spend hours to delete these mails and to unsubscribe from these unwanted newsletters.

Tutanota is the first to offer protection from newsletter attacks

That's why Tutanota's fix turns the verification process of newsletter emails around: Instead of asking the recipient to verify that they really signed up for the newsletter in question, any email coming from a non-whitelisted domain (ie. unwanted newsletters) is at first moved to the spam folder automatically.

How Tutanota's protection works

Our approach to protect a mailbox from newsletter bombs is a semi-automated whitelisting approach:

  • We whitelisted important mail addresses and mail domains so that these legitimate emails would be sent to our inbox.
  • We sent all other mails to the Spam folder. The sender is notified about this, if he can be authorized via SPF (to prevent backscatter). The notification contains a link that might be used by the sender to get whitelisted immediately and to move the mail to our inbox automatically. The original attackers are not able to click this link, as they never receive these responses.
  • We batch-delete all Spam mails once a week.

This way we still receive important messages but do not have to manually filter through the mail flood.

DDoS attack against a personal mailbox

The newsletter bomb is like a DDoS attack against a personal mailbox because the user will be unable to work with this mailbox. The easiest solution for private users would probably be to sign up for a new mail address and inform all legitimate contacts about this move.

With Tutanota this is not necessary. We are able to protect any Tutanota mailbox against these attacks by sending all newsletter sign-up mails to the spam folder (as described above). So why not sign up for our secure mailbox in the first place!

Newsletter email bombs can't hit Tutanota again

Looking back, these were some stressful days for our developers, but also for our users who had to wait for our replies longer than usual. But after all, we can now say that we are prepared for the future. Newsletter bombs are no longer a threat to Tutanota account owners.

Free your data from mass spying!

and get your encrypted mailbox for free now.

Matthias is co-founder and developer of Tutanota. I write code to fight for our human right to privacy. I want to create a cloud service which is so easy to use and so secure that it locks out all the spies. We really deserve better.

Posted on: 2017-05-10

Share

Comments