Subscription Bombing

The Five Stages of Coping

In cybersecurity, the art of distraction is classic offense: flood a victim with noise while silently executing a more sinister attack. One infamous tactic is subscription bombing, where an attacker overwhelms your inbox with thousands of unsolicited subscription confirmations, newsletters, and password reset emails. The intent? To distract and disorient, masking a more severe attack—such as credit card fraud or account takeover. I recently became an unwilling expert on subscription bombing, so why not share what I learned?

My Story

In short, I received nearly 2,000 unsolicited emails in just a few hours. The evening prior, I bought computer parts from an unfamiliar online vendor and the checkout process felt suspicious. I entered my credit card details, only to be redirected unexpectedly to PayPal where I was asked to enter the details again. I ignored my gut feeling… because… well, shiny new toys. That was a big mistake.

Twelve hours later, chaos ensued.

Stage 1: Denial

Maybe denial isn't exactly right, but disbelief definitely set in. It was 9:57 AM, and I was on a client call when my phone began vibrating relentlessly. By 10 AM, my inbox had 61 new emails. Surely whatever was going on wasn't that bad, right? Classic denial.

The first seven emails from the attack

At 10:07 AM, with 174 unread emails piling up, reality struck: two international charges of $3,137.09 each appeared on my credit card. Both labeled ominously as PAYPAL *XUM9. Denial quickly faded into panic.

Actual credit card alerts

Tip: Always trust your instincts. If a transaction feels off, stop immediately and verify the site’s authenticity.

Stage 2: Panic

The subscription bombing effectively overwhelmed my ability to think at my best. I needed to deal with the fraud, but the barrage of emails was driving me crazy. Then I noticed that between 9:52 AM and 10 AM, attackers made 52 attempts to reset my Plex password. These password reset emails were buried under hundreds of subscription confirmations from sites I'd never even heard of. Now I’m wondering if my Plex account is the target, and perhaps they’ve breached my email too? (Note: After later analysis, I don’t believe my Plex account was being targeted.)

4 of the 52 Plex account password reset emails

Advice: Even in your personal life, it never hurts to have an incident response checklist handy. Panicking can lead to missed critical steps.

Stage 3: Action

Regaining composure, I quickly called my bank. Within nine minutes, the fraudulent charges were confirmed, the compromised card number was canceled, and replacement cards were ordered.

Next, I needed to deal with the flood of emails, and running a personal M365 instance helped significantly. I created an Outlook rule to redirect all new emails into a PST file. This stopped my inbox from overflowing and allowed me to use the search and filter features to handle legitimate messages.

Quick Action Tip: Creating inbox rules during an attack can save you from severe disruptions and possible inbox lockouts.

Stage 4: Cleanup & Resolution

Cleanup was arguably worse than the attack itself. Over a week later, I'm still cautiously unsubscribing from hundreds of mailing lists. I say cautiously because wouldn’t it be genius to sneak a phishing attack into an unsubscribe link a few days later? To complicate matters, about 8% of the emails I received were written in non-English languages (26 languages, to be exact).

Side Benefit: I've quickly become proficient in identifying international "unsubscribe" links.

Replacing our credit cards was tedious. I needed to update my card number across numerous accounts—Apple, Amazon, streaming services, and more. To mitigate future issues, I'm now exploring virtual credit card services like Privacy, which significantly limit the impact of compromised card numbers.

I also notified the vendor that I suspected caused my chaos and explained how the website checkout required my card number twice. They were surprised to hear from me, but noted that they recently moved to PayPal after some prior problems. Two days later, the vendor confirmed a breach and vowed improvement, albeit without offering any compensation or detailed reassurance. Skeptical applause?

Email from the compromised website vendor confirming their breach

Cyber Hygiene Tip: Use virtual credit cards for online purchases to simplify incident management and minimize risk.

Stage 5: Post-Mortem Analysis

As a cybersecurity pro, curiosity got the best of me. I extracted and analyzed the 2,000+ emails received in just 24 hours with Python and ChatGPT. The highlights were fascinating and alarming:

  • The peak minute of the attack was at 2025-04-16 15:18, during which 92 emails were received.

  • 291 messages referenced listservs in headers, implying heavy use of mailing list subscriptions, a classic method in subscription bombing attacks.

  • 23 languages were detected, including English, Spanish, Japanese, German, French, Chinese, Russian, etc.

  • The global distribution of TLDs (e.g., .es, .de, .ru, .fr, .nl, .jp, .pl) included 153 international domains. 187 domains were .edu.

  • Password reset forms were abused in the same way as subscription forms wherever a site was known to send a confirmation email. My email address was submitted 52 times to the plex.tv password reset form, and 135 emails in total came from password resets.

  • The most common/repeated sending domains were plex.tv, wsu.edu, golfweek.at and wordpress.com.
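As an added example (not the author's script, which the post does not reproduce), here is a Python sketch of the kind of post-mortem tallying described above: it parses raw RFC 5322 messages and reports the busiest minute, how many messages carry mailing-list headers, the sender-domain and TLD distribution, and password-reset mails found by subject keywords. The sample messages, addresses and domains are constructed for the demo, and `burst_minutes` is a hypothetical helper added to show that the same per-minute count doubles as a simple burst detector a mail rule could mirror. Language detection is left out because it needs a third-party library.

```python
"""Post-mortem statistics for a subscription-bombing burst.

Added example, not the author's script: parses raw RFC 5322 messages and
computes the kinds of figures reported in the Stage 5 analysis. Every
message, address and domain below is constructed for the demo.
"""
from collections import Counter
from datetime import timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Headers that mailing-list software adds (RFC 2369 / RFC 2919).
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Help")
# Subject fragments that mark password-reset mail (extend per language).
RESET_KEYWORDS = ("password reset", "reset your", "mot de passe")

# Constructed sample messages standing in for the captured mailbox.
RAW_MESSAGES = [
    "From: Plex <noreply@plex.example>\n"
    "Date: Wed, 16 Apr 2025 15:18:02 +0000\n"
    "Subject: Reset your Plex password\n\nUse the link below.\n",
    "From: Plex <noreply@plex.example>\n"
    "Date: Wed, 16 Apr 2025 15:18:40 +0000\n"
    "Subject: Reset your Plex password\n\nUse the link below.\n",
    "From: Newsletter <news@shop.example.de>\n"
    "Date: Wed, 16 Apr 2025 15:18:55 +0000\n"
    "List-Unsubscribe: <mailto:unsub@shop.example.de>\n"
    "Subject: Bitte bestaetigen Sie Ihre Anmeldung\n\nDanke.\n",
    "From: Listserv <listserv@lists.example.edu>\n"
    "Date: Wed, 16 Apr 2025 15:19:10 +0000\n"
    "List-Id: <campus-news.lists.example.edu>\n"
    "Precedence: list\n"
    "Subject: Welcome to CAMPUS-NEWS\n\nYou are subscribed.\n",
    "From: Golf <info@golf.example.at>\n"
    "Date: Wed, 16 Apr 2025 15:19:30 +0100\n"   # 14:19 UTC
    "Precedence: bulk\n"
    "Subject: Confirm your subscription\n\nClick to confirm.\n",
    "From: Support <support@shop.example.de>\n"
    "Date: Wed, 16 Apr 2025 15:20:05 +0000\n"
    "Subject: Password reset requested\n\nIgnore if not you.\n",
]


def sender_domain(msg):
    """Domain part of the From address, lower-cased, or None."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def is_list_mail(msg):
    """True when list headers or a list/bulk Precedence are present."""
    if any(h in msg for h in LIST_HEADERS):
        return True
    return str(msg.get("Precedence", "")).lower() in ("list", "bulk")


def is_password_reset(msg):
    """Crude subject-keyword match for password-reset notifications."""
    subject = str(msg.get("Subject", "")).lower()
    return any(k in subject for k in RESET_KEYWORDS)


def message_minute(msg):
    """Message time truncated to the minute, in UTC, or None if undated."""
    date = msg.get("Date")
    if date is None:
        return None
    dt = parsedate_to_datetime(str(date))
    if dt.tzinfo is None:           # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M")


def analyze(raw_messages):
    """Tally the burst: peak minute, list mail, resets, domains, TLDs."""
    per_minute, domains, tlds = Counter(), Counter(), Counter()
    list_mail = reset_mail = 0
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        minute = message_minute(msg)
        if minute:
            per_minute[minute] += 1
        domain = sender_domain(msg)
        if domain:
            domains[domain] += 1
            tlds[domain.rpartition(".")[2]] += 1
        list_mail += is_list_mail(msg)
        reset_mail += is_password_reset(msg)
    peak = per_minute.most_common(1)[0] if per_minute else None
    return {
        "total": len(raw_messages),
        "peak_minute": peak,
        "list_mail": list_mail,
        "password_resets": reset_mail,
        "top_domains": domains.most_common(5),
        "tlds": dict(tlds),
        "per_minute": dict(per_minute),
    }


def burst_minutes(per_minute, threshold):
    """Hypothetical detector: minutes with at least `threshold` messages."""
    return sorted(m for m, n in per_minute.items() if n >= threshold)


if __name__ == "__main__":
    stats = analyze(RAW_MESSAGES)
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("burst minutes:", burst_minutes(stats["per_minute"], 3))
```

Pointing `analyze` at messages read from a real export (for example each message of a `mailbox.mbox` converted with `as_string()`) yields the same fields over the full capture; the threshold in `burst_minutes` is the knob to tune against your normal inbound rate before wiring it into an alert.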

Pro Tip: Consider using email aliases or dedicated addresses for different services, enabling easier identification and isolation when compromised.

Final Thoughts

Subscription bombing isn't just a nuisance; it's a smoke-screen attack method masking more severe threats. Early detection, rapid response, and proactive security measures (such as virtual credit cards) can greatly mitigate damage. Take it from me, even the pros aren't immune. Stay vigilant and remember, when something feels off, it probably is.