MailBait Floods: What to do? : Constant Edge

This article will cover what Mailbait is and the best process to reduce the amount of mail received in ProofPoint

What is Mailbait?

Mailbait Flood is a term used to describe the practice of flooding someone's email inbox with a large number of spam or junk emails. The term "Mailbait" refers to a website that provides a service for sending large volumes of emails to an email address. This service is often used by spammers to inundate someone's inbox with unwanted messages, which can be disruptive and annoying.

You will know if a user is affected by mailbait if they start receiving hundreds/thousands of subscription confirmation requests from various web forums, newsletter services, and just about every language known to man.

Why doesn't ProofPoint block it?

Because these are otherwise legit emails. There's not malicious, they're not bulk because it's only a single email coming from a given source. There's just lots of them coming in, in a very short time span.

What can you do about it?

The only thing we would recommend would be to create a temporary trust list based on the last 30 days of legit senders the person had in the proofpoint message log and then block anything else that is coming in that isn't on this trusted list.

Note that a mailbait attack only lasts a few days. So when the bot finally finishes looping through all it's known reservoir of newsletters and web forms to subscribe your user to, the volume should abate.

How do I make that trust rule?

First, go into the proofpoint message log and locate the day the mailbait started. You want to get all the CLEARED emails that were delivered prior to that day.

For example, the user is test@domain.com and the mailbait started on March 22nd 2022. I want all the good mail that came in from March 21st and prior.

Don't forget to put your designated victim in the to field. Once you have the results, click on the export button.

You'll get a CSV file ...

Open the CSV file with excel, and then do a data filter on the first line

Start by removing duplicates based on the "from" column and then you probably want to filter out anything with the word "bounce", "no-reply", "noreply"

By just removing dupes and "noreply"/"bounce" entries, you should go from several thousand senders to a few hundred.

Copy paste the FROM column to a text editor e.g notepad

In my case, I went from a starting 2000 entries down to 96 just with the dupe removals and the omission of obvious newsletters. I could chop it down some more since there are some obvious newsletters present I could trim down ...

After trimming, I've only got around 40 recipients I want to receiving mail from (example). in the same text editor, I add a comma to each entry except the last one.

After wards, go to proofpoint and create a new inbound rule:

So basically -- block everything coming for this user EXCEPT those that are in the listed addresses in the rule.

This should tie over your end users for the day or so the mailbait flood runs.

Remember to turn off the rule soon after

MailBait Floods: What to do? Print

Related Articles