
Email Threat Landscape: 10 Types of Attacks Targeting Your Inbox

Email remains the #1 attack vector for cybersecurity breaches. Over 90% of cyberattacks begin with an email. Understanding what you are up against is the first step to protecting yourself.

1. Phishing

Fake emails impersonating trusted organizations (banks, tech companies, government) to trick you into clicking a malicious link or entering credentials on a fake login page.

How to spot it: Mismatched sender domain, urgent language, suspicious links (hover to check the real URL). See The Anatomy of a Phishing Email.

How Cleanbox stops it: Rspamd's PHISHING symbol detects known phishing URLs. DMARC verification catches domain spoofing. Crowd-sourced reputation flags reported phishing senders.

2. Spear phishing

Targeted phishing aimed at a specific person, using personal information (name, job title, recent purchases) to appear legitimate. Much harder to detect than generic phishing.

How to spot it: Unexpected requests from "colleagues" or "executives," especially involving money transfers, credential sharing, or urgent action.

How Cleanbox stops it: FORGED_SENDER and SPOOF_DISPLAY_NAME symbols detect impersonation. Contact states let you whitelist known contacts so impersonators stand out.

3. Business Email Compromise (BEC)

The attacker compromises or impersonates an executive's email to instruct employees to wire money, share sensitive data, or change payment details. BEC caused over $2.7 billion in losses in 2022 alone (FBI IC3 report).

How to spot it: Unusual payment requests, changes to bank details, pressure to act quickly, requests to bypass normal approval processes.

How Cleanbox stops it: DMARC enforcement catches spoofed domains. The FORGED_SENDER symbol flags mismatched From headers. Shield's Gatekeeper can restrict sensitive aliases to approved senders only.

4. Malware attachments

Emails containing malicious files: executables disguised as documents, Office files with macros, PDF exploits, or infected ZIP archives.

How Cleanbox stops it: ClamAV virus scanning (relay only) detects known malware signatures. The MIME_BAD_ATTACHMENT symbol flags suspicious attachment types.

5. Zero-font attacks

Spammers insert invisible text (font-size: 0, white-on-white) to confuse spam filters. The hidden text may include legitimate-looking words that lower the spam score, while the visible content is pure spam.

How Cleanbox stops it: The ZERO_FONT and R_WHITE_ON_WHITE symbols specifically detect these techniques. You can create a filter to deny all emails with these symbols.
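A minimal detector for the two hiding techniques described above, as an added example (not Rspamd's or Cleanbox's implementation). The names `HiddenText` and `hidden_text` are hypothetical, only inline `style` attributes are inspected, and white-on-white assumes a white message background.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # elements with no closing tag
# font-size of exactly zero (0, 0px, 0.0em), but not 0.8em or 10px.
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
# Foreground colour white (assumes a white message background); the anchor
# at the start keeps "background-color" from matching.
WHITE_TEXT = re.compile(
    r"(?:^|;)\s*color\s*:\s*(?:#fff(?:fff)?\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))",
    re.I)

class HiddenText(HTMLParser):
    """Collect text made invisible by an inline style on it or on an ancestor."""
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, reason or None) for every open element
        self.findings = []  # (reason, hidden text)

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        reason = ("zero-font" if ZERO_FONT.search(style) else
                  "white-on-white" if WHITE_TEXT.search(style) else None)
        if tag not in VOID:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open tag; tolerates unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        reason = next((r for _, r in reversed(self.stack) if r), None)
        if reason and data.strip():
            self.findings.append((reason, data.strip()))

def hidden_text(html):
    parser = HiddenText()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: visible pitch plus two hidden runs of benign-looking words.
SAMPLE = ('<p>Claim your prize now'
          '<span style="font-size:0px">meeting agenda quarterly report</span></p>'
          '<div style="color:#ffffff"><b>invoice attached as discussed</b></div>'
          '<p style="font-size: 10px; color: #333">Unsubscribe</p>')
```

Comparing the hidden text against the visible text is what shows the mismatch a content filter would otherwise score as a single message.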

6. URL-based attacks

Emails with links to malicious websites: credential harvesters, drive-by download pages, or redirect chains that lead to malware. The link text often shows a legitimate URL while the actual href points elsewhere.

How Cleanbox stops it: Rspamd checks URLs against reputation databases. The PHISHING symbol detects URL mismatches. TLD-based filtering can block links to high-risk domain extensions.
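The link-text versus href mismatch described above can be checked mechanically. This is an added example, not Rspamd's PHISHING logic; `LinkAudit`, `same_site` and `link_mismatches` are hypothetical names, and the comparison is a plain suffix match rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# A hostname in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def host_of(href):
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""

def same_site(shown, real):
    """True if the linked host is the shown host or a subdomain of it."""
    shown, real = (h[4:] if h.startswith("www.") else h for h in (shown, real))
    return real == shown or real.endswith("." + shown)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href = None      # href of the <a> currently open, if any
        self.text = []        # visible text collected inside that <a>
        self.mismatches = []  # (host shown to the reader, host actually linked)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            real = host_of(self.href)
            shown = HOST_IN_TEXT.search("".join(self.text))
            if real and shown and not same_site(shown.group(1).lower(), real):
                self.mismatches.append((shown.group(1).lower(), real))
            self.href = None

def link_mismatches(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.mismatches
# Constructed sample links (reserved .example / .test names).
SAMPLE = ('<a href="https://bank.example/login">https://www.bank.example/login</a>'
          '<a href="https://bank.example.evil.test/login">www.bank.example</a>'
          '<a href="https://news.example/today">Read more</a>')
```

The second sample link is the case worth noting: the trusted name appears at the left of the real hostname, so a substring check would pass it while the suffix comparison does not.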

7. Newsletter spam

Unsolicited marketing email from senders you never subscribed to. Often sent via legitimate bulk ESP infrastructure (Mailchimp, SendGrid), making it harder to detect technically.

How Cleanbox stops it: CLEANBOX_BULK_ESP flags email sent through bulk ESPs. One-click unsubscribe lets you opt out instantly. Setting a contact's state to blocked permanently rejects that sender.

8. Registration and password reset bombardment

Attackers submit your email to hundreds of signup forms to flood your inbox with legitimate confirmation emails, hiding a real attack in the noise. See our detailed article on this attack.

How Cleanbox stops it: Shield's rate limiter caps how many emails can arrive per hour. Using unique aliases per service means only the targeted alias is affected.

9. Sextortion and scam emails

Emails claiming to have compromising footage or information, demanding Bitcoin payment. Often include a leaked password from an old data breach to appear credible.

How Cleanbox stops it: The LEAKED_PASSWORD_SCAM symbol specifically detects this pattern (Bitcoin address + threatening language). CLEANBOX_BLOCK triggers when multiple users report the same sender.

10. Display name spoofing

The attacker sets the display name to look like someone you trust ("John Smith - CEO" or "support@paypal.com") while the actual email address is completely different. Most email clients prominently show the display name, making this effective.

How Cleanbox stops it: The SPOOF_DISPLAY_NAME symbol (score +8.0) detects display names that contain email addresses not matching the actual sender. This is one of the highest-scoring symbols in Rspamd.
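The check described above, an address inside the display name that does not match the real sender, sketched as an added example (not Rspamd's SPOOF_DISPLAY_NAME code). `display_name_spoof` is a hypothetical name, the sample headers are constructed, and the address regex is deliberately simplified.

```python
import base64
import re
from email import policy

# Simplified address pattern: enough to find an address embedded in a display name.
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def display_name_spoof(from_header):
    """Return (address shown in display name, real sender) pairs that disagree."""
    # header_factory parses RFC 5322 syntax and decodes RFC 2047 encoded-words,
    # so an address hidden in a base64-encoded display name is still seen.
    header = policy.default.header_factory("From", from_header)
    hits = []
    for mailbox in header.addresses:
        real = mailbox.addr_spec.lower()
        for shown in ADDR.findall(mailbox.display_name or ""):
            if shown.lower() != real:
                hits.append((shown.lower(), real))
    return hits


# Constructed sample headers (reserved .example domains for the real senders).
ENCODED = base64.b64encode(b"support@paypal.com").decode()
SAMPLES = {
    "plain": '"support@paypal.com" <billing@mail-login.example>',
    "encoded": f"=?utf-8?b?{ENCODED}?= <billing@mail-login.example>",
    "title_only": '"John Smith - CEO" <jsmith@corp.example>',
    "consistent": '"jsmith@corp.example" <JSmith@corp.example>',
}
RESULTS = {label: display_name_spoof(value) for label, value in SAMPLES.items()}
```

The `title_only` sample is not flagged because its display name contains no address; name-only impersonation has to be caught by comparing against known contacts instead.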

Layered defense

No single technology stops all threats. Effective email security combines multiple layers:

| Layer | What it catches |
|---|---|
| SPF/DKIM/DMARC | Domain spoofing, forged senders |
| Spam scoring | Content-based spam, Bayesian patterns |
| ClamAV | Malware, trojans, exploits |
| IP blacklists | Known spam infrastructure |
| Contact intelligence | Crowd-sourced sender reputation |
| Shield | Rate flooding, unauthorized senders |
| Filters | Custom rules for your specific needs |

For a practical implementation guide, see Building an Email Security Stack for Small Businesses.
