Registration and Password Reset Bombardment: How to Stop It
You wake up to 300 emails. Half are "Confirm your registration" from sites you have never visited. The other half are "Password reset request" from services you actually use. Your inbox is unusable. This is registration and password reset bombardment.
How the attack works
The attacker does not need your password. They only need your email address. Here is what happens:
- The attacker collects your email address (from a data breach, public profile, or website scraping)
- They use automated tools to submit your email to hundreds of registration forms and password reset pages across the web
- Each site sends you a legitimate email: "Welcome to our service" or "Reset your password"
- Your inbox fills with hundreds of legitimate-looking emails from real services
The emails are genuine — they actually come from the services. This makes them impossible to filter with traditional spam detection because they pass SPF, DKIM, and DMARC. They are real emails triggered by a malicious actor.
Why attackers do this
- Distraction — Flood your inbox to hide an important email (like a "your bank transfer was approved" notification from an account they compromised)
- Harassment — Harassment with plausible deniability: the attacker did not "send" anything, the websites did
- Testing — Verify that your email address is active before a targeted attack
Why traditional filters do not help
Each individual email is legitimate: real DKIM signatures, real SPF passes, real unsubscribe links. Spam filters are designed to catch forged or unwanted bulk email, not genuine one-off messages from real services. Blocking "Welcome to Twitter" would also block your own future signups.
How to stop it
Prevention: aliases per service
The most effective prevention is using a unique alias per service. If your LinkedIn alias is linkedin-abc@cleanbox.me, an attacker submitting that address to 200 registration forms only affects that one alias. Your primary inbox stays clean. And you can disable the alias temporarily until the bombardment stops.
During an attack: Shield rate limiter
If bombardment is happening right now, Shield's rate limiter can cap how many emails arrive per hour or per day. Set a temporary limit of 5 emails per hour on the affected alias — the excess is automatically rejected until the attack subsides.
During an attack: delivery snoozer
Alternatively, use the delivery snoozer to pause delivery entirely. Set a delivery window that is in the past (or a 1-minute window) and messages accumulate without flooding your inbox. Review and release them when the bombardment stops.
After an attack: audit and rotate
- Check which alias received the bombardment — this tells you where your address was exposed
- Change your email on the affected services to a new alias
- Disable the compromised alias
- Review your accounts for unauthorized access (the bombardment may have been a distraction)
For website owners
If your site is being used as a tool in these attacks (your registration or password reset forms are being abused), you should:
- Add CAPTCHA to registration and password reset forms
- Rate-limit registration and reset requests per IP and per email address
- Implement email verification before sending welcome emails (double opt-in)
- Monitor your outbound email logs for sudden volume spikes
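The two throttling controls described on this page (the per-alias cap on incoming mail, and the per-IP and per-email limit on reset requests) are the same sliding-window mechanism applied on different sides, and the outbound-volume monitoring is a simple baseline comparison. The following is an added example written for this article, not Shield's or cleanbox.me's code; the class and function names, the limits chosen, the log line format and the log contents are all constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import median
import re


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any trailing `window` seconds."""

    def __init__(self, limit: int, window: int):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of accepted events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and q[0] <= now - self.window:  # age out old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def throttle_inbound(messages, limit=5, window=3600):
    """Mailbox side: cap deliveries per alias (the 5-per-hour cap in the text).
    messages: iterable of (unix_timestamp, alias). Returns (delivered, rejected)."""
    limiter = SlidingWindowLimiter(limit, window)
    delivered, rejected = [], []
    for ts, alias in sorted(messages):
        (delivered if limiter.allow(alias, ts) else rejected).append((ts, alias))
    return delivered, rejected


def gate_reset_requests(requests, ip_limit=10, email_limit=3, window=3600):
    """Website side: a reset request must pass both the per-IP and per-email limit.
    requests: iterable of (unix_timestamp, ip, email). Returns one bool per request.
    A request blocked at the IP layer does not consume the address's budget."""
    by_ip = SlidingWindowLimiter(ip_limit, window)
    by_email = SlidingWindowLimiter(email_limit, window)
    return [by_ip.allow(ip, ts) and by_email.allow(email.strip().lower(), ts)
            for ts, ip, email in requests]


# Constructed outbound mail log format (hypothetical): "<ISO time> template=<name> to=<addr>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z template=(\S+) to=(\S+)$")


def hourly_counts(lines):
    """Count sent messages per template per hour from the constructed log format."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            hour, template, _ = m.groups()
            counts[template][hour] += 1
    return counts


def spikes(counts, factor=5, min_count=20):
    """Flag (template, hour, count) where an hour's volume is at least `factor` times
    the template's median volume in the other hours, and above an absolute floor."""
    flagged = []
    for template, per_hour in sorted(counts.items()):
        for hour, n in sorted(per_hour.items()):
            others = [v for h, v in per_hour.items() if h != hour]
            baseline = median(others) if others else 0
            if n >= max(min_count, factor * baseline):
                flagged.append((template, hour, n))
    return flagged


def constructed_log():
    """Constructed sample: five quiet hours, then an hour of reset mail to one address."""
    lines = []
    for hour in range(9, 14):
        for i in range(2):
            lines.append(f"2024-05-01T{hour:02d}:{i:02d}:00Z template=password_reset to=user{i}@example.org")
        for i in range(3):
            lines.append(f"2024-05-01T{hour:02d}:{i + 10:02d}:00Z template=welcome to=new{i}@example.org")
    for i in range(60):
        lines.append(f"2024-05-01T14:{i % 60:02d}:{i:02d}Z template=password_reset to=victim@example.org")
    return lines


if __name__ == "__main__":
    print(spikes(hourly_counts(constructed_log())))
```

The inbound cap rejects the sixth message in any rolling hour for a given alias, which is why the text recommends it only as a temporary measure: unlike the snoozer, rejected mail is not held. On the website side, keying on both IP and normalised email address matters because bombardment tools rotate source addresses while repeating the target address, and the spike check compares each hour against the template's own typical volume rather than a fixed number, so a site with naturally busy signup periods is not paged on every normal peak.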