I have a client who is the victim of an email bomb. She started receiving hundreds of mails from websites all over the Internet. Nearly all of them were the kind of subscription confirmation email you would get after signing up for a newsletter, forum, or other subscription service. When I say they came from all over, she had emails in French, German, Russian, Chinese, Japanese, and many other languages in addition to English.
This is a DDoS (distributed denial of service) attack, and it happens when an attacker uses automated bots and scripts to sign your email address up to thousands of online registration and subscription forms. Each subscription generates and auto response message. These messages come from many sites, and are not blocked by spam or phishing filters, since they are legitimate responses from trusted websites.
The good news was that most of these email responders required that a link be clicked in order to confirm the “subscription” and consequently, since we were NOT replying, this would be the only email from each particular site. The bad news is that some sites just simply take the subscription without confirming, meaning that regular newsletters and other emails will be coming, and you would need to unsubscribe to each individually.
The purpose of these sorts of attacks are usually to provide distraction from other attacks being carried out simultaneously, such as unauthorized purchases, financial transactions, or credit card usage. The transaction advice emails that are sent get lost in the traffic, as victims resort to bulk deletions to empty their inbox.
The only way to reduce the flow is to set up email filters that block words such as subscription, confirm, confirmation and similar terms found in these emails. You can use Google Translate to find what foreign words you need to block. Working through the barrage may take a week, or two, and in the end you may be stuck with some very persistent newsletter emailers.
If you run a website that has any sort of sign-up or subscription form, be sure to add a CAPTCHA to the form to prevent having your site used for this sort of reflection DDoS attack.