You step away for ten minutes
You step away from your desk to take a phone call. When you come back, there are two hundred new emails. That was twelve minutes. You check the senders: a local bicycle shop, a hotel in a city you've never visited, a grief counselling newsletter, a religious pamphlet service you've never heard of. Then fifty more arrive while you're processing that. This is what a registration bomb attack looks like from the inside. It started yesterday. It hasn't stopped.
The content is a catalogue of the entire internet
What makes registration bomb attacks uniquely disorienting is the randomness of what arrives. These aren't fake emails or obvious spam. They're real confirmation messages from real organisations: local businesses, global hotel chains, community groups, charities, newsletters, religious organisations, bicycle repair shops, grief support services, local sports clubs. Every single one of them has a signup form on their website. An attacker doesn't need any technical sophistication to do this. They run a script that takes your email address and submits it to thousands of public signup forms simultaneously. The forms do exactly what they're supposed to do. The emails are legitimate. That's precisely the problem.
The websites sending these emails have no idea
The bicycle shop that just sent a welcome email didn't do anything wrong. Their form works correctly. Their email system is functioning normally. They have no visibility into the fact that their signup flow was used as a weapon against a stranger. From their perspective, someone signed up for their newsletter. That happens all the time. This is what makes registration bomb attacks so difficult to counter through conventional means. There is no bad actor to block. There is no suspicious sender. There are only thousands of ordinary organisations whose infrastructure has been silently conscripted into a flood. None of them will ever know.
The pauses are the cruelest part
The attack doesn't arrive as a continuous stream. It comes in waves. For eight minutes, nothing. The inbox settles. You breathe. Maybe it's over. You start working through the backlog. Then eighty more arrive in the next two minutes. This is not accidental. Registration bomb scripts submit to thousands of forms in batches, and confirmation emails arrive in clusters as different services process them at their own pace. Some arrive instantly. Some are delayed by an hour. There is no predicting when the next wave hits. One colleague stepped into a meeting for an hour and came back to three hundred new messages. Another is currently receiving fifty to a hundred new emails every minute. The false quiet between waves is almost worse than the flood itself: it keeps you from doing anything else, because you're always waiting for it to restart.
Everything has to be checked by hand
This is the detail that makes registration bomb attacks genuinely crippling: you cannot simply delete everything. Buried somewhere in the flood is an email from a client, a payment confirmation, a contract, a time-sensitive request. You don't know where it is. You have to look. At fifty to a hundred emails per minute, looking means spending your entire working day doing nothing but sorting. Even generously, identifying and dismissing each email takes two to five seconds. Three hundred emails is twenty-five minutes of work, and that's just to get back to zero, not to actually respond to anything. It gets worse: the same emails appear repeatedly. The same bicycle shop sends another confirmation. The same hotel. The same newsletter. The attacker has submitted your address to the same forms multiple times, in multiple waves, so you cannot even build up a mental list of known senders to dismiss on sight. Every email has to be assessed on its own. The moment you clear the backlog, more arrive. There is no catching up. There is only falling behind at different speeds.
The business cost nobody mentions
The obvious cost is time. The less obvious cost is the cognitive load that never fully lifts. Operating under a continuous attack means a portion of your attention is permanently allocated to managing the flood. Decisions slow down. Real emails get missed. The low-level anxiety of knowing something important might be buried in the noise is constant and exhausting in a way that's hard to explain to someone who hasn't experienced it. The motives behind these attacks vary more than most people realise. Some are cover for financial fraud: a payment confirmation or password reset buried in the noise. Some are blackmail, plain and simple: pay to make it stop. Others have no obvious financial goal at all. The chaos is the point. Infrastructure is being probed for weakness, or an organisation is being destabilised for reasons that have nothing to do with money. In a period of escalating global unrest, registration bomb attacks are increasingly being used to test what breaks and when, and who responds, and how quickly. That context makes them harder to dismiss as a nuisance.
The only solution that works is upstream
There is no way to manage a registration bomb attack efficiently once it's inside your inbox. The only defence that actually works is intercepting it before it arrives, at the network level, where the burst pattern is visible before a single email reaches you. MX Moat sits in front of your mail server as an MX gateway. When hundreds of first-time senders arrive simultaneously from across the internet, the burst pattern triggers detection within minutes. The emails are quarantined before your inbox sees them. Your colleagues keep working. The bicycle shop confirmation never arrives. The grief counselling newsletter never gets a chance to pile up alongside three hundred others just like it.
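The burst pattern described above can be sketched as a per-recipient sliding window over first-time sender domains. This is an added example, not MX Moat's implementation: the class name, the window and threshold values, the addresses and the message timeline are all assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 600   # assumed sliding window (10 minutes)
BURST_THRESHOLD = 5    # assumed; kept low so the constructed sample trips it


class BurstDetector:
    """Flags a recipient when many never-before-seen sender domains arrive together."""

    def __init__(self, known_senders):
        # recipient -> sender domains with prior correspondence (constructed history)
        self.known = defaultdict(set)
        for recipient, domains in known_senders.items():
            self.known[recipient] = set(domains)
        # recipient -> {first-time domain: last arrival time in seconds}
        self.recent = defaultdict(dict)

    def classify(self, ts, recipient, sender):
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain in self.known[recipient]:
            return "deliver"            # established correspondents pass, even mid-burst
        recent = self.recent[recipient]
        # Drop first-time senders that have aged out of the window.
        for old in [d for d, seen in recent.items() if ts - seen > WINDOW_SECONDS]:
            del recent[old]
        # Keyed by domain, so a repeat confirmation from the same shop is not counted twice.
        recent[domain] = ts
        # Promoting a new domain to "known" is out of scope for this sketch.
        return "quarantine" if len(recent) >= BURST_THRESHOLD else "deliver"


# Constructed sample: (seconds since start, recipient, envelope sender)
SAMPLE = [
    (0, "alice@example.com", "news@bikeshop.example"),
    (20, "alice@example.com", "welcome@hotel.example"),
    (45, "alice@example.com", "billing@client.example"),
    (60, "alice@example.com", "hello@griefsupport.example"),
    (90, "alice@example.com", "info@sportsclub.example"),
    (100, "alice@example.com", "news@bikeshop.example"),
    (120, "alice@example.com", "signup@charity.example"),
    (130, "alice@example.com", "billing@client.example"),
    (150, "alice@example.com", "list@pamphlets.example"),
    (2000, "alice@example.com", "hi@newvendor.example"),
]


def run_sample():
    detector = BurstDetector({"alice@example.com": {"client.example"}})
    return [detector.classify(ts, rcpt, sender) for ts, rcpt, sender in SAMPLE]
```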