What is a Registration Bomb Attack?

Last Tuesday, 500,000 emails hit one inbox in four hours. The victim's spam filter didn't catch a single one. Here's exactly how registration bomb attacks work, and why your current setup can't stop them.

The attack that looks like nothing

Imagine opening your inbox to find it buried under 500,000 emails. Confirmation emails. Welcome emails. Newsletter opt-ins. Every single one is technically legitimate, sent by real companies like Spotify, LinkedIn, and thousands of smaller services. Your spam filter passes every one because, from its perspective, nothing is wrong.

How it works

A registration bomb is simple to execute. An attacker writes a script that takes your email address and submits it to thousands of online registration forms simultaneously. Within minutes, every service on that list sends you a confirmation email. The attacker doesn't need to hack anything. They don't send a single email themselves. They just pull a trigger and let the internet do the rest.

Why your spam filter can't catch it

Traditional spam filters look at the content and sender reputation of individual emails. A registration bomb defeats this completely, because each email, taken on its own, is perfectly normal. The "Verify your account" email from Spotify is not spam. The welcome email from a newsletter you were signed up for without your consent is not spam. The pattern only becomes visible when you look at hundreds of emails arriving from hundreds of different senders in minutes. That's not something individual spam filters are designed to detect.

What the attacker wants

Registration bombs are almost always a distraction. While your inbox is paralysed under a flood of noise, the attacker is doing something else: a fraudulent bank transfer, an account takeover, a password reset email buried somewhere in the chaos. By the time you dig through the flood, the real damage is done.

The only effective defence is upstream

Because the attack happens at the network level, with thousands of senders and coordinated timing, the defence has to happen at the network level too. That's what MX Moat does. By sitting in front of your mail server as an MX gateway and scoring traffic at the ASN (autonomous system number) level, MX Moat detects the burst pattern within minutes and quarantines the flood before it reaches your inbox. Legitimate email passes through normally. Your inbox stays usable.

Frequently Asked Questions

Can I recover from a registration bomb attack without a gateway?

You can, but it's painful. It requires manually filtering thousands of emails, unsubscribing from hundreds of services, and hoping the attacker doesn't repeat the attack. A gateway prevents the problem entirely.

Do I need to change my email provider?

No. MX Moat sits in front of your existing provider: Office 365, Gmail, or anything else. You change one DNS record and your mail flows through MX Moat first. Your provider never changes.

How quickly does MX Moat detect an attack?

Typically within 3-5 minutes. The burst detection triggers as soon as the pattern becomes statistically significant, usually after the first 10-15 emails from first-time senders in a short window.
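
The burst pattern described above can be sketched as a per-recipient sliding window over first-time sender domains. This is an added example, not MX Moat's implementation: the class and function names, the 5-minute window, the threshold of 10 and all addresses are assumptions or constructed sample data, and it does not model ASN-level scoring.

```python
from collections import deque
from datetime import datetime, timedelta

class BurstDetector:
    """Counts mail from first-time sender domains per recipient in a sliding window."""

    def __init__(self, window=timedelta(minutes=5), threshold=10):
        self.window = window        # assumed value, not a product setting
        self.threshold = threshold  # assumed value, not a product setting
        self.known = {}             # recipient -> sender domains delivered before
        self.recent = {}            # recipient -> arrival times of first-time senders

    def observe(self, ts, sender, recipient):
        domain = sender.rsplit("@", 1)[-1].lower()
        rcpt = recipient.lower()
        known = self.known.setdefault(rcpt, set())
        recent = self.recent.setdefault(rcpt, deque())
        while recent and ts - recent[0] > self.window:
            recent.popleft()                    # expire arrivals outside the window
        if domain in known:
            return "deliver"                    # established correspondents are untouched
        recent.append(ts)
        if len(recent) >= self.threshold:
            return "quarantine"                 # burst of unfamiliar senders in progress
        known.add(domain)                       # ordinary new sender: remember it
        return "deliver"

def simulate(n, gap_s):
    """Replay n constructed signup confirmations gap_s seconds apart, plus one
    message from an already-known sender arriving mid-flood."""
    rcpt = "victim@corp.example"
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    det = BurstDetector()
    det.observe(t0 - timedelta(days=1), "alerts@bank.example", rcpt)  # prior history
    events = [(t0 + timedelta(seconds=i * gap_s), f"noreply@service-{i}.example")
              for i in range(n)]
    events.append((t0 + timedelta(seconds=gap_s * (n + 1) / 2), "alerts@bank.example"))
    return [(s, det.observe(ts, s, rcpt)) for ts, s in sorted(events)]

if __name__ == "__main__":
    for sender, verdict in simulate(30, 2):
        print(f"{verdict:10} {sender}")
```

With 30 signups two seconds apart, the first nine are delivered before the threshold is reached, the remaining 21 are quarantined, and the message from the known sender still gets through; the same 30 senders spread ten minutes apart never trigger the window.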

Don't Wait for the Attack

Registration bombs don't send warnings. By the time you notice, 100,000 emails are already in your inbox. Protect your domain now.