It was 10 am on a hot, humid Tuesday in August when I decided I could finally relax. After a frantic weekend of finishing a big story—and typing so much that my forearms tingled—I needed to decompress.

I placed my phone on do not disturb, turned on my air conditioner, and blissfully spent an hour contorting myself into various poses on the yoga mat next to my bed.

Precisely at 11 am, my yoga routine finished, I turned my phone back on to see a text message from my colleague Lauren Kirchner: “I am under some kind of email attack.”

This article was co-published with ProPublica, where author Julia Angwin is a senior reporter.

I was chagrined but not surprised. Lauren had been harassed all weekend, a result of an article we had coauthored about companies such as PayPal, Newsmax, and Amazon whose technologies enabled extremist websites to profit from their hateful views. Simply in the interest of journalistic fairness, Lauren had sought comment from about 70 websites designated as hateful by the Southern Poverty Law Center and the Anti-Defamation League.

In return, her voicemail and her email inbox were filled with threats and insults. Her Twitter mentions were filled with people criticizing her appearance. Several of the sites she contacted posted negative articles about her, calling her a “fascist” and a “troll.” Alarmed, she had asked the security guards in our building to not let anyone into the office who asked for her.

But then I looked at my inbox and realized that something troubling was happening to me too: 360 emails had poured in while I was pretzeling myself. Every single one was a confirmation of a newsletter subscription or account signup from a website I’d never heard of.

“Thanks for signing up, here is your coupon!” an email from the Nature Hills Nursery said. “Please Confirm Subscription” Fintirement said. “Account details for xvwgnagycdm 1992 at ami-forum.org are pending admin approval,” a Montessori organization in Australia said.

“I am under some kind of email attack as well. Jesus,” I texted Lauren. Then I messaged my colleague Jeff Larson, who had shared a byline with me and Lauren on the article. His inbox was flooded too. Fortunately the inbox of our part-time colleague Madeleine Varner, who also had a byline but whose email address is not published on our website, was quiet.

As a reporter who has covered technology for more than two decades, I am familiar with the usual forms of internet harassment—gangs that bring down a website, haters who post your home address online, troll armies that hurl insults on a social network. But I’d never encountered this type of email onslaught before. I wasn’t sure what to do. “Hey Twitter—any advice on what to do when somebody malevolent signs you up for a thousand email subscriptions, making your email unusable?” I tweeted.

At first it seemed like a funny prank, like ordering pizza delivered to an ex-boyfriend’s house. “TBH [to be honest] it’s kind of a clever attack,” I tweeted again.

But as the emails continued to roll in, my sense of humor faded. By noon, the entire email system at our employer, ProPublica, was overwhelmed. Most of my colleagues could not send or receive messages because of the backlog of emails to me, Jeff, and Lauren that were clogging the spam filters.

The tech team advised that it would likely have to block all incoming emails to our inboxes—bouncing them back to senders—to save the rest of the organization. A few hours later, when ProPublica pulled the plug on our email accounts, I realized that what our attackers did was no joking matter; they had cut off our most important avenue of communication with the world. “Preparing to say goodbye forever to my inbox,” I tweeted. “It does seem like killing a reporter’s email account is the definition of a chilling effect, no?”

[Image caption: “Email senders are not in the business of making it harder for people to receive their missives.” Credit: Mark Pernice for WIRED]

Later I learned that the type of attack aimed at me and my colleagues is often called “email bombing” or “subscription bombing.” It’s clever jujitsu that turns one of the hallmarks of spam prevention—the confirmation email—into a spam generator. It works like this: The attacker uses an automated program to scan the web for any signup form that asks for an email address, from a newsletter subscription to an account registration. It then inserts the target’s email address into each of the forms, flooding the victim with confirmation emails.
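Seen from the receiving mail system, the flood described above is a burst of confirmation-style messages to one address from many unrelated sender domains in a short time. The Python below is an added example for spotting that pattern in message metadata; it is not from the original article or from ProPublica's tooling, and the subject keywords, the 60-minute window, the 20-domain threshold, and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subject cues typical of signup confirmations (assumed list; tune per site).
CONFIRM_RE = re.compile(
    r"confirm|subscri|signing up|signed up|welcome|account details|verify", re.I)

def find_bombed_recipients(messages, window=timedelta(minutes=60),
                           min_domains=20):
    """Return {recipient: peak distinct sender domains} for recipients who get
    confirmation-style mail from >= min_domains different sender domains
    inside one sliding window. Both thresholds are assumptions."""
    recent = defaultdict(deque)   # recipient -> deque of (time, sender domain)
    flagged = {}
    for ts, sender, rcpt, subject in sorted(messages):
        if not CONFIRM_RE.search(subject):
            continue              # ordinary mail never counts toward the burst
        q = recent[rcpt]
        q.append((ts, sender.rsplit("@", 1)[-1].lower()))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop entries older than the window
        domains = {d for _, d in q}
        if len(domains) >= min_domains:
            flagged[rcpt] = max(flagged.get(rcpt, 0), len(domains))
    return flagged

def sample_messages():
    """Constructed sample: 30 signups in 30 minutes for one address, plus one
    ordinary message and one lone confirmation for a different address."""
    t0 = datetime(2000, 1, 1, 10, 0)   # constructed timestamp
    msgs = [(t0 + timedelta(minutes=i), f"noreply@site{i}.example",
             "reporter@newsroom.example", "Please Confirm Subscription")
            for i in range(30)]
    msgs.append((t0, "editor@newsroom.example", "reporter@newsroom.example",
                 "Draft for review"))
    msgs.append((t0, "news@list.example", "colleague@newsroom.example",
                 "Thanks for signing up, here is your coupon!"))
    return msgs

if __name__ == "__main__":
    print(find_bombed_recipients(sample_messages()))
```

Counting distinct sender domains rather than raw message volume keeps a single chatty mailing list from triggering the flag, while a spread of one-off confirmations from unrelated sites does.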