35 points by Philpax 3 hours ago | 11 comments
  • hampus 2 hours ago
    If your email service supports Sieve scripts (for example, Fastmail or Proton Mail), you can use this filter [1] that I made. It's very aggressive and will block all emails that originate from Zendesk, so you'll need to disable it whenever you're actually expecting mail from Zendesk.

    [1]: https://gist.github.com/hampuskraft/780c8fbcc4042689153533ef...

  • dewey a minute ago
    Glad I'm not the only one. It seems to use {popular website without tld}@example.com as a pattern, so I'm getting a lot via my catch all address even if I haven't used the specific inbox yet.
  • spike_protein 2 hours ago
    I've got four emails, and I've no idea what’s going on. (I have a public email address on GitHub)
    • bentley an hour ago
      It seems to have started two weeks ago. A spammer realized that one can find a Zendesk‐based help forum, open a new ticket without an account, fill the ticket with spam URLs, and put an email address scraped from GitHub commit logs in the author email field. Zendesk would “helpfully” send the “author” the contents of the ticket, becoming in effect an open relay for spam emails. Two weeks ago is when the spammer started the attack in earnest: I received hundreds of these spam emails, typically one or two per Zendesk‐hosted help forum, sent to email addresses that I’ve only ever used on GitHub. It was discussed a bit on HN: https://news.ycombinator.com/item?id=46685768

      Since then, Zendesk seems to have strengthened their system so that opening a ticket requires account activation first. Leading to today, when I’ve received thousands of signup attempt emails (again, typically one or two per Zendesk‐hosted forum). This is way more emails than I got last time. I hypothesize that the spammer is doing a “last gasp” attack: now that Zendesk has burned the exploit by no longer including the ticket text in the emails, the spammer is trying every Zendesk site it knows in hopes that some of them are slow to update and still forward the ticket text to the victim.

  • semiquaver 12 minutes ago
    Zendesk’s mailserver reputation has got to be extremely poor by now. I think they will have trouble with deliverability after this is over. Got about 50 of these today and nearly all of them were categorized as spam before they made it to the inbox despite being nominally “legit”.
  • dang 2 minutes ago
    I got about 50 of these this morning and thought it was a disgruntled HN user.
  • axka 2 hours ago
    I'm getting emails titled "Activate account for ...", and addressed to random names of web services at my domain (e.g. reddit@example.org). Also Twitch-related names like pog, kekw and xqc.

    Also super annoying are crypto scams sent from an Italian ISP's (tiscali.it, shame on you) email service, even though I tried to contact the ISP, but that's unrelated to this.

    • trevyn 2 hours ago
      Yep, same here, with those exact prefixes...
  • graton 2 hours ago
    Same. I've gotten over 30 I think.
  • bitwize125 2 hours ago
    sounds like a sign up bomb for github addresses, these are typically used to hide new login notifications by threat actors
  • _Chief an hour ago
    Received 15+ in 10mins on a public email (dropbox, soundcloud, gitlab, tidelift etc). Then just started hitting handles on the domain ( diddy@, epstein@ ). Just placing an aggressive block for "Activate account" and "zendesk" in content for now
  • petetnt 2 hours ago
    Started getting these too just now
  • noname120 3 hours ago
    Yeah same here, specifically on my (public) GitHub email address
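
The content rule _Chief describes ("Activate account" in the subject plus "zendesk" in the message), written out as a mailbox triage pass. This is an added example, not code from any commenter and not hampus's gist; the sample messages, addresses, footer wording, `KNOWN_ALIASES` and the function names are all constructed assumptions. It also lists what was not quarantined, since bitwize125 notes that floods like this can bury real login notifications.

```python
from collections import Counter
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: local parts you actually handed out on the catch-all domain.
KNOWN_ALIASES = {"github", "billing"}

def make(frm, to, subject, body):
    return f"From: {frm}\nTo: {to}\nSubject: {subject}\n\n{body}\n"

# Constructed sample messages (not real mail; footer wording is invented).
SAMPLES = [
    make("support@vendor-a.example", "reddit@example.org",
         "Activate account for Vendor A Help", "Follow the link. Delivered by Zendesk"),
    make("support@vendor-b.example", "pog@example.org",
         "Activate account for Vendor B Support", "Follow the link. Delivered by Zendesk"),
    make("security@service.example", "github@example.org",
         "New login to your account", "A new device signed in."),
    make("support@vendor-a.example", "billing@example.org",
         "Re: invoice question", "Thanks for contacting us. Delivered by Zendesk"),
]

def is_signup_bomb(msg):
    """Both conditions must hold, so an expected Zendesk reply is not caught."""
    subject = str(msg.get("Subject", "")).lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    haystack = (str(msg.get("From", "")) + "\n" + body).lower()
    return "activate account" in subject and "zendesk" in haystack

def triage(raw_messages):
    """Return (kept, quarantined, hits on aliases that were never handed out)."""
    kept, quarantined, unknown = [], [], Counter()
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        if not is_signup_bomb(msg):
            kept.append(msg)
            continue
        quarantined.append(msg)
        local = parseaddr(str(msg.get("To", "")))[1].split("@")[0].lower()
        if local not in KNOWN_ALIASES:
            unknown[local] += 1
    return kept, quarantined, unknown

if __name__ == "__main__":
    kept, quarantined, unknown = triage(SAMPLES)
    print(f"quarantined {len(quarantined)}; never-issued aliases hit: {dict(unknown)}")
    for m in kept:
        print("REVIEW:", m["Subject"])
```

Unlike a block-everything-from-Zendesk rule, this leaves the "Re: invoice question" reply in the review list, at the cost of missing any flood message that uses a different subject.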