If your email service supports Sieve scripts (for example, Fastmail or Proton Mail), you can use this filter [1] that I made. It's very aggressive and will block all emails that originate from Zendesk, so you'll need to disable it whenever you're actually expecting mail from Zendesk.
Zendesk’s mailserver reputation has got to be extremely poor by now. I think they will have trouble with deliverability after this is over. Got about 50 of these today and nearly all of them were categorized as spam before they made it to the inbox despite being nominally “legit”
Considering I get spam from large U.S. companies because they believed someone else when they used my email to sign up for something, I am inclined to agree with you. No matter how many times I click "mark as spam" in Gmail, it always gets delivered to my inbox.
Credit Karma is the biggest offender off the top of my head. For a company in the consumer datamining business, they sure aren't doing a good job.
Well, I got most of the Zendesk inbox-bombing emails into SPAM in Gmail.
All support[at]<company>.zendesk.com were flagged, none of them reached the Inbox.
Most of whatever[at]company.tld were flagged also. I think only Headspace and another that I don't remember got to my inbox. There were some automatic SPAM flags using custom domains that are more or less known: Tinder, Squarespace, TED, ...
So I guess currently their reputation is messed up.
They've been getting hammered by bad actors. Work in the email industry and its been bad for them. Hopefully they figure it out. Yesterday I got two phishing scams that were from a BS gmail saying they were in hiring at Unilever and Nestle.
Glad I'm not the only one. It seems to use {popular website without tld}@example.com as a pattern, so I'm getting a lot via my catch all address even if I haven't used the specific inbox yet.
For a company utterly dependent on email, Zendesk came across to me as very naive about email sending.
I did a Zendesk integration shortly after working on a general overhaul of our email at a previous company. The overhaul involved separating out our different types (transactional, marketing, support, etc), and then implementing best practices on deliverability for each of them. Not your day-one email setup, but we were still a small company.
The comparison to Zendesk's approach was astounding. Assuming you don't want to use a Zendesk address (we didn't, customers thought it was dodgy), the email setup they let you do was bad, and their support folks had no idea about any of the details. DKIM, SPF, etc, was all alien to them. Ironically they had pretty bad support in general.
I transitioned Zendesk from their original Exim-based ingress/egress SMTP services to Postfix and set up all the DKIM and SPF stuff long before there was ever a mail team. I worked regularly with large email providers to ensure our egress CIDR blocks were clean.
That's good to know you knew what you were doing! However the product also didn't appear to expose any of the control we needed to have a good email setup. Maybe this is because we weren't paying enough (mentioned in another reply), but we were also never directed to pay more despite asking for this sort of control.
That is true. There's a lot of magic that goes into parsing the emails. But end user configuration of the infrastructure of sending didn't really exist when I was there
Unfortunately, it's less a Zendesk thing and more of the end user deciding to turn off the security features to make it easier for their users to use. SPF/DKIM signing happens on all outbound mail I get from Zendesk. On the inbound email, SPF/DKIM/ARC verification is on by default but people keep turning it off. That's before weak spots like chat come in where the customers turn off captcha and just let any email get entered in.
Unfortunately, too many company admins keep saying "we don't want our customers to have to be configured correctly, we might miss a message from them" and disable all the built in protections. Hopefully the option to disable protections will go away soon.
Not necessarily, our support team kinda loved it. I used the interfaces and it was pretty good software in many ways. They just didn't seem to be very capable when it came to medium complexity email setups. Many of their setup guides literally tell you to log into support address Gmail and set up a forwarding rule to send everything to Zendesk.
I suspect the issue is that we weren't paying enough. We had maybe 10 seats. I bet if you're buying 1000 seats a bunch of Zendesk engineers turn up and configure everything for you, but with the robust email setup needing that engineering time on their side to configure... so I guess in that way it may be Enterprise shitware.
i received _a lot_ of these as well (~200 now). i'm noticing while all are from the zendesk platform using it as a relay similar to the previous waves, many of them are specifically customers of synack, as the emails are coming "via" the responsibledisclosure.com platform. not sure if there's any correlation there—i don't think they've been compromised, but they may be being used as a trampoline.
similar to others i had it hitting emails that "don't exist" (wildcard catchall), including the less tasteful ones mentioned here.
It seems to have started two weeks ago. A spammer realized that one can find a Zendesk‐based help forum, open a new ticket without an account, fill the ticket with spam URLs, and put an email address scraped from GitHub commit logs in the author email field. Zendesk would “helpfully” send the “author” the contents of the ticket, becoming in effect an open relay for spam emails. Two weeks ago is when the spammer started the attack in earnest: I received hundreds of these spam emails, typically one or two per Zendesk‐hosted help forum, sent to email addresses that I’ve only ever used on GitHub. It was discussed a bit on HN: https://news.ycombinator.com/item?id=46685768
Since then, Zendesk seems to have strengthened their system so that opening a ticket requires account activation first. Leading to today, when I’ve received thousands of signup attempt emails (again, typically one or two per Zendesk‐hosted forum). This is way more emails than I got last time. I hypothesize that the spammer is doing a “last gasp” attack: now that Zendesk has burned the exploit by no longer including the ticket text in the emails, the spammer is trying every Zendesk site it knows in hopes that some of them are slow to update and still forward the ticket text to the victim.
It's not for fun. They are hijacking a trusted server (Zendesk) to smuggle phishing links past my spam filter. Since Zendesk blocked the text relay, their bot is now just spamming signups as a side effect of the failed exploit.
I get similar ones from Zoom and other collaboration providers. Like folk make a meeting in Zoom and then can invite any email they know. Is that just me? Eventbrite, Meetup and Luma do similar.
Thank you for letting us know, got a bunch of those in the last two hours, like one each five minutes, but it seems they've stopped (at least for now).
They're being used to hit addresses of mine exposed to Discord and GitHub. Catch-all had the names of two people in the news, oddly, as well. Hint: 1,000 bottle delivery to an island.
I'm getting emails titled "Activate account for ...", and addressed to random names of web services at my domain (e.g. reddit@example.org). Also Twitch-related names like pog, kekw and xqc.
Also super annoying are crypto scams sent from an Italian ISP's (tiscali.it, shame on you) email service, even though I tried to contact the ISP, but that's unrelated to this.
Received 15+ in 10mins on a public email (dropbox, soundcloud, gitlab, tidelift etc). Then just started hitting handles on the domain ( diddy@, epstein@ ). Just placing an aggressive block for "Activate account" and "zendesk" in content for now
I've been getting some of these these to my wildcard domain - I've had sign-up messages sent to diddy@<domain> and epstein@<domain>, which is... odd. And no, I can't say I've ever used those addresses.
Huh. I thought this was targeted to me in particular, because it started coming up with new aliases at my Firefox Relay subdomain, and then only once I started blocking them it started using plus-addressing on my gmail. Annoying.
If your email service supports Sieve scripts (for example, Fastmail or Proton Mail), you can use this filter [1] that I made. It's very aggressive and will block all emails that originate from Zendesk, so you'll need to disable it whenever you're actually expecting mail from Zendesk.
[1]: https://gist.github.com/hampuskraft/780c8fbcc4042689153533ef...
For those on Fastmail, here's a link to get to that setting directly: https://app.fastmail.com/settings/filters/sieve
Who knows when they’re emailing a mailbox behind Zendesk?
Zendesk’s mailserver reputation has got to be extremely poor by now. I think they will have trouble with deliverability after this is over. Got about 50 of these today and nearly all of them were categorized as spam before they made it to the inbox despite being nominally “legit”
Unfortunately mail server reputation's based on how rich and important you are and not how much spam you send
Considering I get spam from large U.S. companies because they believed someone else when they used my email to sign up for something, I am inclined to agree with you. No matter how many times I click "mark as spam" in Gmail, it always gets delivered to my inbox.
Credit Karma is the biggest offender off the top of my head. For a company in the consumer datamining business, they sure aren't doing a good job.
You know them off the top of your head - because they reached you in your inbox - and other places.
It sounds like they’re crushing their goal, actually.
Two of the biggest spammers in the world are Salesforce and Hubspot. They should both be blacklisted yet most of their email goes into the inbox.
Well, I got most of the Zendesk inbox-bombing emails into SPAM in Gmail.
All support[at]<company>.zendesk.com were flagged, none of them reached the Inbox.
Most of whatever[at]company.tld were flagged also. I think only Headspace and another that I don't remember got to my inbox. There were some automatic SPAM flags using custom domains that are more or less known: Tinder, Squarespace, TED, ...
So I guess currently their reputation is messed up.
They've been getting hammered by bad actors. Work in the email industry and its been bad for them. Hopefully they figure it out. Yesterday I got two phishing scams that were from a BS gmail saying they were in hiring at Unilever and Nestle.
Glad I'm not the only one. It seems to use {popular website without tld}@example.com as a pattern, so I'm getting a lot via my catch all address even if I haven't used the specific inbox yet.
I'm seeing the same pattern, with the addition of diddy@ and epstein@, curiuosly
For a company utterly dependent on email, Zendesk came across to me as very naive about email sending.
I did a Zendesk integration shortly after working on a general overhaul of our email at a previous company. The overhaul involved separating out our different types (transactional, marketing, support, etc), and then implementing best practices on deliverability for each of them. Not your day-one email setup, but we were still a small company.
The comparison to Zendesk's approach was astounding. Assuming you don't want to use a Zendesk address (we didn't, customers thought it was dodgy), the email setup they let you do was bad, and their support folks had no idea about any of the details. DKIM, SPF, etc, was all alien to them. Ironically they had pretty bad support in general.
I worked at Zendesk on the email team. I think that's just support being support. The core engineers knew what they were doing.
I transitioned Zendesk from their original Exim-based ingress/egress SMTP services to Postfix and set up all the DKIM and SPF stuff long before there was ever a mail team. I worked regularly with large email providers to ensure our egress CIDR blocks were clean.
I like to think I knew what I was doing. :-)
That's good to know you knew what you were doing! However the product also didn't appear to expose any of the control we needed to have a good email setup. Maybe this is because we weren't paying enough (mentioned in another reply), but we were also never directed to pay more despite asking for this sort of control.
That is true. There's a lot of magic that goes into parsing the emails. But end user configuration of the infrastructure of sending didn't really exist when I was there
Unfortunately, it's less a Zendesk thing and more of the end user deciding to turn off the security features to make it easier for their users to use. SPF/DKIM signing happens on all outbound mail I get from Zendesk. On the inbound email, SPF/DKIM/ARC verification is on by default but people keep turning it off. That's before weak spots like chat come in where the customers turn off captcha and just let any email get entered in.
Unfortunately, too many company admins keep saying "we don't want our customers to have to be configured correctly, we might miss a message from them" and disable all the built in protections. Hopefully the option to disable protections will go away soon.
> DKIM, SPF, etc, was all alien to them. Ironically they had pretty bad support in general.
So basically good old fashioned "quality" enterprise shitware.
Not necessarily, our support team kinda loved it. I used the interfaces and it was pretty good software in many ways. They just didn't seem to be very capable when it came to medium complexity email setups. Many of their setup guides literally tell you to log into support address Gmail and set up a forwarding rule to send everything to Zendesk.
I suspect the issue is that we weren't paying enough. We had maybe 10 seats. I bet if you're buying 1000 seats a bunch of Zendesk engineers turn up and configure everything for you, but with the robust email setup needing that engineering time on their side to configure... so I guess in that way it may be Enterprise shitware.
i received _a lot_ of these as well (~200 now). i'm noticing while all are from the zendesk platform using it as a relay similar to the previous waves, many of them are specifically customers of synack, as the emails are coming "via" the responsibledisclosure.com platform. not sure if there's any correlation there—i don't think they've been compromised, but they may be being used as a trampoline.
similar to others i had it hitting emails that "don't exist" (wildcard catchall), including the less tasteful ones mentioned here.
I've got four emails, and I've no idea what’s going on. (I have a public email address on GitHub)
It seems to have started two weeks ago. A spammer realized that one can find a Zendesk‐based help forum, open a new ticket without an account, fill the ticket with spam URLs, and put an email address scraped from GitHub commit logs in the author email field. Zendesk would “helpfully” send the “author” the contents of the ticket, becoming in effect an open relay for spam emails. Two weeks ago is when the spammer started the attack in earnest: I received hundreds of these spam emails, typically one or two per Zendesk‐hosted help forum, sent to email addresses that I’ve only ever used on GitHub. It was discussed a bit on HN: https://news.ycombinator.com/item?id=46685768
Since then, Zendesk seems to have strengthened their system so that opening a ticket requires account activation first. Leading to today, when I’ve received thousands of signup attempt emails (again, typically one or two per Zendesk‐hosted forum). This is way more emails than I got last time. I hypothesize that the spammer is doing a “last gasp” attack: now that Zendesk has burned the exploit by no longer including the ticket text in the emails, the spammer is trying every Zendesk site it knows in hopes that some of them are slow to update and still forward the ticket text to the victim.
What would be the goal of all this? Just for the fun of it?
It's not for fun. They are hijacking a trusted server (Zendesk) to smuggle phishing links past my spam filter. Since Zendesk blocked the text relay, their bot is now just spamming signups as a side effect of the failed exploit.
[Ref](https://support.zendesk.com/hc/en-us/articles/8257723564186-...)
[Ref 2](https://darknetsearch.com/knowledge/news/en/zendesk-ticket-s...)
I get similar ones from Zoom and other collaboration providers. Like folk make a meeting in Zoom and then can invite any email they know. Is that just me? Eventbrite, Meetup and Luma do similar.
Zendesk has issued an official announcement about this.
https://support.zendesk.com/hc/en-us/articles/8257723564186-...
I'm not satisfied with it, tbh.
This announcement from December is completely unrelated.
> Thank you for your attention to this important matter.
You gotta be kidding me.
Thank you for letting us know, got a bunch of those in the last two hours, like one each five minutes, but it seems they've stopped (at least for now).
sounds like a sign up bomb for github addresses, these are typically used to hide new login notifications by threat actors
They're being used to hit addresses of mine exposed to Discord and GitHub. Catch-all had the names of two people in the news, oddly, as well. Hint: 1,000 bottle delivery to an island.
Those names are diddy and epstein, for those wondering.
Why do we have to tease out the names of convicted criminals?
More 'entertainment' than 'have to', parent named them correctly. Keeping the memes alive, not acting like they're Beetlejuice.
Why did my teaser provoke your comment? Rhetorical, by the way.
I am not sure what you mean. But I did receive many `epstein@` and `diddy@` catch-alls. As I type, they're starting up again.
I'm getting emails titled "Activate account for ...", and addressed to random names of web services at my domain (e.g. reddit@example.org). Also Twitch-related names like pog, kekw and xqc.
Also super annoying are crypto scams sent from an Italian ISP's (tiscali.it, shame on you) email service, even though I tried to contact the ISP, but that's unrelated to this.
Yep, same here, with those exact prefixes...
Yeah same here, specifically on my (public) GitHub email address
Same here, I removed my email address from Github and all other public pages
weirdly i have 10+ wild card domains and some very public emails (websites with nothing to prevent bots) yet i’ve not gotten even one?
I've also received about 40 messages, on mail adresses I've never used before.
I got about 50 of these this morning and thought it was a disgruntled HN user.
I got 201 activation emails in 98 minutes.
Received 15+ in 10mins on a public email (dropbox, soundcloud, gitlab, tidelift etc). Then just started hitting handles on the domain ( diddy@, epstein@ ). Just placing an aggressive block for "Activate account" and "zendesk" in content for now
I've been getting some of these these to my wildcard domain - I've had sign-up messages sent to diddy@<domain> and epstein@<domain>, which is... odd. And no, I can't say I've ever used those addresses.
I had several sent to these local parts as well.
Same. I've gotten over 30 I think.
Started getting these too just now
Huh. I thought this was targeted to me in particular, because it started coming up with new aliases at my Firefox Relay subdomain, and then only once I started blocking them it started using plus-addressing on my gmail. Annoying.
I just got 50 emails lol, this really sucks, phew glad i am not alone