TL;DR: if your SaaS app has any email-sending functionality, beware of spammers who will mass-register trial accounts and use it to send spam.
This happened about 6 months ago, when I received an abuse report claiming that our server was sending tons of spam and overloading the "okla.com" mail servers. Wait, what?!
It quoted the original email sent by our server, along with a kind invitation to investigate what had happened.
Our company sells a SaaS helpdesk app where anyone can register a trial account. And like any helpdesk app, it features tight email integration, which means it is capable of sending and receiving huge amounts of email.
This time the spammers abused the "forward a support ticket by email" option, which literally allows sending a message to as many people as you want. Furthermore, a user could edit the message so that it looked like a regular email rather than a formatted message from a SaaS app.
I located the trial accounts that were sending emails through this module and blocked them all. We also had to add some anti-spam logic and trial limitations.
Last month I received an alert that our server's CPU was maxing out. It turned out to be the SMTP service again. The spammers were back. I had to stop the mail queue and investigate further.
Our app can import an unlimited number of users from a CSV file, and send a "welcome email" to every user after importing. The email text is 100% editable by the account administrator. We're still fighting these guys... It looks like they are using a botnet/proxy network plus browser-automation scripts to register hundreds of trial accounts in the app...
This is one of those "getting big" problems. Five years ago I wouldn't even have thought about something like this. When you're a small company with a dozen customers, your app is not that "visible" on the Internet; no one would bother to research and discover its "undocumented" potential.
But as you get bigger, it's time to look at your app's security from a different angle. Carefully review what your trial users are allowed to do.
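As an added example (this is not the product's own code; the limit values, the log format, the account fields and every name below are assumptions made for illustration), here is what "trial limitations" for outbound mail can look like when every sending module (ticket forward, CSV-import welcome mail, ticket reply) is routed through one policy gate, plus the kind of log scan that finds the trial accounts already abusing a module so they can be blocked:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical trial-tier limits (illustrative numbers, not the product's real settings).
TRIAL_LIMITS = {
    "recipients_per_message": 5,     # kills "forward a ticket to as many people as you want"
    "messages_per_day": 50,          # caps a CSV-import welcome-mail flood
    "external_domains_per_day": 10,  # spam fans out across many recipient domains
}

def domain_of(address):
    """Lower-cased domain part of a bare email address, or None if it is malformed."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+\.[^@\s]+)", address.strip())
    return m.group(1).lower() if m else None

class TrialMailPolicy:
    """One gate for every outbound message so a trial account cannot become a bulk mailer."""

    def __init__(self, limits=TRIAL_LIMITS, window=timedelta(days=1)):
        self.limits = limits
        self.window = window
        self._history = defaultdict(list)  # account id -> [(sent_at, external_domains)]

    def _recent(self, account_id, now):
        cutoff = now - self.window
        self._history[account_id] = [(ts, d) for ts, d in self._history[account_id] if ts > cutoff]
        return self._history[account_id]

    def check(self, account, recipients, now):
        """Return (allowed, reason). `account` is a dict with id, is_trial, domain (assumed shape)."""
        domains = [domain_of(r) for r in recipients]
        if not recipients or None in domains:
            return False, "empty or malformed recipient list"
        if not account["is_trial"]:
            return True, "paid account, trial limits do not apply"
        if len(recipients) > self.limits["recipients_per_message"]:
            return False, "too many recipients for a trial account"
        recent = self._recent(account["id"], now)
        if len(recent) >= self.limits["messages_per_day"]:
            return False, "daily message quota exhausted"
        # Recipients outside the account's own domain are "external"; spam fans out across many.
        external = set(domains) - {account["domain"].lower()}
        seen_today = set().union(*(d for _, d in recent))
        if len(seen_today | external) > self.limits["external_domains_per_day"]:
            return False, "too many distinct external recipient domains today"
        return True, "ok"

    def record(self, account, recipients, now):
        """Call only after the message was actually handed to the MTA."""
        external = {domain_of(r) for r in recipients} - {account["domain"].lower()}
        self._history[account["id"]].append((now, external))

# Constructed sample of an outbound-mail log; the format is invented for this example.
SAMPLE_LOG = """\
2016-03-01T10:00:01 account=trial-8812 module=ticket_forward to=a@example.net,b@example.org,c@example.com
2016-03-01T10:00:02 account=trial-8812 module=ticket_forward to=d@example.com,e@example.com,f@example.com
2016-03-01T10:00:03 account=acme-paid module=ticket_reply to=support@acme.example
2016-03-01T10:00:04 account=trial-9021 module=csv_import_welcome to=u1@example.com,u2@example.com,u3@example.com,u4@example.com
2016-03-01T10:00:05 account=trial-0007 module=ticket_reply to=customer@example.com
"""
LOG_RE = re.compile(r"account=(\S+) module=(\S+) to=(\S+)")

def suspect_accounts(log_text, max_recipients=3):
    """Trial accounts whose recipient total in the log exceeds max_recipients, worst first."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(1).startswith("trial-"):
            totals[m.group(1)] += len(m.group(3).split(","))
    return sorted(((a, n) for a, n in totals.items() if n > max_recipients), key=lambda an: -an[1])

def demo():
    """Exercise the gate: [forward-to-12 on trial, same on paid, trial messages allowed in a spray]."""
    policy = TrialMailPolicy()
    now = datetime(2016, 3, 1, 10, 0, 0)
    trial = {"id": "trial-8812", "is_trial": True, "domain": "trialco.example"}
    paid = {"id": "acme-paid", "is_trial": False, "domain": "acme.example"}
    twelve = [f"u{i}@mail{i}.example" for i in range(12)]
    results = [policy.check(trial, twelve, now)[0], policy.check(paid, twelve, now)[0]]
    allowed = 0  # 3 recipients per message, 3 brand-new domains each time: the domain cap bites
    for i in range(20):
        rcpts = [f"x@d{i}-{k}.example" for k in range(3)]
        ok, _ = policy.check(trial, rcpts, now + timedelta(seconds=i))
        if ok:
            policy.record(trial, rcpts, now + timedelta(seconds=i))
            allowed += 1
    results.append(allowed)
    return results

if __name__ == "__main__":
    print(demo(), suspect_accounts(SAMPLE_LOG))
```

The point of the single gate is that the per-message recipient cap alone is not enough: a trial account that sends 3 recipients per message can still spray thousands of addresses, so the daily message quota and the cap on distinct external domains catch the fan-out pattern that a spammer produces and a real support desk does not. The log scan is the after-the-fact version of the same idea and is what you run when the abuse report arrives.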
by Alex. CEO, founder