Jan 5 2016 :: by Alex Yumashev

TL;DR: if your SaaS app has any kind of email-sending functionality in it, beware of spammers who will mass-register trial accounts and use that functionality to send spam.

Incident #1

This happened about 6 months ago, when I received an abuse report claiming that our server was sending tons of spam and overloading "okla.com" mail servers. Wait, what?!

It quoted the original email sent by our server, along with a kind invitation to investigate what had happened.

What happened?

Our company sells a helpdesk SaaS app in which anyone can register a trial account. And like any helpdesk app, it has tight email integration, which means it is capable of sending and receiving huge amounts of email.

This time the spammers abused the "forward a support ticket by email" feature, which allowed a message to be sent to as many recipients as the user wanted. Worse, the user could edit the message body so that it looked like a regular email rather than a templated notification from a SaaS app, which is exactly what makes spam look legitimate to the receiving mail server and to the reader.

I located the trial accounts that were sending emails through this module and blocked them all. We also had to add some anti-spam logic and trial limitations.

Incident #2

Last month I received an alert that our server's CPU was maxing out. Turns out it was the SMTP service again. The spammers were back. I had to stop the mail queue and investigate further.

What happened?

Our app can import an unlimited number of users from a CSV file and send a "welcome email" to every imported user. The email text is 100% editable by the account administrator, so a trial account that uploads a CSV of harvested addresses gets a mail-merge spam engine, with our server's reputation attached to every message. We're still fighting these guys... It looks like they are using some botnet/proxy network plus browser automation scripts to register hundreds of trial accounts in the app...
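Both incidents are the same bug seen twice: a trial account can make the server send an unbounded number of free-text emails. The fix is one outbound-mail budget that every sending feature consults before anything is queued for SMTP. The following is an added example in Python, not Jitbit's code; the caps, account names and CSV data are made up, and the "forward ticket" and "import users" functions stand in for the two features described above.

```python
"""Added example: one outbound-mail budget shared by the two abused features.

Both "forward ticket by email" (incident #1) and "welcome-mail every imported
CSV user" (incident #2) call TrialMailPolicy.check_send before anything is
queued for SMTP. Limits, account names and the CSV below are constructed.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    name: str
    is_trial: bool


def _normalize(recipients):
    """Lower-case, strip and de-duplicate addresses so quota math is stable."""
    return list(dict.fromkeys(r.strip().lower() for r in recipients if r.strip()))


@dataclass
class TrialMailPolicy:
    """Caps applied to trial accounts only; paid accounts are not throttled here."""
    max_recipients_per_message: int = 5    # the forward feature used to allow any number
    max_recipients_per_day: int = 20       # rolling 24h budget per trial account
    max_imported_users: int = 25           # the CSV import used to allow any number
    _log: dict = field(default_factory=dict)   # account name -> one timestamp per recipient

    def _used_today(self, account, now):
        cutoff = now - timedelta(days=1)
        recent = [t for t in self._log.get(account.name, []) if t > cutoff]
        self._log[account.name] = recent
        return len(recent)

    def check_send(self, account, recipients, custom_body, now):
        """Return (allowed, reason) for one outbound message."""
        if not account.is_trial:
            return True, "paid account"
        uniq = _normalize(recipients)
        if len(uniq) > self.max_recipients_per_message:
            return False, f"{len(uniq)} recipients > trial limit {self.max_recipients_per_message}"
        if custom_body:
            # Trials get the app's fixed template; free text is what made the spam look legitimate.
            return False, "trial accounts may only send the templated message body"
        used = self._used_today(account, now)
        if used + len(uniq) > self.max_recipients_per_day:
            return False, f"daily trial quota exhausted ({used}/{self.max_recipients_per_day} used)"
        return True, "ok"

    def record_send(self, account, recipients, now):
        self._log.setdefault(account.name, []).extend([now] * len(_normalize(recipients)))


def forward_ticket(policy, account, recipients, custom_body, now):
    """Incident #1 feature, now gated. Real code would queue to SMTP when allowed."""
    ok, reason = policy.check_send(account, recipients, custom_body, now)
    if ok:
        policy.record_send(account, recipients, now)
    return ok, reason


def import_users(policy, account, csv_text, custom_welcome, now):
    """Incident #2 feature, now gated. Returns (imported, welcomed, first_rejection)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if account.is_trial and len(rows) > policy.max_imported_users:
        return 0, 0, f"{len(rows)} rows > trial import limit {policy.max_imported_users}"
    welcomed, rejection = 0, None
    for row in rows:
        ok, reason = policy.check_send(account, [row["email"]], custom_welcome, now)
        if not ok:
            rejection = reason       # users are still imported; the mail simply stops
            break
        policy.record_send(account, [row["email"]], now)
        welcomed += 1
    return len(rows), welcomed, rejection


# Constructed sample data (not from the original post).
SAMPLE_CSV = "email,name\n" + "\n".join(f"user{i}@example.com,User {i}" for i in range(8))
BIG_CSV = "email,name\n" + "\n".join(f"victim{i}@example.net,V {i}" for i in range(30))


def demo():
    """Walk a trial account through the caps; returns every outcome for inspection."""
    policy = TrialMailPolicy()
    trial = Account("trial-1", is_trial=True)
    now = datetime(2016, 1, 5, 12, 0)
    out = {}
    out["blast"] = forward_ticket(policy, trial, [f"v{i}@example.net" for i in range(50)], False, now)
    out["free_text"] = forward_ticket(policy, trial, ["a@example.com"], True, now)
    out["normal"] = forward_ticket(policy, trial, ["a@example.com", "b@example.com"], False, now)
    out["big_import"] = import_users(policy, trial, BIG_CSV, False, now)
    out["import1"] = import_users(policy, trial, SAMPLE_CSV, False, now)
    out["import2"] = import_users(policy, trial, SAMPLE_CSV, False, now)
    out["import3"] = import_users(policy, trial, SAMPLE_CSV, False, now)
    out["next_day"] = forward_ticket(policy, trial, ["c@example.com"], False, now + timedelta(hours=25))
    out["paid"] = forward_ticket(policy, Account("paid-1", False), ["x@example.com"] * 100, True, now)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The point of routing both features through one policy object is that the budget is per account, not per feature: a spammer who is cut off on "forward ticket" does not get a fresh allowance by switching to CSV import. Counting recipients rather than messages is deliberate, since one message to fifty addresses is the abuse case.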


This is one of those "getting big" problems. Five years ago I wouldn't even have thought about something like that. When you're a small company with a dozen customers, your app is not that "visible" on the Internet, and no one bothers to research and discover its "undocumented" potential.

But as you get bigger, it's time to look at your app's security from a different angle. Carefully review what your trial users are allowed to do:

  • Can users send emails from your app?
  • Can users make your app send HTTP requests to URLs they choose?
  • Can they schedule events so things run autonomously in your app?
  • Do you have an API?
  • Does your API have quotas or trial limitations?
  • Protect your app from browser automation: limit the number of user accounts that can be created during the trial, etc.
  • Prepare a script that detects and deletes bot accounts.
  • Look for odd usage patterns, like 10,000 users but no user-generated content (UGC), or 1 user but tons of UGC, etc.
  • Perform regular blacklist checks for your servers and IPs.
  • Review your metrics often. If your trials go up by 500% overnight, it is probably not your genius marketing.
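The last four items in that list are cheap to automate. The following is an added example, not Jitbit's script: it scores constructed per-account metrics against the "odd usage patterns" named above (many users with no content, one user with huge content, mail volume out of proportion to content), adds a check for accounts sharing a signup IP, which is the trace a proxy network plus browser automation tends to leave, and flags a trial-signup spike against the previous week's median. All names, numbers and thresholds are made up; the IPs are from the RFC 5737 documentation ranges.

```python
"""Added example: bot-account heuristics for the checklist above, run over
constructed account metrics. Not the original post's code; thresholds and
sample data are invented, IPs are RFC 5737 documentation addresses.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AccountStats:
    name: str
    users: int         # users/agents in the account (a CSV import inflates this)
    tickets: int       # user-generated content: tickets opened
    comments: int      # user-generated content: replies written
    emails_sent: int   # outbound messages in the period
    signup_ip: str


def bot_signals(a, many_users=500, huge_ugc=1000, mail_ratio=50):
    """Return the odd-usage patterns an account matches (empty list = looks normal)."""
    ugc = a.tickets + a.comments
    signals = []
    if a.users >= many_users and ugc == 0:
        signals.append("many users, no content")                   # CSV-import welcome spam
    if a.users <= 1 and ugc >= huge_ugc:
        signals.append("single user, huge content")
    if a.emails_sent > mail_ratio * max(ugc, 1):
        signals.append("mail volume out of proportion to content")  # forward-ticket spam
    return signals


def flag_bot_accounts(accounts, ip_threshold=3):
    """Map account name -> signals for every account that matches anything.
    Accounts sharing a signup IP are flagged too, since one proxy exit
    registering several trials is what browser automation leaves behind."""
    flagged = {a.name: bot_signals(a) for a in accounts}
    ip_counts = Counter(a.signup_ip for a in accounts)
    for a in accounts:
        if ip_counts[a.signup_ip] >= ip_threshold:
            flagged[a.name].append(f"{ip_counts[a.signup_ip]} accounts from {a.signup_ip}")
    return {name: sig for name, sig in flagged.items() if sig}


def signup_spike(daily_signups, factor=5.0):
    """Compare the latest day with the median of the preceding days.
    Returns (is_spike, ratio); 'trials up 500% overnight' is ratio >= 5."""
    *history, today = daily_signups
    if not history:
        return False, 0.0
    baseline = max(median(history), 1)
    ratio = today / baseline
    return ratio >= factor, ratio


# Constructed sample data (not from the original post).
SAMPLE_ACCOUNTS = [
    AccountStats("acme-support", users=12, tickets=340, comments=900, emails_sent=1100, signup_ip="203.0.113.10"),
    AccountStats("solo-dev", users=1, tickets=2, comments=1, emails_sent=3, signup_ip="203.0.113.44"),
    AccountStats("import-bot-1", users=4000, tickets=0, comments=0, emails_sent=4000, signup_ip="198.51.100.7"),
    AccountStats("import-bot-2", users=3500, tickets=0, comments=0, emails_sent=3500, signup_ip="198.51.100.7"),
    AccountStats("forward-bot", users=1, tickets=3, comments=0, emails_sent=9000, signup_ip="198.51.100.7"),
    AccountStats("ticket-flood", users=1, tickets=5000, comments=0, emails_sent=10, signup_ip="192.0.2.9"),
]
SAMPLE_SIGNUPS = [12, 9, 14, 11, 10, 13, 12, 70]   # trial signups per day; last entry is "today"


if __name__ == "__main__":
    for name, signals in flag_bot_accounts(SAMPLE_ACCOUNTS).items():
        print(name, "->", "; ".join(signals))
    print("signup spike:", signup_spike(SAMPLE_SIGNUPS))
```

Run this from a nightly job and feed the flagged names into a review queue rather than deleting automatically on the first pass; a legitimate customer who bulk-imports their staff directory will trip "many users, no content" on day one, so the shared-IP and mail-volume signals are what separate them from a bot farm.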

'SaaS startups - Beware of Spammers!' was written by Alex Yumashev
Alex founded Jitbit in 2005 and is a software engineer passionate about customer support.
