SaaS systems are spammer targets

There are probably hundreds of thousands of really awesome SaaS products out there. They provide a framework to do all sorts of stuff that used to be really hard to do. Almost all of them include some email component. They dutifully build the email piece into their platform and, because they’re smart, they outsource the actual sending to one of the SMTP providers. They’re happy, their customers are happy, and spammers are happy.

SaaS providers focus on their core competency, which is their platform. Their focus is building a product that meets the needs of their customers. They’re not an email service provider, or so they think, and they don’t really pay much attention to email. They send mail by handing it off to their provider and assume all will be well with delivery because their customers are small businesses that don’t send lots of mail and aren’t spammers.

The problem is, spammers have recognized that these SaaS companies are a way to access high-powered sending infrastructure that has banned them from sending directly. Many of these bad guys take advantage of freemium models and simply send low volumes of email through multiple accounts. Because they’re hiding in the middle of real customers, they can often go undetected for months or years.

Eventually, though, someone notices and the SaaS provider experiences a blocklisting or other delivery problem. At that point, there’s a scramble to figure out why delivery is horrible, why they’re listed on Spamhaus, or why their provider is sending them compliance notices. Often, responding to these problems can take months and require some business processes to be rethought from the ground up.

There’s no easy fix for this problem. But just as SaaS providers need to think about application and data security, they also need to think about email security. How can they detect spammers and prevent them from abusing their system and hurting them and their customers?
