sodiboo 
ugh. someone is signing up to like dozens of random accounts with my email address
Feb 4 at 8:00pmWeb
Show threadsodiboo Feb 4
yeah so I thought this was targeted and was secretive at first but turns out nope it's super widespread.

these are all from Zendesk and I'm pretty sure you can filter them all with these rules here are some more complete rules. they adapted to a more difficult-to-filter spam vector. see replies
Show threadsodiboo Feb 4
as far as i can tell based on various folks one talked to and also just my own inbox, this adversary is perhaps scraping emails from git? But I've also received a bunch of emails to addresses that I've never used for git (but I believe all of the non-git ones I used were given out to Zendesk customers), and even to non-existent addresses I've never used for anything. So, I'm not sure what's up with that.

I asked my mom and dad. They don't use git. They haven't received any spam. Unsure about the correlation between those two statements.
Show threadsodiboo Feb 4
It also appears to have maybe stopped between 30-60 minutes ago? It was >1 email per minute before that and then nothing. Maybe Zendesk turned off their email system for now?
Show threadsodiboo Feb 4
apparently Zendesk got a new chief operating officer yesterday?

Zendesk names Craig Flower COO to drive AI first shift

so maybe someone is retaliating, on account of the AI, and trying to get Zendesk emails flagged as spam? that's a hypothesis. no evidence to back this up.
Show threadsodiboo Feb 4
about an hour after they initially stopped, I received one (1) more spam signup. this time, Fastmail marked it with a spam score of 10.1, compared to most previous ones being around 0.0. this is enough to pop a big scary warning. so, I guess if they're trying to get Zendesk marked as spam, it's working
Show threadsodiboo Feb 4
about half an hour ago I received another batch of spam signups, this time plus-adressed to my git committer identity. okay, sure, cool, thanks I guess.
Show threadsodiboo Feb 5
it seems the filter i posted 3 hours ago has successfully been catching every single spam signup email. so, that's nice.
Show threadsodiboo Feb 5
yeah this definitely never stopped there was just a pause. I just checked and I've received about 100 new mails overnight. all of them were caught by my filter though, so I got no notifications. fuck yeah love email filtering
Show threadsodiboo Feb 5
almost all of the ones I got overnight have a spam score of >2.0 on Fastmail. I have no idea what the implications of this score is, but it's definitely higher than the 0.0 that almost every email had when it began. so again, of the adversary is trying to tank Zendesk's email reputation, it's working. amazed that Zendesk has not disabled account signups or something. I get that it's been less than half a day so for all I know their employees were all asleep but seriously? it feels like something should've been done by now.
Show threadsodiboo Feb 6
https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-floods-users-with-activate-account-emails/
Zendesk spam wave returns, floods users with 'Activate account' emails

A fresh wave of spam is hitting inboxes worldwide, with users reporting that they are once again being bombarded by automated emails generated through companies' unsecured Zendesk support systems. Some recipients say they are receiving hundreds of messages with strange or alarming subject lines. such as 'Activate account...'

BleepingComputer
Show threadsodiboo Feb 6
https://news.ycombinator.com/item?id=46890418
Tell HN: Another round of Zendesk email spam | Hacker News

Show threadsodiboo Feb 8
It seems the spammer has moved onto creating support tickets. Notably, FACEIT has even sent me a follow-up email explaining what happened:




Hello there,

We understand you may have received an unexpected email from our customer support system confirming that a ticket has been created in your name.

Please rest assured that this was not caused by a breach of our systems.

This was triggered by a spammer using your email address to raise a ticket on our support system, and you received our automated response email confirming receipt of your ticket.

What you should know:

-You can safely ignore or delete the email.
-The email is not a sign that your email account was hacked.
-If you are an existing user, your personal data is still securely stored by us.
-The automated email you received was triggered by an external submission, not by any activity within your account.
-If you are not a user and have no relationship with us, you can safely ignore this message - no further emails should follow.
-We always verify your identity before taking any action on support tickets.

We understand this may have caused confusion or concerns, and we sincerely apologise for the inconvenience.

We are currently reviewing the configuration on our contact form and will be implementing additional measures to prevent this type of misuse in the future.

Thank you for your understanding.

FACEIT Support
Show threadsodiboo Feb 8
These are not signup attempts. So, they bypassed my filter. My git email inbox is now full again.

This seems to be happening just in the last 4 hours?
Show threadsodiboo Feb 8
Okay, so, first of all, I noticed there's a third kind of signup email. "Suspend Verify". Not sure what that's about. Here's a slightly better email filter for the signup spam
Show threadsodiboo Feb 8
But for all the support tickets? I genuinely couldn't find a way to select just those. So, here's an email filter that catches all emails from Zendesk that are auto-generated.

⚠️ You'll probably want to combine this with some other filter, because this on its own catches legitimate Zendesk mail. ⚠️

Notably, "An agent has responded to your ticket" counts as auto-generated, even though that mail literally represents a human action. They have headers that look identical to the initial ticket creation email.

Personally, I'm not receiving this spam to any addresses that were genuinely used for Zendesk support. So, I can trivially filter by the recipient (my) address, and not allow any addresses except the ones I'm excepting Zendesk mail on. And on the ones I do expect Zendesk mail, I'm not making them as "spam" such that they won't auto-delete; but I'm still moving them out of my inbox so I don't get notifications.
Show threadsodiboo Feb 8
If you wanted to be the most "erm, actually" about this, you could probably try to filter for X-Zendesk-From-Account-Id. I suppose this identifies which Zendesk user account the email relates to. If you have an allow-list of this header's values, you can safely black-hole all other Zendesk Mail.
Show threadStarlight ✨Feb 5
@sodiboo Me too! And I love Sieve, it's amazing. I wish more email hosts supported it (with extensions).
Show threadROllerozxaFeb 4

@sodiboo

> AI is fundamentally reshaping the future of customer service, demanding that all those serious about success operate with radical shifts in speed and efficiency

Do you feel reshaped yet sodi? You better be, that spam was hand picked to you by an AI system with radical speed and efficiency.

Show threadterms of service Feb 4
@sodiboo it recommends using search engine of choice and just looking up said email in quotes, might give a clue to the source (git platform or not)
Show threadsodiboo Feb 4
@thermia zero results for anything other than my git committer identity
Show threaddgwFeb 4

@sodiboo @thermia Got a few using my GitHub committer email, and a few others using previously leaked emails at breached web services.

Most of mine were sent to nonexistent addresses referencing Epstein and Diddy. Guess they figured out I have a catch-all. 😑

Show threadsodiboo Feb 4
@dgw @thermia I got just one for epstein and one for diddy 😔

RE: https://gaysex.cloud/notes/aic4fuhxddjx06p2
Show threaddgwFeb 4
@sodiboo @thermia This has major script-kiddy energy. Like grow up, dude, whoever you are. 😩
Show threadberdarioFeb 4
@sodiboo last one I got was 19 minutes ago, so I don't think it's necessarily over yet.
Show threadpiegamesFeb 4
@sodiboo all mails I got so far were to unused addresses on my catchall domain. Mostly stuff like reddit@ or discord@, but also epstein@ and diddy@, kekw@ and true@. Not all seem to he Zendesk, vut many, haven't looked into it further yet
Show threadsodiboo Feb 5
@piegames A lot of Zendesk customers have custom domains, so it won't say zendesk.com. But you can still identify them by the header X-Mailer: Zendesk Mailer and X-Zendesk-Priority-Mail identifying the kind of email.

But wait, yeah! I recognize all of those email aliases. I received to the exact same email addresses under the catch-all domain that I use for my git committer identity! I also got pog@, twitch@, slack@, discord@, xqc@.

Is that maybe the common denominator? Did everyone's email addresses get scraped from git and assumed to be catchalls?
Show threadRTG-powered VelFeb 5
@sodiboo i have not received any spam to my [email protected] address, or any address in fact
Show threadROllerozxaFeb 4
@sodiboo that's crazy...
Show threadchaos ΘΔ& (it/he)Feb 5
@sodiboo can you export that rule for us?
i haven't gotten an of these yet but i have only gotten like 2 genuine spam emails in the past 4 years so im probably not on any lists yet
Show threadsodiboo Feb 5

@chaos sure. here's the exported rule in the JSON format that Fastmail gives me.

{ "redirectTo": null, "conditions": null, "fileIn": null, "search": "header:\"X-Zendesk-Priority-Mail=Verification Email\" OR header:\"X-Zendesk-Priority-Mail=Signup Attempt\"", "updated": "2026-02-04T21:09:49Z", "created": "2026-02-04T21:07:51Z", "showNotification": false, "name": "Zendesk signup spam", "combinator": "any", "snoozeUntil": null, "skipInbox": false, "markRead": false, "markSpam": true, "previousFileInName": null, "discard": false, "markFlagged": false, "stop": true }
not sure this is what was wanted? it doesn't feel very portable. either way, the image (or the alt text) should be sufficient to input an equivalent rule into any mail filtering interface.

Show threadchaos ΘΔ& (it/he)Feb 5
@sodiboo it's a json-encoded version of a sieve rule so its reasonably portable
we use fastmail so we can just add it as is, but moving to self hosted mail eventually
Show thread🌸 lily 🏳️‍⚧️   θΔ ⋐ & ∞Feb 4
@sodiboo this happened to me
i just unsubscribed and it went away
Show threadsodiboo Feb 4
@tauon unsubscribed from what?
Show thread🌸 lily 🏳️‍⚧️   θΔ ⋐ & ∞Feb 4
@sodiboo all the mailing lists
i think it's an unrelated but similar thing actually
Show threadsodiboo Feb 4
@tauon no. I'm not being added to mailing lists. they are actively going to like several new websites and trying to sign up for an account. so my inbox is filled with "Welcome to so-and-so! Please verify your email. If you didn't sign up for this service, you can safely ignore this email".
Show threadAlice Feb 4
@sodiboo same

so it's not just me, ok
Show threadsodiboo Feb 4
@alice you too????
Show threadthe thing Feb 4
@sodiboo that's why i personally use e-mail aliases everywhere. they all come into my main inbox, but no one knows the original inbox.
Show threadsodiboo Feb 4
@thing I do use email aliases kinda sorta but uh they're all predictable wildcard.

and this adversary seems to know that, inventing new email addresses that I've never given out, with identifiers like pog and kekw. they're laughing at me through the email address. lmao.
Show threadthe thing Feb 4
@sodiboo
randomise the alias names, (as im the user part of email address) and keep what they correspond to somewhere safe :)
Show threadsodiboo Feb 4
@thing yeah. I am now using an email provider which makes this trivial so that's my intent for the future. but historically, I haven't been doing that :)
Show threadTired Bunny  Feb 4
@sodiboo @thing

This is why I am grateful for systemli having completely randomized alias handles instead of wildcardy ones.
Show threadvalkyrie_pilotFeb 4
@sodiboo yeah i'm getting this too, where on earth would this come from
Show threadsodiboo Feb 4
@valk wait what, you're being targeted with the same thing at the same time?
Show threadROllerozxaFeb 4
@sodiboo how targeted is it? there used to be a period where I would get signed up to various gay or furry forums with my email address and some offensive name they had put in. but that was a long time ago.
Show threadROllerozxaFeb 4
@sodiboo (it's also probably the kind of thing one shouldn't mention publicly because then someone else will get the brilliant idea to do the exact same. but oh well, too late.)
Show threadAliceFeb 4
@sodiboo wow whack someone i know is having this happen to them also today