ugh. someone is signing up to like dozens of random accounts with my email address
yeah so I thought this was targeted and was secretive at first but turns out nope it's super widespread.

these are all from Zendesk and I'm pretty sure you can filter them all with these rules. here are some more complete rules. they adapted to a more difficult-to-filter spam vector. see replies
as far as i can tell based on various folks I've talked to and also just my own inbox, this adversary is perhaps scraping emails from git? But I've also received a bunch of emails to addresses that I've never used for git (but I believe all of the non-git ones I used were given out to Zendesk customers), and even to non-existent addresses I've never used for anything. So, I'm not sure what's up with that.

I asked my mom and dad. They don't use git. They haven't received any spam. Unsure about the correlation between those two statements.
It also appears to have maybe stopped between 30-60 minutes ago? It was >1 email per minute before that and then nothing. Maybe Zendesk turned off their email system for now?
apparently Zendesk got a new chief operating officer yesterday?

Zendesk names Craig Flower COO to drive AI first shift

so maybe someone is retaliating, on account of the AI, and trying to get Zendesk emails flagged as spam? that's a hypothesis. no evidence to back this up.
about an hour after they initially stopped, I received one (1) more spam signup. this time, Fastmail marked it with a spam score of 10.1, compared to most previous ones being around 0.0. this is enough to pop a big scary warning. so, I guess if they're trying to get Zendesk marked as spam, it's working
about half an hour ago I received another batch of spam signups, this time plus-addressed to my git committer identity. okay, sure, cool, thanks I guess.
it seems the filter i posted 3 hours ago has successfully been catching every single spam signup email. so, that's nice.
yeah this definitely never stopped there was just a pause. I just checked and I've received about 100 new mails overnight. all of them were caught by my filter though, so I got no notifications. fuck yeah love email filtering
almost all of the ones I got overnight have a spam score of >2.0 on Fastmail. I have no idea what the implications of this score are, but it's definitely higher than the 0.0 that almost every email had when it began. so again, if the adversary is trying to tank Zendesk's email reputation, it's working. amazed that Zendesk has not disabled account signups or something. I get that it's been less than half a day so for all I know their employees were all asleep but seriously? it feels like something should've been done by now.
Zendesk spam wave returns, floods users with 'Activate account' emails

A fresh wave of spam is hitting inboxes worldwide, with users reporting that they are once again being bombarded by automated emails generated through companies' unsecured Zendesk support systems. Some recipients say they are receiving hundreds of messages with strange or alarming subject lines, such as 'Activate account...'

BleepingComputer
Tell HN: Another round of Zendesk email spam | Hacker News

It seems the spammer has moved onto creating support tickets. Notably, FACEIT has even sent me a follow-up email explaining what happened:




Hello there,

We understand you may have received an unexpected email from our customer support system confirming that a ticket has been created in your name.

Please rest assured that this was not caused by a breach of our systems.

This was triggered by a spammer using your email address to raise a ticket on our support system, and you received our automated response email confirming receipt of your ticket.

What you should know:

-You can safely ignore or delete the email.
-The email is not a sign that your email account was hacked.
-If you are an existing user, your personal data is still securely stored by us.
-The automated email you received was triggered by an external submission, not by any activity within your account.
-If you are not a user and have no relationship with us, you can safely ignore this message - no further emails should follow.
-We always verify your identity before taking any action on support tickets.

We understand this may have caused confusion or concerns, and we sincerely apologise for the inconvenience.

We are currently reviewing the configuration on our contact form and will be implementing additional measures to prevent this type of misuse in the future.

Thank you for your understanding.

FACEIT Support
These are not signup attempts. So, they bypassed my filter. My git email inbox is now full again.

This seems to be happening just in the last 4 hours?
Okay, so, first of all, I noticed there's a third kind of signup email. "Suspend Verify". Not sure what that's about. Here's a slightly better email filter for the signup spam
But for all the support tickets? I genuinely couldn't find a way to select just those. So, here's an email filter that catches all emails from Zendesk that are auto-generated.

⚠️ You'll probably want to combine this with some other filter, because this on its own catches legitimate Zendesk mail. ⚠️

Notably, "An agent has responded to your ticket" counts as auto-generated, even though that mail literally represents a human action. They have headers that look identical to the initial ticket creation email.

Personally, I'm not receiving this spam to any addresses that were genuinely used for Zendesk support. So, I can trivially filter by the recipient (my) address, and not allow any addresses except the ones I'm expecting Zendesk mail on. And on the ones I do expect Zendesk mail, I'm not marking them as "spam" such that they won't auto-delete; but I'm still moving them out of my inbox so I don't get notifications.
If you wanted to be the most "erm, actually" about this, you could probably try to filter for X-Zendesk-From-Account-Id. I suppose this identifies which Zendesk user account the email relates to. If you have an allow-list of this header's values, you can safely black-hole all other Zendesk Mail.
@sodiboo Me too! And I love Sieve, it's amazing. I wish more email hosts supported it (with extensions).

@sodiboo

> AI is fundamentally reshaping the future of customer service, demanding that all those serious about success operate with radical shifts in speed and efficiency

Do you feel reshaped yet sodi? You better be, that spam was hand picked to you by an AI system with radical speed and efficiency.

@sodiboo it recommends using search engine of choice and just looking up said email in quotes, might give a clue to the source (git platform or not)
@thermia zero results for anything other than my git committer identity

@sodiboo @thermia Got a few using my GitHub committer email, and a few others using previously leaked emails at breached web services.

Most of mine were sent to nonexistent addresses referencing Epstein and Diddy. Guess they figured out I have a catch-all. 😑

@dgw @thermia I got just one for epstein and one for diddy 😔

RE: https://gaysex.cloud/notes/aic4fuhxddjx06p2
@sodiboo @thermia This has major script-kiddy energy. Like grow up, dude, whoever you are. 😩
@sodiboo last one I got was 19 minutes ago, so I don't think it's necessarily over yet.
@sodiboo all mails I got so far were to unused addresses on my catchall domain. Mostly stuff like reddit@ or discord@, but also epstein@ and diddy@, kekw@ and true@. Not all seem to be Zendesk, but many, haven't looked into it further yet
@piegames A lot of Zendesk customers have custom domains, so it won't say zendesk.com. But you can still identify them by the header X-Mailer: Zendesk Mailer and X-Zendesk-Priority-Mail identifying the kind of email.

But wait, yeah! I recognize all of those email aliases. I received to the exact same email addresses under the catch-all domain that I use for my git committer identity! I also got pog@, twitch@, slack@, discord@, xqc@.

Is that maybe the common denominator? Did everyone's email addresses get scraped from git and assumed to be catchalls?
@sodiboo i have not received any spam to my [email protected] address, or any address in fact
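
The filtering approach discussed in the thread (identify Zendesk mail by its `X-Mailer: Zendesk Mailer` header rather than the sender domain, then allow it only for expected recipient addresses or allow-listed `X-Zendesk-From-Account-Id` values), as an added example that is not part of any post above. The allow-list entries, sample addresses, folder names and the account ID placeholder are assumptions; the thread does not show real header values.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed local policy values (hypothetical, not taken from the thread).
EXPECTED_RECIPIENTS = {"helpdesk-alias@example.org"}  # aliases actually given to Zendesk customers
ALLOWED_ACCOUNT_IDS = {"ACCOUNT-ID-PLACEHOLDER"}      # real value format is not shown in the thread

def is_zendesk(msg):
    """Customers use custom sender domains, so key on X-Mailer, not on From."""
    return msg.get("X-Mailer", "").strip().lower() == "zendesk mailer"

def recipients(msg):
    """Lowercased To/Cc addresses (a server-side filter would prefer the envelope recipient)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def triage(raw):
    """Return 'inbox', 'support' (kept, but out of the inbox) or 'junk'."""
    msg = message_from_string(raw)
    if not is_zendesk(msg):
        return "inbox"                      # not Zendesk-generated: leave alone
    account = msg.get("X-Zendesk-From-Account-Id", "").strip()
    if account in ALLOWED_ACCOUNT_IDS:
        return "support"                    # known Zendesk account: keep
    if recipients(msg) & EXPECTED_RECIPIENTS:
        return "support"                    # alias where Zendesk mail is expected
    return "junk"                           # Zendesk mail to scraped or catch-all addresses

def make(to, mailer=None, account=None):
    """Build a constructed sample message for the demonstration."""
    lines = ["From: Support <support@shop.example>", f"To: {to}",
             "Subject: Activate account"]
    if mailer:
        lines.append(f"X-Mailer: {mailer}")
    if account:
        lines.append(f"X-Zendesk-From-Account-Id: {account}")
    return "\n".join(lines) + "\n\nbody\n"

# Constructed samples: catch-all spam, an expected alias, an allow-listed account, ordinary mail.
SAMPLES = {
    "catchall_spam": make("reddit@catchall.example", "Zendesk Mailer"),
    "expected_alias": make("Me <Helpdesk-Alias@example.org>", "Zendesk Mailer"),
    "known_account": make("reddit@catchall.example", "Zendesk Mailer", "ACCOUNT-ID-PLACEHOLDER"),
    "ordinary_mail": make("reddit@catchall.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {triage(raw)}")
```
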