Don't verify email addresses by sending spam to them
6 hours ago
- #spam
- #email validation
- #API abuse
- A Pangram sign-up form sends a POST request to validate an email address, and that request triggers a spam email to the provided address.
- The spam email comes from various rotated sender domains and includes a base64-encoded HTML body, indicating a spam campaign.
- Unlike typical spammers, the senders retry from different servers when a message is rejected, persisting in delivery attempts even though some IPs are blacklisted.
- This method of email validation is ineffective because it either delivers spam to valid addresses or fails if spam filters reject it.
- The author speculates that this may involve a flawed SaaS email validation service or a misbehaving LLM agent, while actual transactional emails from Pangram use Mailgun.