Email Bombs Exploit Lax Authentication in Zendesk
2 days ago
- #Zendesk
- #cybersecurity
- #email-spam
- Cybercriminals are exploiting the lack of authentication in Zendesk to send threatening emails that appear to come from multiple corporate customers.
- Zendesk is a customer service platform that allows anonymous support requests, which is being abused for spam.
- Abusive messages can include any subject line, such as fake law enforcement investigations or personal insults.
- Messages appear to come from the customers' own domains, not from Zendesk itself.
- Zendesk acknowledges the issue but states some customers prefer anonymous ticket submissions for business reasons.
- Anonymous submissions let spammers file requests under any email address, so the resulting ticket notifications reach that address as mass spam.
- Zendesk has rate limits, but they failed to prevent a flood of messages in a short time.
- Zendesk recommends customers enable authenticated workflows to prevent abuse.
- Criticism: Anonymous submissions should be disabled by default or removed entirely to prevent misuse.