A large part of running a SaaS is spotting and blocking attempts to either hack your server or use your server as a spam vector.
The methods the bad guys try are surprising.
Here’s an attack I encountered in the last few days:
- Bad Person (hereafter known as BP) creates an account on my SaaS app.
- BP sets their display name on my SaaS app to “Great bargains at bargainsgalore.com”
- BP uses our “invite your team” feature to invite one person, called Spam Victim (SV). This causes my SaaS to send an invite to SV. Normally it would read “Hi, Jo Smith has invited you to join their Feature Upvote account.” In this case it reads “Hi, Great bargains at bargainsgalore.com has invited you to join their Feature Upvote account”.
- BP deletes the invited user
- BP waits a few seconds
- BP goes to step 3
I’m guessing that BP expects some email clients to linkify the email, even though my SaaS is careful to escape the user-contributed content.
Steps 3 to 6 were clearly automated as they were repeated at the rate of 10 emails/minute. I detected this after 1,000 emails had been systematically sent.
I then deleted the account. Two days later, the same thing happened but with a slower rate of about 6 emails/minute.
I’ve now added some mitigation for this. I won’t say exactly what I did (in case BP and their ilk are reading!), but here are some possible approaches I considered:
- Change the invite email to not include any user-contributed content
- Add reCAPTCHA
- Throttle or block by IP address
- Stop trial accounts from sending invites
- Blacklist domains known to be used in this attack
- Limit trial accounts to triggering a very small number of emails
What annoys me about this is the time and energy spent fighting this issue is time and energy no longer available for product development or marketing.
Our forum software indicates something similar has been discussed before: SaaS trial abuse from botnets/spammers. It includes this wisdom:
It’s important to strike a good balance between making the life of spammers difficult with keeping the real users from being annoyed by false positives.
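As an added illustration (not code from the post or from Feature Upvote), here is one way to implement two of the approaches listed above, a per-account cap on invite emails that is much lower for trial accounts, together with a review routine that flags the invite/delete loop and advertisement-style display names. Everything here is assumed: the event format (dicts with `ts`, `account`, `action`, `trial`, `display_name`), the thresholds, and the sample events, which are constructed to mimic the roughly 10 emails/minute loop described above.

```python
"""Added example: throttle invite emails per account and flag invite/delete churn.

Assumptions (not from the original post): events are dicts with keys
'ts' (seconds), 'account', 'action' ('invite' or 'delete_invite'),
'trial' (bool) and 'display_name'. Limits below are illustrative only.
"""
import re
from collections import defaultdict, deque

# Illustrative limits; a real deployment would tune these to its own traffic.
TRIAL_INVITES_PER_HOUR = 5
PAID_INVITES_PER_HOUR = 100
WINDOW_SECONDS = 3600

# Display names carrying a URL or bare domain, e.g. "... bargainsgalore.com".
DOMAIN_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|io|co)\b", re.I)


def looks_like_ad(display_name: str) -> bool:
    """True when a display name contains a domain or URL."""
    return bool(DOMAIN_RE.search(display_name))


class InviteGuard:
    """Sliding-window limit on invite emails, keyed by account."""

    def __init__(self):
        self._sent = defaultdict(deque)  # account -> timestamps of recent invites

    def allow_invite(self, account: str, ts: float, trial: bool) -> bool:
        limit = TRIAL_INVITES_PER_HOUR if trial else PAID_INVITES_PER_HOUR
        q = self._sent[account]
        while q and ts - q[0] >= WINDOW_SECONDS:  # drop entries outside the window
            q.popleft()
        if len(q) >= limit:
            return False  # would exceed the cap: do not send the email
        q.append(ts)
        return True


def churn_score(events, account: str) -> int:
    """Count invite -> delete_invite pairs for one account; a high count
    indicates the automated invite/delete loop rather than real team setup."""
    pending = pairs = 0
    for e in events:
        if e["account"] != account:
            continue
        if e["action"] == "invite":
            pending += 1
        elif e["action"] == "delete_invite" and pending:
            pending -= 1
            pairs += 1
    return pairs


def review_account(events, account: str) -> dict:
    """Replay an account's events through the guard and summarise the flags."""
    guard = InviteGuard()
    acct_events = [e for e in events if e["account"] == account]
    blocked = 0
    for e in acct_events:
        if e["action"] == "invite" and not guard.allow_invite(account, e["ts"], e["trial"]):
            blocked += 1
    name = acct_events[0]["display_name"] if acct_events else ""
    return {
        "ad_like_name": looks_like_ad(name),
        "churn_pairs": churn_score(events, account),
        "blocked_invites": blocked,
    }


# Constructed sample: a trial account looping invite/delete every 6 seconds
# (about 10 per minute) and a normal account inviting two colleagues.
SAMPLE_EVENTS = []
for i in range(12):
    SAMPLE_EVENTS.append({"ts": 6 * i, "account": "bp", "action": "invite",
                          "trial": True, "display_name": "Great bargains at bargainsgalore.com"})
    SAMPLE_EVENTS.append({"ts": 6 * i + 3, "account": "bp", "action": "delete_invite",
                          "trial": True, "display_name": "Great bargains at bargainsgalore.com"})
for i in range(2):
    SAMPLE_EVENTS.append({"ts": 100 * i, "account": "jo", "action": "invite",
                          "trial": False, "display_name": "Jo Smith"})

if __name__ == "__main__":
    print(review_account(SAMPLE_EVENTS, "bp"))
    print(review_account(SAMPLE_EVENTS, "jo"))
```

With these settings the looping trial account gets its first five invites through and the remaining seven blocked, and both its churn count and domain-bearing display name are flagged, while the ordinary account passes untouched. Keeping the trial cap low but non-zero is the balance the quoted forum advice is pointing at: a genuine trial user inviting a handful of colleagues never notices it.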