How my SaaS was used by a spammer

SteveMcLeod · May 19, 2019, 3:25pm

A large part of running a SaaS is spotting and blocking attempts to either hack your server or use your server as a spam vector.

The methods the bad guys try are surprising.

Here’s an attack I encountered in the last few days:

Bad Person (hereafter known as BP) creates an account on my SaaS app.
BP sets their display name on my SaaS app to “Great bargains at bargainsgalore.com”
BP uses our “invite your team” feature to invite one person, called Spam Victim (SV). This causes my SaaS to send an invite to SV. Normally it would read “Hi, Jo Smith has invited your to join their Feature Upvote account.” In this case it reads “Hi, Great bargains at bargainsgalore.com has invited to join their Feature Upvote account”.
BP deletes invited user
BP waits a few seconds
BP goes to step 3

I’m guessing that BP expects some email clients to linkify the email, even though my SaaS is careful to escape the user-contributed content.

Steps 3 to 6 were clearly automated as they were repeated at the rate of 10 emails/minute. I detected this after 1,000 emails had been systematically sent.

I then deleted the account. Two days later, the same thing happened but wth a slower rate of about 6 emails/minute.

I’ve now added some mitigation for this. I won’t say exactly what I did (in case BP and their ilk are reading!), but here’s some possible approaches I considered:

Change the invite email to not include any user-contributed content
Add reCAPTCHA
Throttle or block by IP address
Stop trial accounts from sending invites
Blacklist domains known to be used in this attack
Limit trial accounts to triggering a very small number of emails

What annoys me about this is the time and energy spent fighting this issue is time and energy no longer available for product development or marketing.

Our forum software indicates something similar has been discussed before: SaaS trial abuse from botnets/spammers. It includes this wisdom:

It’s important to strike a good balance between making the life of spammers difficult with keeping the real users from being annoyed by false positives.

marya · May 20, 2019, 1:25am

Thanks for the informative post!

I haven’t experienced an issue quite like this yet, but I’ve definitely had to deal with “abuse” issues on my website. And yeah, it is so frustrating to spend time on crap like this, rather than spending it on, well, basically anything else. You have my sympathy!

Andy · May 20, 2019, 4:26pm

Desktop software does have some advantages. ;0)

–
Andy Brice
https://www.hyperplan.com

syneryder · May 20, 2019, 7:07pm

I’ve been seeing that on another SaaS that I (used to be) a customer of. They sent an email when someone liked your post, so naturally you’d click on the user profile to see who was interested in what you’d written… only to discover it was a spam account who had added spam text to their user profile. They were obviously free accounts, so preventing free/trial accounts from liking or sending email would probably help to prevent it… at least until the spammers start hijacking accounts…

I get dozens of spam attempts every day through my website (even to advertise the comment spam bots they’re using), and I can say that Google’s reCAPTCHA is useless, there is already software that can bypass it. IP blacklists have not been helpful either. What has worked for me is logging every attempt & searching for patterns (thinking: what do they have to include to achieve their goal?) and hand-writing filters to catch those.

SteveMcLeod · May 20, 2019, 7:07pm

Andy, it was the fear of problems like these that kept me away from developing a SaaS product for so many years!

rfctr · May 21, 2019, 8:24pm

They delete it to get back within the number of allowed invites? Then not letting them to delete the invite for say 3 days would make it harder to abuse.

I’d also add a “Think it is spam? Click here” button to the email. If any invited user clicks, I’d shadow-block sending more emails and flag it for a manual review. If the review confirms spamming, I’d let it stay in the shadow-blocking state - they wasted my energy, I waste theirs.

grujicd · May 21, 2019, 8:43pm

These are all good suggestions, but it’s a shame you have to deal with it in the first place. On the other hand, if you ran a physical store, you’d have to deal with locks, alarms, surveillance cameras, stolen goods, etc. So fight with malicious users/visitors is a fact of life.

IMO the biggest problem here is your email could end up flagged as a spam source. Even if you’re using outsourced mail sender, they could kick you out because of these problems.

davedevelopment · May 22, 2019, 11:23am

I feel your pain on this, we have lots of checks in place for various abuses of our system, mostly all hand coded after we notice patterns in behaviour.

It gets me down having to spend so much time on it, but I try and remember the plenty of fish founder saying somewhere that in the early days, the thing that set POF apart from the rest and what he considered to be a key to their success, was that they were the best at keeping out the fakers and the scammers.

jwr · May 29, 2019, 3:34pm

I’m looking at my SaaS now trying to find ways in which it could be abused…

But, whatever you do, please do not add the horrible reCAPTCHA thing. It provides an abysmal experience for users and does not work against determined attackers.