Email Bombs Exploit Lax Authentication in Zendesk

Posted3 months agoActive2 months ago

todsacerdoti

69 points

17 comments

krebsonsecurity.comTechstory

calmnegative

Debate

20/100

Email SecurityZendeskSpam

Key topics

Email Security

Zendesk

Spam

A vulnerability in Zendesk's authentication allows spammers to send 'email bombs' to unsuspecting recipients, and commenters discuss ways to mitigate such attacks and share their own experiences.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

Peak period

Day 1

Avg / period

5.7

Comment distribution17 data points

Loading chart...

Based on 17 loaded comments

Key moments

01Story posted
Oct 17, 2025 at 7:27 AM EDT
3 months ago
Step 01
02First comment
Oct 17, 2025 at 9:52 AM EDT
2h after posting
Step 02
03Peak activity
12 comments in Day 1
Hottest window of the conversation
Step 03
04Latest activity
Oct 26, 2025 at 1:15 AM EDT
2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (17 comments)

Showing 17 comments

dboreham

3 months ago

3 replies

Ah. This explains a bunch of odd emails I received all at the same time last week.

Ekaros

3 months ago

I was kinda confused why I got one from company that really doesn't even operate here and what was the vector with it...

whatamidoingyo

3 months ago

Yeah, I got like 50 from bugcrowd. I figured someone found a bug somewhere, lol.

Volundr

3 months ago

Yeah I got enough of these from discord, that I emailed their abuse@ and put in a support ticket, but they ignored me. Nice to have it confirmed. I ended up doing a password rotation on the off chance it was me.

fckgw

3 months ago

3 replies

If you start getting an email bombed out of nowhere, being signed up for hundreds of newsletters or other email notifications, take a quick look at your credit card statements for any unknown purchases. Email bombs are often used by card thieves to hide legitimate purchase notifcation email from retailers when they use your stolen creds.

mcast

3 months ago

1 reply

Better yet, setup transaction alerts on all your credit cards, and use a budgeting app like Monarch/YNAB to review all your household transactions each month or receive weekly email summaries.

YeBanKo

3 months ago

1 reply

> Monarch/YNAB

Yeah, right. Let some thirds party app collect all your info in their secure cloud. Do you also give Monarch login to your bank account?

PhilippGille

3 months ago

Outbank is an option that runs locally but still connects to banks to fetch transactions: https://outbankapp.com/

OptionOfT

3 months ago

Another reason to actually get your credit card statement via snail-mail.

I understand it is wasteful, but I go on an evening walk and pick up the mail.

The effort for me to pick up the mail and read my credit card statement is actually quite nice.

It doesn't require you to sign in, and search my house for my phone or my YubiKey, it doesn't prompt me for other credit card offers, doesn't require me to download a PDF reader.

tlonny

3 months ago

Also check airline miles haven’t gone missing.

A friend of mine recently had his BA account compromised, all his Avios stolen and he was none the wiser after receiving about 60 emails a minute

mobeigi

2 months ago

This spam campaign drove me nuts! I received so many of these emails from so many random companies.

The key takeaway is to always have a email verification loop (or something stronger like phone verification) when using an anonymous user feature. You need to prove you own an email address before you use it.

bombcar

3 months ago

You know, combing "bomb" with LAX makes me think really different things for awhile until my parser finally woke up ...

bgc

3 months ago

Another fun Zendesk “feature,” that, to my knowledge, has never been fixed is if you CC it on a thread with any other email address that auto-replies, it will get stuck in a loop and ping-pong emails back and forth until the mailbox fills up.

vachina

3 months ago

This attack is called email amplification. Any open form that triggers email sending is vulnerable. Fortunately these bots are pretty basic in my experience, putting a captcha (or anything unexpected) in front is enough to stop these bots.

ianhawes

3 months ago

Brian Krebs is a saint for being the perennial punching bag and target of cybercriminals but continuing to publish important information independently.

jtokoph

3 months ago

Unless I missed it, the article doesn’t explain how this works. It seems like the spammer sends an email to support@somecompany.com but spoofs the From address to be the target of the spam. The Zendesk ticket system then sends the auto reply to the spoofed From address

ssalmon

3 months ago

This doesn't surprise me since Zendesk uses the same DKIM key for all customers. I have multiple domains that I support and they all point to the same CNAME record.

View full discussion on Hacker News

ID: 45615449Type: storyLast synced: 11/20/2025, 12:44:40 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN