Tell HN: Another round of Zendesk email spam

1. spike_+pe 2026-02-04 20:35:25
>>Philpa+(OP)
I've got four emails, and I've no idea what’s going on. (I have a public email address on GitHub.)

2. bentle+Fn 2026-02-04 21:15:34
>>spike_+pe
It seems to have started two weeks ago. A spammer realized that one can find a Zendesk‐based help forum, open a new ticket without an account, fill the ticket with spam URLs, and put an email address scraped from GitHub commit logs in the author email field. Zendesk would “helpfully” send the “author” the contents of the ticket, becoming in effect an open relay for spam emails. Two weeks ago is when the spammer started the attack in earnest: I received hundreds of these spam emails, typically one or two per Zendesk‐hosted help forum, sent to email addresses that I’ve only ever used on GitHub. It was discussed a bit on HN: >>46685768

Since then, Zendesk seems to have strengthened their system so that opening a ticket requires account activation first. Leading to today, when I’ve received thousands of signup attempt emails (again, typically one or two per Zendesk‐hosted forum). This is way more emails than I got last time. I hypothesize that the spammer is doing a “last gasp” attack: now that Zendesk has burned the exploit by no longer including the ticket text in the emails, the spammer is trying every Zendesk site it knows in hopes that some of them are slow to update and still forward the ticket text to the victim.
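
A defender-side sketch of the pattern described in the comment above (one or two messages per Zendesk-hosted forum, many forums, one recipient), added here as an example and not part of the thread. It assumes senders use addresses at `<tenant>.zendesk.com`, so help centers sending from a custom domain are not counted; the function names, thresholds and sample headers are constructed.

```python
from collections import defaultdict
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

SUFFIX = ".zendesk.com"  # assumption: tenants send from <tenant>.zendesk.com

def zendesk_tenant(from_header):
    """Tenant label of an address at <tenant>.zendesk.com, else None."""
    domain = parseaddr(from_header)[1].lower().rpartition("@")[2]
    return domain[:-len(SUFFIX)] if domain.endswith(SUFFIX) else None

def flag_bursts(raw_messages, window=timedelta(hours=24), min_tenants=3):
    """Recipients mailed by >= min_tenants distinct tenants inside one window."""
    seen = defaultdict(list)  # recipient -> [(sent time, tenant)]
    for raw in raw_messages:
        msg = message_from_string(raw)
        tenant = zendesk_tenant(msg.get("From", ""))
        try:
            sent = parsedate_to_datetime(msg.get("Date", ""))
        except (TypeError, ValueError):
            continue  # missing or malformed Date header
        if tenant:
            rcpt = parseaddr(msg.get("To", ""))[1].lower()
            seen[rcpt].append((sent, tenant))
    flagged = defaultdict(set)
    for rcpt, events in seen.items():
        events.sort()
        start = 0
        for end, (sent, _) in enumerate(events):
            while sent - events[start][0] > window:  # slide window forward
                start += 1
            tenants = {t for _, t in events[start:end + 1]}
            if len(tenants) >= min_tenants:
                flagged[rcpt] |= tenants
    return {rcpt: sorted(t) for rcpt, t in flagged.items()}

def _msg(frm, to, date):  # builds constructed sample headers, not real traffic
    return f"From: {frm}\nTo: {to}\nDate: {date}\nSubject: constructed\n\n"

SAMPLE = [
    _msg("support@hooli.zendesk.com", "dev@example.org", "Tue, 20 Jan 2026 09:00:00 +0000"),
    _msg("Acme <support@acme.zendesk.com>", "dev@example.org", "Wed, 04 Feb 2026 20:01:00 +0000"),
    _msg("support@globex.zendesk.com", "dev@example.org", "Wed, 04 Feb 2026 20:07:00 +0000"),
    _msg("support@initech.zendesk.com", "Dev <dev@example.org>", "Wed, 04 Feb 2026 20:30:00 +0000"),
    _msg("support@acme.zendesk.com", "other@example.org", "Wed, 04 Feb 2026 20:02:00 +0000"),
    _msg("news@evil-zendesk.com", "dev@example.org", "Wed, 04 Feb 2026 20:03:00 +0000"),
]

if __name__ == "__main__":
    print(flag_bursts(SAMPLE))
```

A single legitimate ticket reply never trips this, because the signal is the number of distinct tenants per recipient, not the volume from any one of them.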

3. alejo+uV 2026-02-05 00:29:24
>>bentle+Fn
What would be the goal of all this? Just for the fun of it?

4. spike_+Go1 2026-02-05 04:47:51
>>alejo+uV
It's not for fun. They are hijacking a trusted server (Zendesk) to smuggle phishing links past my spam filter. Since Zendesk blocked the text relay, their bot is now just spamming signups as a side effect of the failed exploit.

[Ref](https://support.zendesk.com/hc/en-us/articles/8257723564186-...)

[Ref 2](https://darknetsearch.com/knowledge/news/en/zendesk-ticket-s...)
