Support Ticket #1
An email recently landed in my inbox titled RE: Your payment method has expired, delivered to an old address of mine: webmaster@mobeigi.com.
At first glance, this email seemed legitimate. It wasn’t flagged as spam and appeared to come from a trusted address, support@discord.com. Even more convincing, it passed SPF, DKIM and DMARC checks, which are strong indicators of authenticity unless Discord’s email systems had been compromised.
At this point, I was very confused. While I do have a Discord account, I’ve never paid for any feature that would require a payment method. I also hadn’t created any support ticket recently.
On October 3, Discord disclosed a security breach where user emails were exposed, so I assumed this message was somehow related to my address being included in that breach.
Brace yourselves, Zendesk emails are coming
What came next was completely unexpected. A complete onslaught of support emails poured in from what felt like every company on the planet using Zendesk. For some reason, I was hit particularly hard compared to other users caught in this spam campaign. Each message carried a ridiculous support ticket subject, and many came from companies I’d never used before.
For example, here’s the email I received from Lime Support:
Over the span of three days, I received emails from the following companies, each with its own support ticket subject:
Company | Support ticket subject
2K | Your Discord Account has violated our Terms of Service
CompTIA | [IMPORTANT] Law Enforcement Cooperation Demand For Your Discord Account from FRANCE
Discord | Your Payment Method Has Expired
EVE Online | Safety Alert From Madagascar Law Enforcement Regarding Discord Breach
Five Below | We Got Your Request!
Happy Wars | [Request received]
IntelliJ | Law Enforcement Data Demand For Your Discord Account
KnowBe4 | Law Enforcement Data Demand For Your Discord Account
Lime | Law Enforcement Data Demand For Your Discord Account
MayaMobile | Request Received:
Otter.ai | Your Discord Account has violated our Terms of Service
Passwordsecure.com | Law Enforcement Data Request For Your DISCORD Account From Cambodia
StreamText | Law Enforcement Safety Notification From Norway Regarding Discord
Thistle | Law Enforcement Emergency Data Request For Your Discord Account From Argentina
Tinder | Your Discord Account has been disabled
Tonies | Law Enforcement Investigation For DISCORD From South Korea
Yogasleep | Law Enforcement Investigation for DISCORD
I have to congratulate law enforcement for taking the Discord security breach so seriously. Special thanks to the dedicated efforts of France, Madagascar, Cambodia, Norway, Argentina, and South Korea for what appears to be a glorious international operation to keep my Discord account safe.
On a serious note, I was pleased to see that Happy Wars, Five Below and Maya Mobile did not include the support ticket subject in the email itself. Whether intentional or not, this helps prevent potentially sensitive information from being accidentally exposed. Imagine sharing your screen during a presentation and an incoming email pops up revealing a confidential support ticket subject like 'WinRAR stopped working after I upgraded from the trial version to a paid licence'.
I received a few follow-ups from support staff at some of these companies, understandably confused about what I was actually asking for help with:
Zendesk Anonymous Authentication
It turns out the malicious actors behind this spam campaign were exploiting a flaw in Zendesk’s Anonymous Authentication feature. This feature allows companies to let users submit support tickets using only an email address, without needing to log in. It's handy in situations where someone is locked out of their account (for example, their Discord account) but still needs a way to contact support to get their account back.
Unfortunately, providing an email address is all that is required for a ticket to be created. The attackers took advantage of this by submitting tickets using email addresses they did not own. Zendesk's automated system then sent acknowledgement messages to those addresses. Because each message was genuinely sent by the company's own Zendesk instance, the result was a flood of fully authenticated emails with odd support ticket subjects that easily bypassed spam filters.
It is unclear why the attackers chose to do this, as there appears to be no real benefit beyond annoying random people on the internet, damaging Zendesk’s credibility, or possibly trying to harm Discord’s reputation given how often its name appeared in the ticket subjects.
Contacting Zendesk
I contacted Zendesk Support on 14 October, and they replied with the following:
Thank you for your report.
The emails that you've received were ticket creation notifications from accounts using our platform to allow anyone to submit support requests, including anonymous end-users.
Requests that can be submitted in an anonymous manner can also make use of an email address of the submitter's choice. However, this method can also be used for spam requests to be created on behalf of third party email addresses.
We have started investigating additional preventive measures and issued a series of recommendations to our customers.
We highly recommend that you mark these emails as spam and use the blocking rules in your email client to hinder the creation of these emails moving forward.
Thank you once again for your email and for providing us the chance to work with you on this matter.
I explained why this recommendation was terrible.
Firstly, marking these emails as spam would raise the spam complaint rate for legitimate support addresses like support@discord.com. This metric is important to email providers, as it influences whether future emails from that sender are flagged as spam. For example, AWS SES can suspend outbound email if the complaint rate becomes too high.
Secondly, creating blocking rules in your email client would also stop legitimate Zendesk messages. While that might work as a short-term fix, it would prevent me from receiving genuine support tickets I raise in the future.
My recommendation to the Zendesk team was simple:
The anonymous request feature should almost certainly have an email validation loop:
"Zendesk sent you an email, please enter the code to submit this anonymous support request".
This validation loop would ensure that support tickets could only be created by users who actually own the email address used to raise the ticket. Of course, attackers could still try to abuse the validation emails as another spam vector, but that risk is smaller, and rate limiting, bot detection, and captchas could help minimise it.
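The validation loop described above, as an added example that is not Zendesk's code or part of the original post: a hypothetical gate in front of anonymous ticket creation that only creates a ticket once the requester proves control of the address, with per-address rate limiting on verification emails and a cap on wrong-code guesses. The `send_email` callable, the in-memory store and the sample addresses are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600           # seconds a verification code stays valid
MAX_CODES_PER_HOUR = 3   # verification emails allowed per address per hour
MAX_ATTEMPTS = 5         # wrong-code guesses allowed before a code is discarded


class AnonymousTicketGateway:
    """Hypothetical verification gate (assumption, not Zendesk's implementation)."""

    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email   # callable(to, body); assumed transport
        self.clock = clock
        self.pending = {}              # email -> [code_hash, expires_at, attempts]
        self.sent_log = {}             # email -> timestamps of verification emails
        self.tickets = []              # created tickets: (email, subject)

    def _hash(self, email, code):
        return hashlib.sha256(f"{email.lower()}:{code}".encode()).hexdigest()

    def request_code(self, email):
        """Send a one-time code; refuse if the address already got too many."""
        now = self.clock()
        recent = [t for t in self.sent_log.get(email, []) if now - t < 3600]
        if len(recent) >= MAX_CODES_PER_HOUR:
            return False               # limits the code email as a second spam vector
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = [self._hash(email, code), now + CODE_TTL, 0]
        self.sent_log[email] = recent + [now]
        self.send_email(email, f"Your support request code is {code}")
        return True

    def submit_ticket(self, email, code, subject):
        """Create the ticket only if a valid, unexpired, unused code is presented."""
        entry = self.pending.get(email)
        if entry is None:
            return False               # no verification in progress for this address
        if self.clock() > entry[1]:
            del self.pending[email]
            return False               # expired code
        if not hmac.compare_digest(entry[0], self._hash(email, code)):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self.pending[email]   # stop online guessing of the 6-digit code
            return False
        del self.pending[email]        # single use
        self.tickets.append((email, subject))
        return True
```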
I was told my suggestion was helpful and would be passed on to the team 🤞.
Aftermath
Zendesk published an announcement on 17 October officially acknowledging the issue. They wisely updated their advice to ignore or delete suspicious emails instead of marking them as spam. Shortly after this announcement, the barrage of spam in my inbox stopped. It’s unclear whether Zendesk implemented a technical fix to address the vulnerability or instructed clients to temporarily disable their Anonymous Authentication feature 🤷‍♂️.