Freshworks’ practices on tackling spam

When Freshworks was founded, we had only one product: Freshdesk, our customer support helpdesk. The email functionality was tightly coupled with the product, and the email team supported our customers in sending emails to their customers. As we started building more products, it became apparent that the email module was central to the business workflow. We decided to hive email off into a platform service. This would help us decouple the existing module, and also help when we launch new products.

Over time, as we grew and our customer base increased, we became a target for spammers using our domain to send emails with the intention of disrupting services and causing harm. We realized that we needed to train our email team to handle email spam and abuse.

Protecting Freshworks’ IP reputation

Spam is unwanted email, sent in bulk with the intention to mislead the receiver. Spam emails can range from being mostly harmless to being very malicious. They typically contain attachments or links that appear harmless but, when opened, install malware or ask for personal details such as a bank account number or social security number. Internet products are abused in different ways, primarily because there is potential to reach a large audience with very little effort. But the more frequently our emails are reported as spam, the more our IP reputation takes a hit, and this results in substantial business losses. Some common spam attacks include:

  • Phishing attacks: Phishing attacks use email and fake website links to solicit an individual’s personal information such as account usernames and passwords, credit card numbers, and other sensitive data. Take a look at the following email:

sample spam email

In the above email, the sender’s email address appears randomized and thus suspicious. The message claims that your account is unsafe and asks you to fill in your account details by clicking on a link. Such emails also tend to carry typos and grammatical mistakes. Sometimes, special characters are used to replace normal letters so that the message looks innocuous.

  • Malware: Malware and viruses are introduced into systems via email as attachments, embedded files, and links in email messages. Clicking on these will install unwanted software that ranges from being a nuisance (think of repetitive pop-ups that don’t close) to being very dangerous (a total system wipe).
  • Denial of Service (DoS): A DoS attack involves flooding the recipient with more input than they can handle, overwhelming the network resources and the targeted systems, resulting in a slowdown and reducing operational efficiency. While phishing and malware attacks are targeted at individuals, DoS attacks are aimed at businesses/service providers.

To ensure that we stay protected from such spam attacks, we introduced “Antispam Service”.

The anti-spam system

Spam emails are usually sent in bulk. But when even a relatively small number of the recipients mark an email as spam, emails from the sending IP address will be blocked. This is a strategy followed by prominent email service providers like Gmail, Yahoo, and Outlook. The anti-spam system provides a basic email spam check and virus scan, along with a specific mitigation plan for each attack.

  • Phishing emails: The email sent by spammers in itself has very little value. It usually contains a hyperlink or an attachment which, when clicked on, can lead to a spam site or trigger a virus download. Hence, our focus was to identify patterns surrounding suspicious links by the following methods:
      • Hyperlink identification – When recipients mark an email as spam, the contained links are often reported to a central database maintained by blacklist providers. We use such blacklist providers to identify and penalize incoming emails with suspicious links. For outgoing emails, we use the same service to predict if the emails have a chance of being rejected or marked as spam by email providers.
      • Third-party blacklists – We use third-party services to identify and blacklist domains that are seen as malicious spammers.
      • Custom blacklist – While configuring new systems, we create custom categories of blacklisted URLs, specific to our business, based on the spam feedback loop.
  • Virus/malware protection – We use third-party anti-virus software that scans attachments for specific code patterns and compares them against information in the database. We remove such flagged attachments from the email and thereby prevent our customers from being affected by them.

While these measures drastically improved Freshworks’ IP reputation, we were faced with a new challenge: How do we handle false positives? A false positive is when a legitimate user complaint email gets classified as spam and the user is unable to seek resolution. This again impacts our reputation.

To minimize false positives, we implemented strict scoring mechanisms when classifying an email as spam. We also put API provisions in place for customers to report false positives. The following figure shows the elimination of false positives before and after implementing these strategies.

Email spam percentage
Monthly Spam trend after the elimination of false positives

 

However, email was not the only channel that spammers targeted. We scrutinized other possibilities where we could be vulnerable to spam and ensured we put prevention measures in place.

Prevention of solution article spam

Freshdesk, the customer support software from Freshworks, provides a free knowledge base for customers and often directs people who have frequently asked questions to this knowledge base, which contains solution articles authored by support agents. These solution articles are indexed by search engines, and attackers use this to mislead customers. Scammers use these articles to create fake support websites using appropriate keywords (helpline, support, and help), and add phishing links to the articles. Here is an example that shows how this can be misused.

Sample solution article spam

Spammers try to get these fake websites to appear at the top of web search results for certain popular keywords to lure customers. One of the most common tricks is to provide a fake support helpline for a known company. Look at the example above. We have “Gnail helpline phone number”. The keyword ‘Gnail’ can be easily identified as spurious.

To mitigate such attacks, we adopted higher-resolution detection methods for solution articles. One such method is to take note of the frequency of words appearing in the article and assign an adaptive score to them. This prevention measure responds to the spammers’ goal of ranking in search results (SEO).
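
One way to implement the word-frequency scoring described above, together with a check for look-alike brand names such as “Gnail”. This is an added example, not Freshworks’ code; the bait terms, weights, brand list, common-word allowlist and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed inputs, constructed for this example: bait terms with starting weights,
# brand names to protect, and ordinary words that sit one edit away from a brand.
BAIT_WEIGHTS = {"helpline": 3.0, "support": 1.0, "help": 1.0, "phone": 2.0, "number": 2.0}
BRANDS = {"gmail", "yahoo", "outlook"}
COMMON_WORDS = {"email", "mail"}


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brands(words):
    """Words exactly one edit away from a brand name, e.g. 'gnail' for 'gmail'."""
    return sorted({w for w in words for b in BRANDS
                   if w not in BRANDS | COMMON_WORDS and edit_distance(w, b) == 1})


def article_score(text, weights=BAIT_WEIGHTS):
    words = re.findall(r"[a-z]+", text.lower())
    if not words:
        return 0.0, []
    counts = Counter(words)
    # Weighted bait-term density: repeated keywords raise the score, while a
    # long article that mentions "support" once stays close to zero.
    density = sum(weights.get(w, 0.0) * n for w, n in counts.items()) / len(words)
    fakes = lookalike_brands(counts)
    return density + 2.0 * len(fakes), fakes


def adapt(weights, confirmed_spam_text, step=0.5):
    """Return new weights, raised for bait terms seen in a confirmed spam article."""
    seen = set(re.findall(r"[a-z]+", confirmed_spam_text.lower()))
    return {w: v + step if w in seen else v for w, v in weights.items()}
```

Without the `COMMON_WORDS` allowlist, “email” would be flagged as a look-alike of “gmail”, which is the kind of false positive the scoring has to avoid.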

Initially, a lot of accounts were created just to exploit the solution article feature. Once we started identifying and blocking those accounts, there was a drop in the creation of such accounts. The following figure shows the trend:

The monthly trend of solution spam accounts as we implemented spam prevention methods

Template spam check

Freshdesk allows customers to configure their email notification templates, and we have seen spammers configure phishing content on these templates. We conduct in-depth tests on custom phishing, hidden URLs, sexual content filters, and bitcoin rulesets to identify spam at this step and avoid the further processing of spam.
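
The link checks from the anti-spam section and the hidden-URL test mentioned here can share one pass over the HTML of an email or template. The following is an added example, not Freshworks’ code; the blocklist entries are constructed, and `LinkAudit`, `host_of`, `is_blocked` and `audit_links` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"phish.example", "malware-drop.example"}  # constructed sample


def host_of(url):
    """Lower-cased hostname of a URL or bare 'host/path' string ('' if none)."""
    try:
        return (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority such as an unbalanced '['
        return ""


def is_blocked(host):  # true if the host or any parent domain is listed
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        target, shown = host_of(self._href), "".join(self._text).strip()
        if is_blocked(target):
            self.findings.append(("blocked_link", target))
        # If the visible text is itself a URL, it should name the same host.
        shown_host = host_of(shown) if "." in shown and " " not in shown else ""
        if shown_host and shown_host != target:
            self.findings.append(("hidden_url", f"{shown_host} -> {target}"))
        self._href = None


def audit_links(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings
```

Matching on whole domain labels means `login.phish.example` is caught by the `phish.example` entry while `notphish.example` is not.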

These measures have all been reactive and managed to stop a fraction of spammers. The need of the hour was to proactively stop spammers before they even entered our system.  

Taking a proactive approach: Sign-up spam check

Internet-driven businesses often require users to sign up before using their product/service. Spammers use temporary or disposable email addresses to register fake users. They use spam bots built to find the sign-up form code on your website and submit fake information that skews the accuracy of the statistics of the list.

A fake email address is being used during sign up

One of the preliminary actions to block spammers before they enter the system is to analyze their behavior during sign-up and intervene.

  • Blacklisted IPs, domains, and email addresses – Freshworks maintains a known list of IPs/domains/email addresses used by spammers. The IP/domain used to sign up is compared against this extensive list and scammers are weeded out.
  • Rate limit by IP and email addresses – Traffic from IPs is restricted so that hackers cannot sign up for multiple accounts.
  • Disposable mail – Users with temporary email addresses are restricted from signing up.
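
A minimal sketch of the three sign-up checks listed above, added here as an illustration and not taken from Freshworks’ systems. The list contents (documentation IP ranges and reserved example domains), the window and the limits are constructed assumptions, as are the names `SignupScreen` and `normalize_email`.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample lists; real ones come from abuse feedback and providers.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_DOMAINS = {"spam-sender.example"}
BLOCKED_EMAILS = {"bulk@mailer.example"}
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}
WINDOW_SECONDS = 3600   # assumed look-back window
MAX_PER_IP = 3          # assumed sign-ups allowed per IP per window
MAX_PER_EMAIL = 1       # assumed sign-ups allowed per normalized address


def normalize_email(email):
    """Lower-case and drop '+tag' so tagged variants share one rate-limit key."""
    local, _, domain = email.strip().lower().rpartition("@")
    return local.split("+", 1)[0] + "@" + domain, domain


class SignupScreen:
    def __init__(self):
        self.seen = defaultdict(deque)  # rate-limit key -> attempt timestamps

    def _over_limit(self, key, now, limit):
        q = self.seen[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                 # forget attempts outside the window
        q.append(now)
        return len(q) > limit

    def check(self, ip, email, now):
        """Return (allowed, reasons) for one attempt at time `now` in seconds."""
        addr, domain = normalize_email(email)
        reasons = []
        if any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETS):
            reasons.append("blocked_ip")
        if domain in BLOCKED_DOMAINS or addr in BLOCKED_EMAILS:
            reasons.append("blocked_sender")
        if domain in DISPOSABLE_DOMAINS:
            reasons.append("disposable_domain")
        # Both counters always run, so rejected attempts still count.
        ip_hit = self._over_limit("ip:" + ip, now, MAX_PER_IP)
        mail_hit = self._over_limit("mail:" + addr, now, MAX_PER_EMAIL)
        if ip_hit:
            reasons.append("ip_rate_limit")
        if mail_hit:
            reasons.append("email_rate_limit")
        return not reasons, reasons
```

Returning the list of reasons rather than a bare boolean lets the same result feed a rule-based spam score instead of an outright rejection.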

Apart from this, Freshworks uses third-party services to determine the reputation of new users and takes action accordingly during sign up. Here, the spam score of an account is calculated using a set of rules. A user account with a high spam score is restricted from sending emails, and emails from accounts with a low score are routed via a different path and SEO optimization is disabled for their customer portal.

Sign-up spam trend

What Next?

Abuse prevention is a process where companies constantly update their detection models to identify and tackle the strategies that scammers come up with. At Freshworks, we are training our systems based on user actions and continuously developing the system to improve accuracy in detecting issues. We are working on various machine learning models based on sign-up reputation, user behavior, entity changes, inbound traffic, and outbound traffic to enhance our spam detection. One such model is Bayesian classification, where we classify an email as spam based on the entities that match identified known spam. The learning is user-specific: what is spam for one user need not be spam for other users.
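
The user-specific Bayesian classification described above can be illustrated with a small multinomial naive Bayes model kept per user. This is an added example, not Freshworks’ model; it assumes plain word tokens stand in for “entities”, and the names `UserSpamModel`, `record_feedback` and `is_spam_for` are hypothetical.

```python
import math
import re
from collections import Counter, defaultdict


def tokens(text):
    return re.findall(r"[a-z0-9']+", text.lower())


class UserSpamModel:
    """Multinomial naive Bayes with Laplace smoothing, trained per user."""

    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.words[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = len(set(self.words["spam"]) | set(self.words["ham"])) or 1
        total_docs = sum(self.docs.values())
        scores = {}
        for label in ("spam", "ham"):
            # Smoothed prior, so a user with no examples of a class still works.
            score = math.log((self.docs[label] + 1) / (total_docs + 2))
            total = sum(self.words[label].values())
            for tok in tokens(text):
                score += math.log((self.words[label][tok] + 1) / (total + vocab))
            scores[label] = score
        # Turn the two log scores into P(spam | text); clamp to keep exp() finite.
        diff = max(-700.0, min(700.0, scores["ham"] - scores["spam"]))
        return 1 / (1 + math.exp(diff))


models = defaultdict(UserSpamModel)  # one independent model per user id


def record_feedback(user, text, is_spam):
    models[user].train(text, "spam" if is_spam else "ham")


def is_spam_for(user, text, threshold=0.5):
    return models[user].spam_probability(text) > threshold
```

Because each user’s feedback trains only that user’s model, the same message can be spam for one user and legitimate for another, and a user with no feedback yet gets a neutral probability of 0.5.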