Why we blocked mailbox creation for some accounts

Oct 7, 2020  - written by  in Domain names

In August 2020, spam accounted for nearly 85% of global email traffic, or a whopping 344.66 Billion emails in total for the month. That means in just 31 days, 44 spam messages for each person on Earth were sent. Since the first spam email in the 1970s, unsolicited, sometimes malicious, email has been a nuisance at best. In the worst case scenarios, phishing email and other malicious email costs businesses billions of dollars per year.

Luckily, there’s also an army of workers devoted to the Sisphyean task of fighting spam: coming in to work with daily queues of reports to process, monitoring traffic for trends, and building out smart new solutions to protect you from spam. Cheers to all of those hard-working unsung heroes.

As a provider of an email service, we are part of this fight. And we’re always trying to improve our practices to help fight this plague of the digital age. Most of the time, that means taking proactive steps to respond to spam reports and take the necessary actions to shut down spammers using our services to send unsolicited mass emails.

But sometimes that means plugging holes we really should have plugged already.

A security feature we added last week falls into the latter category.

Until then, it was possible to create email mailboxes—and start using them—from Gandi accounts that used email addresses we hadn’t yet verified.

This hasn’t been a huge problem for us in the past for a couple of reasons. First, because you would still need to purchase a domain name, there’s a monetary barrier that deters some of this behavior. And second, we block accounts that don’t verify their email addresses after 7 days. So that further narrows the field.

But recently, our Abuse team noted a pattern—user accounts were being created automatically in order to create mailboxes used to send malicious emails.

It wasn’t a hard decision to make that no longer possible.

Now, anyone who tries to create an email mailbox from an account with an unverified email address will get a message explaining to them that they must validate their email address first.

So, that’s one hole plugged, but of course, the fight against spam continues.