
Sendgrid under siege from hacked accounts - elsewhen
https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
======
edoceo
Oof. So, I tried sending mails from our own domain and our mail server - but
Google tagged us as spam. We migrated into Google hosting and it was fixed,
now back to Spam. So we move to a provider like sendgrid, but then they have a
hack. Damnit!

When we hosted our own, we had DKIM, SPF, DMARC and such, clean IP and clean
messages, we only sent account create and transaction notices - low volume,
relevant messages to folks who opt-in. We had our little box setup right and
we're polite actors but got tagged which killed our user experience (password
resets went to Spam and folk called support)

But it feels the "big-web" forced us into vulnerable providers for the spam
game.

We need more self hosted email and less centralized control.

~~~
smnplk
`We need more self hosted email and less centralized control`

We need to start over and build a truly open internet.

~~~
dredmorbius
The open email Internet was buried in an avalanche of spam.

Open alone is insufficient.

~~~
paulryanrogers
If email were architected to put the cost of storage on senders then I think
the spam problem would have been more manageable. Instead it's so closely
modeled on physical mail that recipients get overwhelmed quickly.

~~~
smabie
Even if email worked like that, I don't think it would solve the spam problem.
Spam emails are rarely personalized and the same exact message is sent out to
many different addresses.

As such, the spammer would only have to store each unique message and the list
of recipients associated with each unique message.

~~~
dredmorbius
Even with single copy + list, with a poll-and-request delivery model (sender
polls recipient's system, which then requests message on some schedule):

1. Sender cannot simply mass-cram messages to recipients, as many spam engines
today do. (Qmail for a time was notorious for doing this).

2. There's a good chance that any bulk spammer will accrue a negative
reputation by the time most recipients bother to request messages. So they
won't.

3. Spammer must sustain a stable online presence --- not be knocked offline
or blocked by ISP or hosting provider.

4. Spammer has to track successful deliveries vs. messages that are complete.

Upshot: the spammer's workfactor increases.

------
maerF0x0
> Neil Schwartzman, executive director of the anti-spam group CAUCE, said
> Sendgrid’s 2FA plans are long overdue, noting that the company bought Authy
> back in 2015.

It's worth noting that this mixes up history. Authy was acquired by Twilio in
2015. Sendgrid was acquired by Twilio in 2019, there's no reason to assume in
the 4 years interim that SG should have used Authy.

~~~
psanford
For a company that went out and acquired a 2FA subsidiary, Twilio really
doesn't seem to have their 2FA story together.

For example you'd think a company with a division dedicated to authentication
would support what the industry considers the best 2FA solution: WebAuthn.
Sadly that is not an option for your Twilio account (other Auth providers like
Duo support WebAuthn).

Twilio has also been emailing me the past few months telling me I must turn on
2FA on my account. This is weird since I have TOTP enabled.

I feel like Twilio must be internally conflicted about this. As a company
dedicated to phone services they really want to push SMS solutions even though
SMS based 2FA is vastly inferior to WebAuthn.

~~~
u801e
> you'd think a company with an division dedicated to authentication would
> support what the industry considers the best 2FA solution: WebAuthn

How would WebAuthn work with someone using a mail user agent connecting via
SMTP?

~~~
tialaramex
What Sendgrid offers here (and this is fairly typical) goes like this:

* To use their APIs or SMTP submission servers you need a bearer token, which is basically a random blob of data.

* To get a new bearer token (good for any number of API calls or SMTP submissions) you log into a web site and request a new token. This site is also where you can de-authorize existing tokens. The site is protected with 2FA

Today, Sendgrid offers this, only with Authy for 2FA and it's optional. If you
decide bearer tokens are too complicated for your 15 year old PHP mail sending
code, you can just use a username and self-selected password for SMTP or the
API instead.

Authy has an obligatory SMS bypass. So even though you _can_ use an app to
generate codes, bad guys who can SIM swap their way to your phone number can
do 2FA and get into the web site to issue their own bearer tokens.

So, today if you can guess a company's username and password on Sendgrid
there's a good chance that's enough to have Sendgrid help you send spam as
that company.

With the 2FA world they want to get to, you would need to either SIM-swap,
trick their customer service agents, or most likely just pinch a bearer token
they wrote to a Pastebin or whatever.

They _could_ do much better in 2020, but there's no sign Sendgrid has any
interest in doing more than the very bare minimum.

~~~
u801e
> To get a new bearer token (good for any number of API calls or SMTP
> submissions) you log into a web site and request a new token.

Is the bearer token used as the password in the SMTP transaction? Could the
same one be used for IMAP access?

------
jeffbee
If you run a service that can be abused like this, you're going to need
objective account abuse metrics to warn you before these things happen.
Specifically you're going to need a Russian speaker to prowl around on Russian
forums buying your own hacked accounts, so you can figure out the market
price. If accounts on your system are selling for ten cents, might be time to
reflect on account security.

~~~
neolog
Do big companies actually do this (check market price by buying their own
accounts on forums)?

~~~
timClicks
Absolutely. Edit: Although it's rarely direct. Normally big corp will engage a
security consultancy and discuss this type of reconnaissance as one part of a
wider strategy.

------
jbverschoor
Well, I've tried contacting sendgrid about phishing emails that look like
they're from @sendgrid.com , using their own server. The SPF records match, so
it isn't marked as junk mail.

It's similar to the github pages exploit from years ago, which is why we now
have github.com and github.io

The purpose of these mails is of course to get credentials and spam some more.

At first I checked for a bounty, but as this is a "configuration error" (SPF),
there is no bounty.

Then I sent it by mail, but yeah.. No reply.

~~~
nodesocket
Can you elaborate how a 3rd party is able to send e-mail from @sendgrid.com?

~~~
jbverschoor
Simple. The IP addresses of their client/guest servers are whitelisted in
the SPF records. So anyone can impersonate them.

Not 100% sure if that was the case now, as I can't find the email anymore, but
I've been getting them from both sendgrid and mailgun.

Mailgun's SPF (was at least):

    v=spf1 include:spf1.mailgun.org include:spf2.mailgun.org include:_spf.google.com include:aspmx.pardot.com include:mail.zendesk.com include:spf.mailjet.com ~all

    spf1.mailgun.org: v=spf1 ip4:104.130.122.0/23 ip4:146.20.112.0/26 ip4:141.193.32.0/23 ip4:161.38.192.0/20 ~all

    v=spf1 ip4:209.61.151.0/24 ip4:166.78.68.0/22 ip4:198.61.254.0/23 ip4:192.237.158.0/23 ip4:23.253.182.0/23 ip4:104.130.96.0/28 ip4:146.20.113.0/24 ip4:146.20.191.0/24 ip4:159.135.224.0/20 ip4:69.72.32.0/20 ~all


In the mailgun case I received mails from for example 198.61.254.24 with from:
invoice@mailgun.com

This is actually part of a bigger issue, where lots of people use the same
email service to send out emails. In theory that should work with gmail or
office365, but iirc gmail forces your from sometimes, and google+ms probably
thought about this, right? ;)

~~~
monadic2
I'm surprised they give clients access to their own DKIM.

~~~
perennate
It doesn't pass DKIM. But the fact that it's sent through Sendgrid's platform
gives the e-mail credibility. Because no one expects Sendgrid to allow random
customers to set e-mail (not necessarily envelope) from address to
@sendgrid.com.

~~~
monadic2
Based on my experience with sendgrid it's par for the course.

------
Farfromthehood
Sendgrid user for many, many years.

I believe we disabled 2FA because it broke /prevented our client's ability to
send via SMTP. No idea if they've fixed the issue (and honestly don't care).
Make security easy to adopt if you want us to implement it.

Also, organization-wide, we don't use 2FA that requires a mobile phone
number/SMS (because we don't trust vendors with our phone number).

*IIRC, Sendgrid initially only offered 2FA via SMS, but now you can also use an authenticator app.

~~~
dylz
Phone 2FA is broken by default.

Yes, it broke SMTP and it also broke all API access until they kinda-fixed API
keys. Pretty much anything you used basic auth for at a touch point.

------
sarreph
At work we had a Sendgrid account that got compromised, after which all of our
comms were (predictably) being marked as spam. After back and forth with
support, we were told to continue sending as normal and that "eventually" our
genuine emails would stop getting sent to spam.

That lacklustre support response was enough to put me off the service. And
then, funnily enough, a few days ago I received a reply from Sendgrid support
about _another_ account I had opened for a side project. This reply came in ~2
months late, where I was asking if I could be moved to a different IP range as
all my emails were getting blocked by Outlook services due to the shared IP I
was assigned being (seemingly) misused by spammers. Again, the response was
"just keep trying as normal" and eventually my emails would work...
Apparently. That's obviously not a viable business communications strategy.

The funniest part about both these support responses was that despite one of
them taking several weeks to get a response, I'm being pinged every few days
asking me if my issue was solved. It's all well and good for me to wait months
when I need a response as to why _all_ my emails are getting sent to spam, but
as soon as the ball is in their court, they don't mind pestering me for a
response.

I don't have enough bandwidth for a dedicated IP, so I signed up for a service
that requires a credit card even for its free plan, which I believe is a
decent enough barrier against spamming.

~~~
old-gregg
> That lacklustre support response

Frankly, this makes my blood boil. Full disclosure: I used to work at
Sendgrid's competitor (Mailgun) and I'm quite familiar with what's happening
under the hood. _You_ allowed spam to be sent from your account. You
poisoned the IP space (not just one address you were sending from, but the IP
block, affecting others) with spammy reputation. These blocks are expensive
and hard to acquire (due to IPv4 shortage) and at this point you have caused
more damage to Sendgrid and their customers, than your account value can
probably compensate for. What kind of "support" do you expect at this point?
You rented a hotel room, gave the key to someone who erected a meth lab there,
and you're unhappy with the hotel's reaction?

Sending email on behalf of other people is _hard work_. The margins are not
great, the ratio of spam-to-ham for new accounts is insane, and they're
constantly under pressure between their customers who pay very little but want
to spam the entire universe (I am sorry but most of you do!) and ESPs not
wanting that traffic.

~~~
sarreph
I don't think I did a great job of making clear that my main gripe with their
support (taking months) was from a separate, personal account which — from day
one — was unable to send non-spam, transactional email to anyone with an
Outlook address. In my first example, the account's (for previous employer —
not "me") _right to support_ I guess is more debatable...

But I don't think your analogy of the hotel room is totally representative
here. Without knowing how someone has had their credentials hacked, it's much
more prudent to assume that in your analogy that the room key was pickpocketed
/ stolen. And then it becomes more of a grey-area as to how much support one
can expect.

That being said, I do appreciate your insight on account value, as compromised
accounts clearly do constitute a burden that don't end up paying for
themselves (even if they aren't "to blame").

~~~
BoorishBears
> And then it becomes more of a grey-area as to how much support one can
> expect.

Lol no it doesn't. The comment you replied to uses an excellent example: this
isn't someone who snuck into your room with the stolen key and messed it up,
they burned the room down.

Their support isn't coming after you for the value of the room, but they're
also politely telling you they aren't about to replace your belongings or give
you a new one

~~~
solidasparagus
But notice how that doesn't happen very often. Because hotel keys almost never
have the room numbers on them. This is basic security the hotel provides to
handle the inevitable fact someone is going to lose their credentials. The
Sendgrid equivalent would be some mechanism to prevent lost credentials
leading to abuses - such as 2FA.

~~~
tialaramex
I'm actually intrigued now that I think about this.

What do you think typical hotel keys actually are? They _could_ be arbitrary
one-shot random tokens authorised for your stay. When you check out your
token, even if you've cloned it, is now useless. This would superficially
match the UX you see used, in which each mag stripe card is rewritten before
it's handed to you when you check in.

But from what I can tell _actually_ the typical practice is that the card
doesn't have a random token, it encodes the room number and period of stay. If
you write a new card with a different room number and period it would work,
although of course that doesn't make such a thing legal to do.

I think the lack of a human readable number on your typical hotel keycard is
because it was easier/ cheaper not because of some security insight. I would
be happy to be proved wrong.

Certainly when I've stayed at very small hotels with actual keys, the keys
were marked with a room number. These hotels also _really_ wanted the keys
back when you check out of course, not because they think you'll come back
later and enter a room that's now empty or has a different guest (at such a
small hotel that would not be subtle) but because they need it for the next
guest.

Anyway. Sendgrid's 2FA doesn't actually block lost credentials. If you have
Sendgrid 2FA and use it to get a token for their API, and then the new guy
puts it on Pastebin your token will now be abused to send spam.

The main benefit is that the random tokens aren't guessable whereas your
brilliant choice of Sendgrid password, "sendgrid" is very guessable. Yes this
is some very weak sauce.

------
statquontrarian
I've been a paying customer for years on their shared server plan ($15/mo) and
I've had terrible customer service and lots of emails marked as spam (e.g. to
my Mom) due to a bad reputation of the shared box. I haven't migrated out of
laziness and inertia.

This article and the fact that other comments mention that SendGrid is seen as
spammy is the final straw and I'm going to migrate. What paid email senders do
people recommend that aren't excessively marked as spammy by gmail, etc.?

~~~
throwaway200829
Throwaway since I’m a former Twilion.

Even though people love Twilio for their developer friendliness and nice APIs,
what no one wants to talk about publicly is their disproportionate amount of
revenue that comes from spammy behavior. Either as a company or it’s
customers.

I was in sales. I saw the revenue numbers and sold these deals. It’s
staggering.

Yet wall street looooooves Twilio because of their revenue growth.

Note: Twilio owns Sendgrid.

~~~
lowdose
What I would like to know from a Twilion:

Is Twilio used by commercial parties in the past to participate in voting in
the European Song Festival?

~~~
tialaramex
Did you mean the Eurovision Song Contest, or something else?

------
moomin
I still remember when SendGrid got DDoSed after an incident at PyCon* and they
caved. This told me two things: 1) they weren’t prepared to stand up for their
own employees when the chips were down 2) their engineering wasn’t good enough
to cope with a bunch of amateurs attacking them.

* Let’s not derail this into a discussion of whether or not they should have done it in the first place. They didn’t, they only acted after they couldn’t cope with the DDoS.

~~~
Drdrdrq
For those of us who don't know / remember the incident:
https://venturebeat.com/2013/03/21/sendgrid-under-ddos-attack-after-its-developer-evangelist-complains-about-sexual-jokes-at-pycon/

------
darkport
I developed a tool called shhgit.com that watches code commits across GitHub,
Gitlab and Bitbucket in real time. In a ~24 hour period you will find 100s of
valid SendGrid credentials/API keys so this does not surprise me. They really
need to enforce 2FA and IP whitelisting for API key use.
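The kind of commit watching described above, as an added example that is not shhgit's code: a scanner that walks a diff and reports literal SendGrid-style keys on newly added lines, with an entropy check so that documentation placeholders such as `SG.xxx...` are not reported. The key layout matched ("SG.", 22 URL-safe base64 characters, ".", 43 more) is assumed from the patterns public secret scanners publish for SendGrid keys; the sample diff and the key inside it are constructed for this example and are not real credentials.

```python
"""Scan a commit diff for literal SendGrid-style API keys on added lines.

Added example, not shhgit's code. The key shape matched here ("SG.", 22
URL-safe base64 characters, ".", 43 more) is assumed from the patterns public
secret scanners publish for SendGrid keys; the sample diff and the key in it
are constructed for this example and are not real credentials.
"""
import math
import re
from collections import Counter

# Assumed SendGrid key layout (see lead-in). The lookarounds stop a longer
# random blob from matching part-way through.
SENDGRID_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"
)

# Real keys are random; documentation placeholders such as SG.xxxx... are not.
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for one repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(key):
    """Enough of the key to recognise it in a report, not enough to use it."""
    return key[:7] + "..." + key[-4:]


def find_leaked_keys(diff_text):
    """Return [(line_number, redacted_key)] for every added line that carries a
    high-entropy key. Context and removed lines are ignored: only newly added
    lines can introduce a leak into the repository."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for m in SENDGRID_KEY_RE.finditer(line):
            key = m.group(0)
            if shannon_entropy(key) >= MIN_ENTROPY_BITS:
                hits.append((lineno, redact(key)))
    return hits


# Constructed sample: a fake key (not a real credential) and a placeholder.
FAKE_KEY = "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"
PLACEHOLDER = "SG." + "x" * 22 + "." + "x" * 43

SAMPLE_DIFF = f"""\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-SENDGRID_API_KEY = os.environ["SENDGRID_API_KEY"]
+SENDGRID_API_KEY = "{FAKE_KEY}"
+EXAMPLE_KEY = "{PLACEHOLDER}"
+SMTP_PASSWORD = "FooCorp0"
"""

if __name__ == "__main__":
    for lineno, key in find_leaked_keys(SAMPLE_DIFF):
        print(f"line {lineno}: possible SendGrid key {key}")
```

Run against the constructed diff it reports only line 7, the line that introduces the random-looking key; the all-`x` placeholder on line 8 matches the pattern but fails the entropy check, and the removed line is skipped because a key that is being deleted is not a new leak (it was already public and should be revoked regardless).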

------
aspectmin
Sigh. Same happened to me. A few months ago. Sendgrid account hacked, someone
set up a campaign and sent a huge amount of spam mail. Big bill on my credit
card. Contacted Sendgrid, they blamed it on me. I cancelled my account, never
going back. Screw them

~~~
jeffbee
Was it not your fault?

~~~
jlgaddis
Right!? He should have known better than to go out by himself, late at night,
dressed like that! /s

~~~
maerF0x0
Not sure the analogy is fair. There is an onus on users to have some
sensibilities in security such as password quality / non-reuse.

------
pmlnr
That's actually good. Sendgrid & the rest are excluded from the paranoid
gmail, m$, etc spam filters, while small senders suffer from being sent to
spam immediately.

There should be no exceptions.

~~~
tunesmith
I was under the impression that individual servers should be fine as long as
their ip isn't on a recognized blacklist and they use free things like SPF and
DMARC - is that not true?

~~~
bleepblorp
It's not generally true unless you're a Capital-E grade _Enterprise_ customer
running a single server as a side component of a much larger Internet
presence.

Finding connectivity that's not already blacklisted by the GOOG-MSFT email
protection racket and will allow individual servers to send outgoing SMTP is
basically impossible for sub-enterprise scale organizations. The major cloud
services block outbound SMTP for non-Enterprise customers and minor cloud
services will already be blacklisted.

Getting your mail delivered by GOOG-MSFT also means that you need to have
matching forward and reverse DNS, and ideally you should have your own ASN
that has never been associated with any addresses that have ever been accused
of sending spam. This is an impossible hurdle except for large organizations.

The entire email ecosystem is stacked to force smaller players to pay a head
tax either directly to GOOG-MSFT, in the form of using their mail services and
paying extortionate per-user mailbox costs, or by using paid mail relay
services.

------
bytecycle
My university straight up blocks any mail coming from a SendGrid IP because of
the massive amount of phishing.

What would be a huge UX and security improvement is showing which team members
are using 2FA. Just like GitLab shows a little blue label next to the
username.

------
walrus01
Sendgrid and its cohorts have always been a source of spam. The spamassassin
setup on my postfix SMTP gateway ranks all of the bulk email newsletter
sending services with +2.5 points or higher.

This is like a sewage treatment plant complaining someone has come at 3am, cut
the lock off their gate and dumped a tanker truck full of additional sewage.

~~~
techsupporter
> Sendgrid and its cohorts have always been a source of spam.

Sendgrid is the source of a lot of e-mail spam and their parent company Twilio
is the source of a lot of SMS spam. It's really a synergy match made in MBA
heaven.

------
adrianh
What service do people recommend in place of SendGrid?

Personally I need a service to send transactional emails from my company
website with a low chance that they’ll be marked as spam. Tracking is not
necessary (I disabled that in SendGrid).

~~~
xenospn
Amazon SES can work for that.

~~~
nucleardog
And depending how much you need to send, if you’re already in AWS the first
62k messages every month are free.

The only annoying thing is their sandbox and usage limits. You’re supposed to
accept a lower limit, send high quality mail, and then request a higher limit
once they’ve seen that you’re not generating a bunch of abuse reports.

Slowly onboarding senders is good for delivery but makes it difficult to just
do a simple cut-over if you're currently sending more than whatever quota
they'll give you right now. You need to continue sending through your old
service and slowly move your usage over.

------
tialaramex
I am not a Sendgrid customer, however examining their documentation what I
think the "attacks" look like is this:

14 year old Jimmy guesses that Foo Corp has the Sendgrid username "FooCorp"
and the password "FooCorp0" obeying a company requirement to use "At least 8
characters" and "At least one digit". Very secure. Much password.

Jimmy connects to Sendgrid's old API and literally just provides username
"FooCorp" password "FooCorp0" to send as much email as Foo Corp have paid to
be able to send. No other steps needed.

Insisting customers get 2FA would in practice mean:

1. Get all customers to sign up to Authy's phone-based 2FA and use it for
Sendgrid. Accept that this will have a revenue impact, you're essentially
firing customers who either were too lazy to sign up for this or regard this
type of security as a joke.

2. Deprecate older APIs that allow username + password auth

3. Thus force users into APIs that rely on a bearer token they can only get
using 2FA.

And yet after all this work if Jimmy instead gets a copy of your bearer token
(e.g. because some idiot commits it to github) then he can once again send
emails as Foo Corp until somebody disables the stolen bearer token (and then
generates a new one and updates all their running code).

It's a poor show that in 2020 this is their _goal_ , it's not even the thing
they have and need to improve upon, it's just a future goal.
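The bearer-token scheme tialaramex describes (here and in the earlier comment about Sendgrid's API tokens), as an added example that is neither SendGrid's code nor part of the thread: tokens are random blobs issued from the 2FA-protected site, only a hash is kept server side, and a stolen token keeps working until someone de-authorizes it, which is the weakness the comment points at. The scope names, token length and in-memory store are assumptions for this example.

```python
"""Random bearer tokens with scope, revocation and rotation.

Added example of the token scheme described in the thread (a random blob
issued from a 2FA-protected site, usable until someone de-authorizes it); it
is not SendGrid's code. Scope names, the in-memory store and the token length
are assumptions for this example.
"""
import hashlib
import secrets
from datetime import datetime, timezone


class TokenStore:
    """Holds only a SHA-256 of each token: a dump of the store does not let the
    thief send mail, and the plaintext is shown to the customer exactly once."""

    def __init__(self):
        self._records = {}            # sha256(token) -> record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, scopes):
        # 32 random bytes -> 43 URL-safe characters. Unlike a self-chosen
        # password ("FooCorp0"), this cannot be guessed, only stolen.
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "account": account,
            "scopes": frozenset(scopes),
            "prefix": token[:6],      # enough to recognise it in a listing
            "created": datetime.now(timezone.utc),
            "revoked": False,
        }
        return token

    def verify(self, token, needed_scope):
        """Account name if the token is live and carries the scope, else None.
        A leaked token verifies exactly like the legitimate copy."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec["revoked"] or needed_scope not in rec["scopes"]:
            return None
        return rec["account"]

    def revoke(self, token):
        """De-authorize a token; the only remedy once it has hit Pastebin."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec["revoked"]:
            return False
        rec["revoked"] = True
        return True

    def rotate(self, old_token):
        """Replacement with the same account and scopes. The old token stays
        live until revoke() is called, so running code can be updated first."""
        rec = self._records.get(self._digest(old_token))
        if rec is None or rec["revoked"]:
            raise ValueError("unknown or revoked token")
        return self.issue(rec["account"], rec["scopes"])

    def list_active(self, account):
        """What the web UI would show: prefixes of live tokens to de-authorize."""
        return sorted(r["prefix"] for r in self._records.values()
                      if r["account"] == account and not r["revoked"])
```

Scoping is the one improvement over a flat key: a token that can only `mail.send` cannot be used to mint further tokens, so the attacker's access ends with the revocation instead of persisting through keys they created for themselves.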

~~~
cnst
The whole idea behind Sendgrid is a joke.

It's become popular for some providers since the move to the Cloud to block
outgoing port 25, but apart from that, you literally don't need Sendgrid. Any
senior engineer can write a local "Sendgrid" in about half a day. Sendgrid
doesn't even support all the RFCs properly, so, you'll likely get dropped mail
if you move to Sendgrid from Postfix/Sendmail. Besides that, Sendgrid's UI/UX
was terrible the last time I've played with it. It's literally the lamest
startup there could possibly be.

As a customer of some unrelated service, I've already converted said service
away from Sendgrid in just a couple of emails to the owner. (Sadly, they've
moved to one of the many Sendgrid's competitors, not to Postfix/Sendmail, but
the switch was obviously painless.) That's how horrible Sendgrid is, and how
easy it is to make _other_ people switch.

P.S. I often send mail through shell scripts. Try selling me Sendgrid when my
laptop already comes with Postfix/Sendmail, with spool support. Does Sendgrid
even work when you have no internet connection? (Rhetorical question: no,
Sendgrid does not when internet is not available; but Postfix/Sendmail works
just fine even without any internet, and will spool all your mail until you
get connected to an internet with port 25 not blocked.) Sendgrid is a
downgrade however you look at it.

~~~
icedchai
You can set up Sendgrid as a Postfix or Sendmail relay host.

------
te_chris
As a sendgrid customer, this explains why, even after upgrading to dedicated
ips and setting all our auth/security stuff correctly we still have emails
being blocked inexplicably. Top it off with the rubbish customer service - they
didn’t respond to me about getting blocked by outlook on our private IP until
I tweeted them... - and next week looks like my job is to move to postmark.

------
_nickwhite
Sendgrid have a _HUGE_ problem with spammers using their service. I've
probably reported 20 SPAM campaigns using their official channels, but I think
they route such e-mails to /dev/null. Never gotten a response- just more SPAM
through their service. And I can't block their IPs, as a lot of legitimate
sites utilize their services.

------
jlgaddis
The CSO said:

> _"... 2FA for customer accounts is the right thing to do, and we’re working
> towards that end ... This is part of the reason we acquired Authy ..."_

Cool, it sounds like they're making an effort to implement -- and require --
2FA... oh wait, _FIVE YEARS_ have passed since then!

~~~
nodesocket
Twilio supports and soon will require TFA. I personally don't use SendGrid
(use Mailgun), but I have to believe it should be coming soon (if not already
supported).

------
PaulBGD_
Related, 2 months ago my sendgrid account gets hacked and a stolen (I presume)
credit card gets added. They buy a plan, then proceed to send spam/phishing. I
of course contact their support within minutes of receiving an email that $750
was spent on my account. They've now spent $1500 through my account on these
spam emails, yet sendgrid finally dealt with the issue yesterday by deleting
my account.

https://mobile.twitter.com/PaulBGD/status/1295918800337084416

------
jlgaddis
This list is probably incomplete / out-of-date but ...

    149.72.0.0/16
    167.89.0.0/17
    168.245.0.0/17
    192.254.112.0/20
    198.21.0.0/21
    198.37.144.0/20

~~~
jeffbee
Isn't their SPF record authoritative?

ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20
ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ip4:149.72.0.0/16

~~~
jlgaddis
Usually, yeah, but not necessarily (e.g., for those with dedicated IP
addresses).

Even then, it usually will be since most customers will just add the
(customer-specific) "include:nnn.wl.sendgrid.net", or even just
"include:sendgrid.net". But, for whatever reason, I've come across several
that add an "a:" or "ip4:" for their dedicated IPs instead (I assume there's a
good reason for that, but I don't know what it is).

~~~
megous
Probably so that they can also send some mail from their own servers, in
addition to sendgrid's.
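An offline SPF evaluator, added here as an example that is not part of the thread or either provider's code, to make concrete two points raised above: jbverschoor's observation that a message from a provider's shared IP passes SPF for the provider's own domain (and for every customer domain that includes the provider), and jlgaddis's note that some customers pin a dedicated IP with `ip4:` instead of `include:`. The DNS table is constructed: the Mailgun and sendgrid.net records are copied from the comments, the unlabeled third Mailgun record is assumed to be `spf2.mailgun.org`, and the two customer domains are invented. Only the `ip4`, `include` and `all` mechanisms are modelled.

```python
"""Offline SPF evaluation against the records quoted in this thread.

Added example, not code from the thread or from either provider. The DNS
table is constructed: the mailgun.org and sendgrid.net records are copied
from the comments above, the third Mailgun record is assumed to be
spf2.mailgun.org, and the two customer domains are invented. Only the ip4,
include and all mechanisms are modelled, and an include whose target is not
in the table is treated as a non-match rather than the permerror real SPF
would return.
"""
import ipaddress

DNS_TXT = {
    # provider records copied from the thread
    "mailgun.com": "v=spf1 include:spf1.mailgun.org include:spf2.mailgun.org include:_spf.google.com include:aspmx.pardot.com include:mail.zendesk.com include:spf.mailjet.com ~all",
    "spf1.mailgun.org": "v=spf1 ip4:104.130.122.0/23 ip4:146.20.112.0/26 ip4:141.193.32.0/23 ip4:161.38.192.0/20 ~all",
    "spf2.mailgun.org": "v=spf1 ip4:209.61.151.0/24 ip4:166.78.68.0/22 ip4:198.61.254.0/23 ip4:192.237.158.0/23 ip4:23.253.182.0/23 ip4:104.130.96.0/28 ip4:146.20.113.0/24 ip4:146.20.191.0/24 ip4:159.135.224.0/20 ip4:69.72.32.0/20 ~all",
    "sendgrid.net": "v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ip4:149.72.0.0/16 ~all",
    # invented customer domains: one delegates to the provider wholesale,
    # the other pins a single dedicated address instead of using include:
    "shared-customer.example": "v=spf1 include:sendgrid.net -all",
    "dedicated-customer.example": "v=spf1 ip4:198.21.0.7 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """SPF result ('pass', 'fail', 'softfail', 'neutral', 'none', 'permerror')
    for a connecting IP using `domain` in MAIL FROM."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:               # crude stand-in for RFC 7208's lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only when the referenced policy returns pass
            matched = check_host(ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False      # a, mx, ptr, exists, ip6 not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"             # record exhausted without a match


def domains_passing_for(ip):
    """Every domain in the table that a sender at `ip` can pass SPF for."""
    return sorted(d for d in DNS_TXT if check_host(ip, d) == "pass")


if __name__ == "__main__":
    for ip in ("198.61.254.24", "167.89.10.10", "198.21.0.7"):
        print(ip, "passes SPF for", domains_passing_for(ip))
```

The result for 198.61.254.24 against mailgun.com is `pass`, which is the whole problem: SPF only says the IP is allowed to send for the domain, and on a shared pool every tenant shares that IP. Pinning a dedicated address with `ip4:198.21.0.7` narrows the customer's own record to one host, but as `domains_passing_for` shows, that host still passes for every domain that includes `sendgrid.net`, and SPF alignment under DMARC is what stops a passing SPF result from vouching for an unrelated header From.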

------
jlgaddis
> _... over the past few months there has been a marked increase in malicious,
> phishous and outright spammy email being blasted out via Sendgrid’s
> servers._

Fortunately, I hadn't noticed the recent increases.

After it became apparent that they didn't bother looking into -- or even
reading -- abuse reports, we blacklisted basically their entire IP ranges a
long time ago and then added exceptions when they were requested.

I certainly did notice the marked _decrease_ in spam then, though.

------
tobltobs
This article sounds like sendgrid is the victim. But in reality this has been
going on for months. My account was hacked three months ago and abused by
spammers. There was no way to stop it in the UI and the support didn't react
for days. In the end I had to pay ~1k$.

I guess Twilio will close down sendgrid soon anyway and this is a way to
monetize the last few months.

Stay away from Sendgrid and Twilio, they are incompetent and/or aholes.

------
urda
E-mail is a hard problem to solve, and I'm honestly really glad I do not have
to manage it day-to-day myself.

~~~
pmlnr
Enough with this "hard to solve" nonsense; email has been around since the
70s.

Google, Yahoo!, and Microsoft are f*king it up, that's all.

------
social_quotient
Maybe Twilio will use that run up (bubble) in stock price to allocate to some
tech debt like this.

169% YTD 33.8% last 3 months

I’ve always looked at SendGrid as a premium provider for transactional mail.
Any recommendations for something better but similarly priced?

~~~
cortesoft
Unless a company is selling new stock, an increase in stock price doesn't give
them any extra money to spend. It just means their shareholders are worth
more.

------
rootsudo
Yep, this happened to our ORG a while back, and Sendgrid took no
responsibility. Wish I could go into details, but... they're finally
implementing 2FA and revamping how they deal with identities.

------
PakG1
I run IT for my organization and I am seeing a lot of phishing emails from
Sendgrid. I haven't counted or done data analysis for proportion, but it's
enough volume for me to really notice it.

------
crizzlenizzle
This has been ongoing for months already. Nobody at Sendgrid cared. We had
several issues with them leading to penalize mails from their IP space.

I’m actively discouraging my customers from using their service.

------
redm
Our customers are also getting our emails flagged as malware. Great way to
onboard a service and verify your email, with a Google Malware alert. :/

Its Google's world and Twilio is living in it. :|

------
afrcnc
how I hate this kind of reporting

3 people complain on reddit and it's now "[COMPANY X] under siege"

~~~
krebsonsecurity
Spend a few minutes looking at the spam list threads linked in the article.
This is not just a few people complaining. E.g.:

https://www.mail-archive.com/search?l=mailop%40mailop.org&q=sendgrid

There was a ton of material I did not include in the story, including a story
from a company that had a client have 40 million phishing emails sent through
their Sendgrid account, which it turns out was set up by an employee long ago
who was no longer with the company and had not turned on 2FA (and probably was
re-using passwords).

I started reporting this story almost a month ago after receiving more than 3
emails from different IT experts who were really frustrated with the amount of
malware and phishing coming from Sendgrid accounts. They were frustrated
because they couldn't block Sendgrid outright because too many companies they
were expecting regular emails from used the platform.

The day before I published the story, I heard from someone else who was getting
phishing attacks spoofing Aruba Networks.

------
cnst
The whole idea behind Sendgrid is a joke.

It's become popular for some providers since the move to the Cloud to block
outgoing port 25, but apart from that, you literally don't need Sendgrid. Any
senior engineer can write a local "Sendgrid" in about half a day, if not less.
Sendgrid doesn't even support all the RFCs properly, so, you'll likely get
dropped mail if you move to Sendgrid from Postfix/Sendmail. Besides that,
Sendgrid's UI/UX was terrible the last time I've played with it. It's
literally the lamest startup there could possibly be.

As a customer of some unrelated service, I've already converted said service
away from Sendgrid in just a couple of emails to the owner. (Sadly, they've
moved to one of the many Sendgrid's competitors, not to Postfix/Sendmail, but
the switch was obviously painless, and actually improved reliability.) That's
how horrible Sendgrid is, and how easy it is to make _other_ people switch.

P.S. I often send mail through shell scripts. Try selling me Sendgrid when my
laptop already comes with Postfix/Sendmail, with spool support. Does Sendgrid
even work when you have no internet connection? (That was a rhetorical
question; the answer is, No, Sendgrid does not work when internet is not
available; but Postfix/Sendmail works just fine even without any internet at
all, and Postfix/Sendmail will spool all your mail until you get connected to
an internet with port 25 not blocked.) Sendgrid is a downgrade however you
look at it. When they move to MFA, it'll probably be easier to just switch to
one of their plentiful competitors than deal with any new restrictions; that's
why Sendgrid will probably be very careful around any new requirements;
because their service is 100% disposable.

~~~
cortesoft
You seem to not understand the sendgrid service at all. They aren't selling
SMTP service, they are selling deliverability (along with tracking and
metrics)

You seem to not understand the actual problem at all if you think you will be
able to successfully deliver email sent directly from a local sendmail client
on any random IP that lets you connect over port 25. No major email provider
will accept your email coming from a residential IP.

~~~
cnst
If that's what they're selling, they're not very good at it. Sendgrid doesn't
support all applicable RFCs, and they don't support spool, so, they have
exactly 0% deliverability if the recipient host is down for any reason, or
uses greylisting.

I've never had any issues with mail from my WiFi IP accepted. You'd normally
send it just to your own server from your local laptop w/o any extra
configuration, so, it's up to you how you configure your own server. I just
tried sending to Gmail directly from Postfix on my MacBook, without any extra
configuration, and it's been accepted by Gmail as well. Zero configuration on
the laptop. Postfix and the mail CLI clients come preinstalled, and the mail
just works.

