SaaS systems are spammer targets
There are probably hundreds of thousands of really awesome SaaS products out there. They provide a framework to do all sorts of stuff that used to be really hard to do. Almost all of them include some email component. They dutifully build the email piece into their platform and, because they’re smart, they outsource the actual sending to one of SMTP providers. They’re happy, their customers are happy, and spammers are happy.
SaaS providers focus on their core competencies, which is their platform. Their focus is building a product that meets the needs of their customers. They’re not an email service provider, so they think, and they don’t really pay much attention to email. They send mail by handing it off to their provider and assume all will be well with delivery because their customers are small businesses and are not sending lots of mail and aren’t spammers.
The problem is, spammers have recognized these SaaS companies are a way to access high powered sending infrastructure that have banned them from sending directly. Many of these bad guys take advantage of freemium models and simply send low volumes of email through multiple accounts. Because they’re hiding in the middle of real customers, they can often go undetected for months or years.
Eventually, though, someone notices and the SaaS provider experiences a blocklisting or other delivery problem. At that point, there’s a scramble to figure out why delivery is horrible or they’re listed on Spamhaus or their provider is sending them compliance notices. Often responding to these problems can take months and require some business processes to be rethought from the ground up.
There’s no easy fix for this problem. But just as SaaS providers need to think about application and data security, they also need to think about email security. How can they detect and prevent spammers from abusing their system and hurting them and their customers.