One particular user has mass spammed our support email address 2 times in the last 2 weeks. For the first one, I contacted FS support and after a few days, they realized the user was blocked and had to manually unblock them on the backend.
I thought the issue was on our side until it happened again and realized it is some type of loop or issue on the FreshService email side. 4 days have passed, and support is lacking on helping. The user is a VIP and needs to open up tickets via email for their processes but is blocked. To explain further, the user opened 3 tickets last week, no issues. The 4th one was opened via the support email address which forwards to the FS email. In 8 minutes, 142+ emails flooded the support address along with all the users who were CCed. As soon as FS blocked the requester, all emails to everyone stopped. After troubleshooting with the user, the first time it happened, it was sent with Outlook via a Macbook. The second time, an iPhone via the Outlook app. No cloud or admin rules are setup.
Has anyone experienced this?
Page 1 / 1
Hi @alyssia.correa.
Can you take a look into this?
Regards,
Elvis
Hi Bobby.
Not on my side. I’ve just pinned someone from FS Community.
I’d suggest to request Escalation on your case. You could also contact your CSM.
Hope you get to a prompt resolution on your issue.
Regards,
Hi Bobby.
Not on my side. I’ve just pinned someone from FS Community.
I’d suggest to request Escalation on your case. You could also contact your CSM.
Hope you get to a prompt resolution on your issue.
Regards,
Thanks, appreciate it. I’ve requested escalation multiple times. Support is acting like it’s fixed by unblocking the requester but obviously it’s going to happen again.
The issue is on Freshworks’ email server but it doesn’t seem like support knows how to troubleshoot that as they keep looking in our admin settings. Very frustrating and I’m beginning to think we need to move to another product based on my last few technical support issues.
I’ll reach out to my CSM, thanks.
Hi.
Reading again your case, it’s actually pretty odd.
The bad is that such email service, if I understand correctly, is not from Freshworks itself, so I understand why they are not being able to initially troubleshoot it.
Please don’t get me wrong; I’m not apologizing on their behalf; I’m just throwing some ideas trying to analyze the case. They should be able to Escale it internally in order to address it, but it’s actually pretty odd.
I work on my side (among other stuff) with Email Servers and Email Deliverability and, as you mentioned, it seems some kind of loop. There must be something triggering that.
Just to double check: You mentioned Outlook Mac App and Outlook iOS client (Apple’s always been a nightmare with email clients, but that’s what VIP uses, we gotta deal with that); so, are you using Microsoft 365 as your Email Platform?
If so, is your Outgoing mail sending directly to Internet and not using any third party tool in the middle (Corporate Signature solution, Outgoing AntiSpam, etc.)? I guess you did these checks (Connectors, rules), as well as your Mail flow logs; just double checking all the steps in the process. Is your SPF properly setup? Did you enable DKIM signing for your outgoing emails?
Just thinking “FW” mail server didn’t accept the email, then retries could be made from the Sender side. I’ve noticed several times that, for some odd reason, iOS Outlook App uses different Outgoing email servers or setup.
Again, just trying to brainstorm a little.
Best,
Thanks @eeha0120 -
The email is from Freshworks server though. I’ll try to explain more below
End User Sends email to suppor@OurDomain --- Fwded to Freshworks email proxy --- Opens a ticket and emails Requester that a ticket has been opened… also emails any other email address CCed on the actual email.
This has been setup this way for 3 years, no issues. The end user used multiple devices, so that rules that out. I thought maybe they had cloud Outlook rules that were setup to fwd emails, that is not the case. I checked to see if they were apart of any shared inboxes of distribution groups involved, they are not.
What convinced me that it was on the Freshworks email side - As soon as they blocked the end user, ALL duplicate emails stopped. If it was on our side, the duplicate emails would continue to the other users but they stop the moment Freshworks blocks the user. Email logs on Freshworks side will likely reveal the cause and maybe there is something on our side that we need to adjust but I am powerless without those logs. Only support can help and we are going on 3 weeks with no resolution.
This is the ticket activities export. The Freshworks (FW) email system sent the reply to all on the email 164 times within 30 minutes or so. As soon as FW blocked the requester, all emails out stopped. The end user has never sent duplicate emails to any other user, ever. Only these two incidents while dealing with FW. 95% of our end users open tickets the same exact way as this end user.
To add one more thing that I recently noticed.. My assumption is that FW emails back to the CCed users with the email of the sender. How does this work? Is it spoofed or proxied in some way? It’s always worked so I do not know what would have changed. Anyways, I grabbed a screenshot from a person CCed and it didn’t display the email correctly and had the below messages on the email:
“We could not verify the identity of the sender” and “The actual sender of this message is different than the normal sender”
My guess is that the answer is there somewhere but I have no way of fixing it without further information from those logs on FW’s side.
Hi.
Thanks for sharing these additional details on your case.
I was asking about your domain SPF records and DKIM enabled just for that, because of the spoofing possibly been sent, which you have just confirmed.
We could analyze one of the emails the CC’ed are receiving in order to understand a little bit more or even trying to help FW to diagnose, if you wish. DM if you are willing to.
But now I’m a little even more intrigued about this, as you see in ticket activities the replies being sent.
If it were something on FW outsourced email service, you wouldn’t notice the updates on ticket activities, so, this is something happening in a higher level than email. Email, I guess and think, is only processing what it is requested to do. Something on the FD side itself is “replying” and hence the emails are being sent. But I completely follow without further information.
Yes, definitely logs would help a lot.
Once again, thanks for sharing. Hope you get the proper help on this odd case. If I can be of further help, DM!
Regards,
Thanks for your help @eeha0120.
Yes, DKIM SPF and DMARC are all setup. I’ll update this thread if I ever receive a resolution from FD.
Hi @BobbyBMore - this may seem rudimentary but ….
The only time I’ve seen a similar ticket storm is when a Help Desk email (e.g. support@customer) emails our support@fsvc and we create a ticket and our acknowledgement email goes out and their HD creates a ticket and sends an acknowledgment email which creates a new ticket on FS and then we reply and round and round we go.
Usually, I handle that through Supervisor Rules to check the inbound email and if it’s from support@customer then do not send acknowledgment email.
I have turned off the automated New Ticket auto in Email Notification bc of the risk of ticket storms - we have a lot of MSP customers with their own HD portal.
→ Yes, FS uses an authorized “spoof” of our domain names so that emails go out from FS looking like our support@ourdomain email acct sent them even though they definitely were sent by FS.
My other thought was to double check Email Settings and Mailboxes to confirm that the email account that receives the inbound email and then forwards to FS is set up correctly and that the forward is not duplicated or has some other rule that is creating the spam situation.