Mailgun permanently disabled account due to spam signups

I’m sharing this here partly to warn other Mailgun users and partly to bring it to the Ghost team’s attention.

Our blog was lightly hit by the recent spam signups issue, which we removed as they came in and blocked as soon as the update allowed it. We could see in Mailgun that these spam signups sent out 315 emails in those few days, which wasn’t a lot, but I naively reached out to Mailgun support to explain the issue and see how this would affect our sending reputation.

Their response was to immediately suspend our sending domain, then our account, and when I protested, they responded with this:

The only human response I got during the exchange was someone insisting that I answer a set of questions I had already answered. Everything else appeared to be automated, and according to their own terms, they don’t have to provide any explanation. We have no recourse.

We’re now locked out of sending newsletters via Ghost, which was the main reason we moved to Ghost years ago. Obviously, we’ll look into alternatives others have discussed here on the forums, but it doesn’t look promising.

1 Like

Hello,

That’s sad and annoying, but also a little weird. I don’t want to speak on behalf of Mailgun, but there must be something suspicious in this story for Mailgun to react that strongly, I think.

Did Mailgun block your domain? Did you try to open a new account?

I would think so as well, but what’s especially strange is that those spam signups had begun several days before I contacted support, and they only took action after I reached out. So our account was not flagged automatically for suspicious activity, which indicates intentional action.

The first thing they did was disable our domain. I didn’t see any purpose in opening a new account, as I assume they’d disable it immediately.

Unfortunately, from what I’m seeing, what happened to us isn’t even unusual for them: Mailgun Reviews | Read Customer Service Reviews of mailgun.com

1 Like

To add a little more context, this was their first reply:

After reviewing the ticket, it has been determined that we will need to engage another group of colleagues. We are transferring the ticket to them, and they will be responding as soon as possible.

It was only after this second group took over that we started getting the increasing notices of restriction.

Well, you’re right about that first reply. They sent it to some dumbass and then it was killed. Thank you for the warning. I’ll know never to contact those morons.

1 Like

Update: No further response from Mailgun, either via the original support ticket or from emailing directly. I switched our transactional emails to our own SMTP, but newsletter sending is dead.

I recognize the huge task it would be to support other bulk sending options, and I understand John’s reasoning on that. Unfortunately, for an increasing number of us, the issue with Mailgun is not that we don’t like them or their pricing, but that we’re being blocked (or for others, severely limited) from using their service and can’t go elsewhere. It’s a shame to have so much independence with Ghost and then be held hostage by someone else.

I hate the idea of going back to an external newsletter service after years with Ghost, but that seems to be the only way forward. Other advice welcome!

1 Like

Hi everyone, I contacted Mailgun support about an unusually high bill, and was surprised to discover that my Mailgun account had been misused.

I don’t understand how this is possible, and I don’t know what to do now. They’ve restricted my account, but I don’t think it’s blocked. Should I continue with support? Should I take action on my self-hosted instance?

I’m a bit lost, please help me.

This sounds a lot like how our support experience began, except that our numbers were too low to incur a charge. I would recommend against continuing with support, considering what happened to us, but I really don’t know. Their response doesn’t seem consistent, since our account had such a small amount of spam sends (315) compared to others here who had no repercussions.

1 Like

Thank you for your answers.

But can you explain how it’s possible for my mailgun account to have sent so many transactional emails following subscriptions without seeing any new subscribers on my blog?

Have a look at this thread @bastien:

There has been a widespread spam attack on many different Ghost sites. I guess your site was affected and bots signed up loads of people, but they never clicked the magic link. This would result in loads of transactional emails, but no new members.

1 Like
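Added example (not from the thread, Ghost or Mailgun): a small Python detector that scans Mailgun-style event records for the symptom described above, a burst of sign-in emails to addresses that never belong to real members, so a site owner can spot a spam-signup wave early instead of learning about it from the bill. The event field names and subject text are assumed approximations of Mailgun’s event format and Ghost’s sign-in email, the thresholds are arbitrary, and the records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events: 40 bot sign-ups 20 seconds apart, then one real
# reader who signs in and later receives a newsletter.
SAMPLE_EVENTS = [
    {"event": "accepted", "timestamp": 1700000000 + i * 20,
     "recipient": f"bot{i}@example.net",
     "message": {"headers": {"subject": "Sign in to Example Blog"}}}
    for i in range(40)
] + [
    {"event": "accepted", "timestamp": 1700000000 + 5000,
     "recipient": "reader@example.org",
     "message": {"headers": {"subject": "Sign in to Example Blog"}}},
    {"event": "accepted", "timestamp": 1700000000 + 5100,
     "recipient": "reader@example.org",
     "message": {"headers": {"subject": "Weekly newsletter"}}},
]


def is_magic_link(event):
    """Heuristic: Ghost's member sign-in / magic-link email (assumed subject)."""
    subject = event.get("message", {}).get("headers", {}).get("subject", "")
    return "sign in" in subject.lower()


def detect_bursts(events, window_s=3600, threshold=25):
    """Group accepted magic-link sends into fixed windows and flag windows whose
    count exceeds the threshold. Returns (window_start, count, top_domain,
    top_domain_count) so the dominant recipient domain can be reviewed."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("event") != "accepted" or not is_magic_link(ev):
            continue
        start = ev["timestamp"] - ev["timestamp"] % window_s
        buckets[start].append(ev["recipient"].rsplit("@", 1)[-1].lower())
    alerts = []
    for start, domains in sorted(buckets.items()):
        if len(domains) > threshold:
            top, n = Counter(domains).most_common(1)[0]
            alerts.append((start, len(domains), top, n))
    return alerts


if __name__ == "__main__":
    for start, count, domain, n in detect_bursts(SAMPLE_EVENTS):
        print(f"window {start}: {count} sign-in emails, {n} to @{domain}")
```

Running this against real data would mean pulling recent events from the Mailgun account (or Ghost’s own member-signup records) on a schedule; a hit is a cue to pause member signups or enable a sending cap before the provider acts.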

My Mailgun account was also just disabled for the same reason.

I’m on my last idea now, opening a new ticket with them, but it’s starting out exactly the same as the first time around: they’re transferring me to “another group of colleagues.”

If anyone is able to get through, would love advice. Until then, I guess we’re all just locked out of sending newsletters.

Final update: my second ticket got the exact same automated response, that they were permanently disabling my [already permanently disabled] account. Then they blocked my email address from replying:

To enhance the security of your account, Mailgun no longer accepts support tickets via this email address.

Never once did I get a human response. I wouldn’t recommend anyone else bother contacting Mailgun support, as no one’s home.

Anyway, I hope the Ghost team is seeing this. There’s nothing we can do on our end.

Wow. Ghost needs to integrate with other options, otherwise we’d be totally screwed if the robotic mailgun blocks your account.

2 Likes

Perhaps they could integrate Plunk or Postal, which are indeed self-hostable. But that would also mean one more service to manage. I can still imagine using cloud versions of mass email distribution services. So in the end, wouldn’t we end up with the same problem with the other distributors?

1 Like

The Ghost team always said that the integration of other email providers would be a community effort and that it would need to follow the adapter pattern, instead of adding another hard-coded provider. The idea with this pattern is that the community can then write adapters for any provider.

There is a very promising PR on Github from @andreascreten for this, but it hasn’t received any “official” feedback from the Ghost team so far:

5 Likes

Postmark is more expensive than Mailgun and not open source, while Postal and Plunk are both cheaper and expensive. But maybe technically not ready to be integrated with Ghost?

1 Like

Final update:

After resetting all the passwords and API keys on my account, I was able to use it again.

Mailgun sent me these recommendations after reactivating my account, what do you think?

Hello Bastien,

Thank you for working through the compromised account remediation process with us.

After reviewing the account in detail and confirming the required steps to secure your account have taken place, we have removed the disablement, and now the account is fully enabled. In the future please be cautious if you receive any emails purporting to be from Mailgun as phishing attacks oftentimes target email service providers. Also, please be sure to never post API or SMTP credentials on public repositories.

Moving forward, there are a few account settings and limits that we recommend configuring in order to better protect your account:

  • Setting The Account’s Custom Message Limit [1]
    The custom message limit allows you to set a maximum amount of messages that can be sent through your account by disabling the account after a defined threshold is met.
  • IP Allow List [2]
    When utilizing the IP allowlist, only the IP addresses you have specified will be able to use your API key to connect to the Mailgun API.
  • Public Validations Limit [3]
    By using our V3 public email validations endpoint in combination with this setting, you can limit the number of validations that can be performed by the public API key.

Please let us know if you have any additional questions.

Hence, the adapter pattern.

1 Like

Oh OK, sorry, I just got it.