What is our philosophy for anti-abuse

Authors
Jonni Lundy
Zeno Rocha

Assume positive intent

Most of our competitors require users to fill out a long form before they can send a single email. After submitting the form, you wait a couple of days to hear whether your account was approved.

This communicates that they don't trust users: you first have to prove you're legitimate before you can experience the value of the product.

At Resend, we default to trust. We have a simple onboarding flow where users can start sending emails immediately, and add domains without waiting days for approval. We then monitor for any suspicious activity and take action only when necessary.

Questions to ask ourselves:

  • Is this product friction going to affect all users or only abusers?
  • Is this the right place to impose friction?
  • How expensive is it for an abuser to overcome this friction? For example, getting a new IP address is easy and cheap with a VPN service, so friction keyed on IPs is bypassed quickly. Getting a new domain costs money and time, so friction keyed on domains holds up much better.

Accept the reality that abuse will always happen

Stripe will always have to deal with fraudulent payments. X/Twitter will always have to deal with fake accounts. That's the nature of their business.

The same is true for Resend - the email industry has been a target for phishing and spam since its earliest days, and it will continue to be.

We'll never have the luxury of investing 100% of our engineering and operations time in combating abusers, so we need to be strategic about how we approach this problem.

When brainstorming solutions to prevent abuse, keep the Pareto principle in mind: a small number of abuse patterns usually account for most of the damage, so those are the ones to address first.

Questions to ask ourselves:

  • How big is this vulnerability, in terms of the abuse it actually enables?
  • Is this solution going to prevent 10 phishing emails or 10k phishing emails?
  • What is the low-hanging fruit that will make the biggest impact?

Understand that abusers will get more sophisticated

As we get more popular, more abusers will pay attention to Resend.

As our product grows, there will be more surface area for them to exploit.

Abusers will get more sophisticated over time, so it's important that we evolve our controls, tooling, and visibility at the same pace.

That's why it's crucial to produce weekly reports and visualize trends over time. Some anti-abuse projects will require company-wide effort, so giving the entire team visibility is very important.

Questions to ask ourselves:

  • What new patterns are abusers using?
  • Which TLDs are being used more often than before?
  • Which geolocations are most abusers coming from?
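One way to answer the last two questions with data, as an added example that is not Resend's tooling: the script below parses a constructed log of sends the abuse pipeline already flagged, buckets events by ISO week, and ranks TLDs and sender countries by week-over-week growth so that new patterns surface at the top of the weekly report. The log line format, the field names (acct, domain, country, reason) and the sample events are assumptions made for the illustration.

```python
"""Week-over-week abuse trend report built from flagged-send events.

Added illustration, not Resend's internal tooling. The log line format, the
field names (acct, domain, country, reason) and the sample events are all
constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one line per send that the abuse pipeline already flagged.
SAMPLE_LOG = """\
2024-05-06T09:12:00Z acct=a1 domain=promo-deals.xyz country=NL reason=phishing
2024-05-07T14:30:00Z acct=a2 domain=secure-login.top country=RU reason=phishing
2024-05-09T08:05:00Z acct=a3 domain=newsletter.com country=US reason=spam
2024-05-13T10:00:00Z acct=a4 domain=wallet-verify.xyz country=NL reason=phishing
2024-05-14T11:45:00Z acct=a5 domain=account-alert.xyz country=NG reason=phishing
2024-05-15T16:20:00Z acct=a6 domain=reset-pass.top country=RU reason=phishing
2024-05-16T07:55:00Z acct=a7 domain=cheap-meds.top country=NG reason=spam
2024-05-17T12:10:00Z acct=a8 domain=gift.xyz country=NG reason=phishing
"""


def tld_of(domain: str) -> str:
    """Last DNS label of the sending domain.

    Caveat: this is the plain TLD, not the registrable suffix. Domains under
    multi-label public suffixes (e.g. example.co.uk) would need the Public
    Suffix List to be grouped correctly.
    """
    return domain.rsplit(".", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse '<ISO timestamp> key=value key=value ...' into a dict."""
    ts_text, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts_text.replace("Z", "+00:00"))}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    event["tld"] = tld_of(event["domain"])
    return event


def iso_week(ts: datetime) -> tuple:
    """(ISO year, ISO week), so buckets line up with a weekly reporting cadence."""
    year, week, _ = ts.isocalendar()
    return (year, week)


def weekly_counts(lines, field: str) -> dict:
    """Map each ISO week to a Counter of `field` values (e.g. 'tld' or 'country')."""
    counts = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        counts[iso_week(event["ts"])][event[field]] += 1
    return counts


def week_over_week(counts: dict) -> list:
    """Compare the two most recent weeks present in `counts`.

    Returns rows (value, previous, current, delta) sorted so the fastest-growing
    values, the new patterns worth a closer look, come first.
    """
    weeks = sorted(counts)
    if len(weeks) < 2:
        return []
    prev, curr = counts[weeks[-2]], counts[weeks[-1]]
    rows = [(name, prev[name], curr[name], curr[name] - prev[name])
            for name in set(prev) | set(curr)]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


def report(log_text: str) -> dict:
    """Trend tables for the two questions above: TLDs and sender geolocation."""
    lines = log_text.splitlines()
    return {
        "tld": week_over_week(weekly_counts(lines, "tld")),
        "country": week_over_week(weekly_counts(lines, "country")),
    }


if __name__ == "__main__":
    for field, rows in report(SAMPLE_LOG).items():
        print(f"== {field} (value, last week, this week, delta) ==")
        for row in rows:
            print("  ", row)
```

Sorting by delta rather than by raw count is the point: a TLD that went from one flagged send to three is a more useful signal for "what is new this week" than one that has been steady at fifty. In production the input would be the abuse pipeline's own event stream and the TLD grouping should use the Public Suffix List.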

Don't lock people out of their accounts

The only thing worse than blocking a legitimate user is also locking them out of their account. It's fine to block specific features and slow down sending, but automatically removing access to the account itself should be a last resort: a wrongly flagged user who can still sign in can see what happened and reach out, while a locked-out one can't.

Questions to ask ourselves:

  • What are the alerts we can send to users when their account is marked as risky?
  • What are the features that should be blocked?
  • What error messages should users see when they interact with blocked features?
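An added example (not Resend's code) of what "block features and slow down sending, but don't lock people out" can look like in enforcement logic: each risk level maps to a set of paused features and an hourly sending limit, sign-in and the dashboard are always allowed, and every refusal carries a message that says what is paused and why. The level names, limits, action names and message texts are assumptions made for the illustration.

```python
"""Graduated enforcement for a risky account: restrict and throttle, never lock out.

Added illustration, not Resend's code. The risk levels, action names, limits and
messages below are assumptions made for the example.
"""
import time
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class RiskLevel(Enum):
    TRUSTED = 0
    WATCH = 1        # monitored more closely, no user-visible change
    RESTRICTED = 2   # sending throttled, no new domains or API keys
    SUSPENDED = 3    # sending paused entirely; dashboard and logs stay accessible


# Actions that are always allowed, whatever the risk level: the user must be able
# to see what happened to their account and why.
ALWAYS_ALLOWED = {"login", "view_dashboard", "view_logs", "contact_support"}

BLOCKED_ACTIONS = {
    RiskLevel.TRUSTED: set(),
    RiskLevel.WATCH: set(),
    RiskLevel.RESTRICTED: {"add_domain", "create_api_key"},
    RiskLevel.SUSPENDED: {"add_domain", "create_api_key", "send_email"},
}

SENDS_PER_HOUR = {
    RiskLevel.TRUSTED: 10_000,
    RiskLevel.WATCH: 10_000,
    RiskLevel.RESTRICTED: 100,
    RiskLevel.SUSPENDED: 0,
}

# User-facing messages: say what is paused and what to do, never "account disabled".
BLOCKED_MESSAGE = {
    "add_domain": "Adding domains is paused while we review recent activity. Existing domains keep working.",
    "create_api_key": "Creating new API keys is paused during review. Existing keys keep working.",
    "send_email": "Sending is paused while we review recent activity. Reply to the review email to resolve this.",
}
THROTTLED_MESSAGE = "Sending is temporarily rate limited while your account is under review."


@dataclass
class Account:
    account_id: str
    risk: RiskLevel = RiskLevel.TRUSTED
    send_times: deque = field(default_factory=deque)  # timestamps of recent sends, oldest first


@dataclass
class Decision:
    allowed: bool
    message: str = ""  # shown to the user when allowed is False


def mark_risky(acct: Account, level: RiskLevel, reason: str) -> str:
    """Change the risk level and return the alert text to send the account owner."""
    acct.risk = level
    if level in (RiskLevel.TRUSTED, RiskLevel.WATCH):
        return ""  # nothing user-visible changes, so no alert
    paused = ", ".join(sorted(BLOCKED_ACTIONS[level]))
    return (f"Your account {acct.account_id} has been placed under review ({reason}). "
            f"Paused features: {paused}. Sending limit: {SENDS_PER_HOUR[level]}/hour. "
            f"You can still sign in and view your logs.")


def check_action(acct: Account, action: str, now: Optional[float] = None) -> Decision:
    """Decide whether `action` is allowed for the account at its current risk level."""
    now = time.time() if now is None else now
    if action in ALWAYS_ALLOWED:
        return Decision(True)
    if action in BLOCKED_ACTIONS[acct.risk]:
        return Decision(False, BLOCKED_MESSAGE.get(action, "This feature is paused during review."))
    if action == "send_email":
        # Sliding one-hour window: drop timestamps older than the window, then compare.
        window_start = now - 3600
        while acct.send_times and acct.send_times[0] < window_start:
            acct.send_times.popleft()
        if len(acct.send_times) >= SENDS_PER_HOUR[acct.risk]:
            return Decision(False, THROTTLED_MESSAGE)
        acct.send_times.append(now)
    return Decision(True)


if __name__ == "__main__":
    acct = Account("acct_demo")
    print(mark_risky(acct, RiskLevel.RESTRICTED, "bounce rate spike"))
    print(check_action(acct, "add_domain"))
    print(check_action(acct, "login"))
```

Two design choices carry the section's point: there is no risk level at which sign-in or log viewing is refused, and even at the top level the refusal message names the paused feature and the path to resolution rather than presenting the account as gone.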

Blocking abuse is actually protecting safe senders

It's easy to lose sight of the purpose of anti-abuse. Why spend so much time and resources on something that doesn't drive revenue? Similar to the police or any security detail, most of the attention goes to bad actors, but the only reason the role exists is that there is something worth protecting. The goal is to create a safe space where senders don't have to look over their shoulder for risk or danger.

Questions to ask ourselves:

  • Is this an abuser or just a sender that needs help?
  • Are we seeing attacks and getting numb to their risk to good senders?
  • How can we reuse anti-abuse mechanisms to also help good senders improve deliverability?