Description
Spammers are abusing the internal emailing system to send messages containing malicious external links. This exposes users to phishing attempts and risks TutorCruncher’s email reputation.
Although the LLM spam check provides visibility into who is sending spam, this solution would add a preventative layer of security by blocking such emails from being sent in the first place. It will proactively prevent messages with non-TutorCruncher links, adding defense in depth.
This change would prevent spam from leaving the system, discourage spammers since their attempts would fail, and protect users from phishing attempts. It also complements the existing LLM spam checks, which provide visibility into spammers, by adding a proactive prevention layer that stops abuse before it reaches users.
Impact
Without this measure, users could be tricked into clicking harmful links, TutorCruncher’s email system risks being undermined by spam, and there is an increased chance that mail providers will flag legitimate TutorCruncher emails as spam.
Proposed Solution
When writing/sending an email, the system should filter out any links that are not TutorCruncher-owned (for example, tutorcruncher.com). If a non-TutorCruncher link is detected, the email should not be sent and the sender should see an error message making it clear that only TutorCruncher links are permitted.
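One way the host check in the proposed solution could be written, as an added example that is not TutorCruncher's code. The function names, the error class and the single-entry allowlist are assumptions; the point is that the decision is made on the parsed hostname, not on a substring of the link.

```python
import re
from urllib.parse import urlsplit

# Assumption: the allowlist holds only the example domain named in the issue.
ALLOWED_DOMAINS = {"tutorcruncher.com"}

# Absolute http(s) URLs, scheme-relative URLs (//host/...) and bare "www." links.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>]+|\bwww\.[^\s"'<>]+""", re.IGNORECASE)


class ExternalLinkError(ValueError):
    """Hypothetical error shown to the sender when a link is rejected."""


def host_is_allowed(host):
    # Exact match or a true subdomain; a plain suffix test would accept
    # look-alike hosts such as "eviltutorcruncher.com".
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def find_disallowed_links(body):
    """Return every link in body whose host is not on the allowlist."""
    bad = []
    for match in URL_RE.finditer(body):
        raw = match.group(0).rstrip(".,;:!?)")
        url = raw if raw.lower().startswith(("http://", "https://", "//")) else "//" + raw
        try:
            # .hostname drops userinfo and port, so "allowed.com@other.host" resolves to other.host.
            host = urlsplit(url).hostname or ""
        except ValueError:
            host = ""
        # Browsers read "\" as "/" in http(s) URLs while urlsplit does not, so reject it outright.
        if "\\" in raw or not host_is_allowed(host):
            bad.append(raw)
    return bad


def validate_email_body(body):
    """Raise ExternalLinkError instead of sending when a foreign link is present."""
    bad = find_disallowed_links(body)
    if bad:
        raise ExternalLinkError("Only TutorCruncher links are permitted. Remove: " + ", ".join(bad))


if __name__ == "__main__":
    # Constructed sample bodies, not real messages.
    print(find_disallowed_links("Log in at https://secure.tutorcruncher.com/login"))
    print(find_disallowed_links('<a href="https://tutorcruncher.com.evil.example/">Invoice</a>'))
```

The pattern does not match bare domains written without a scheme or `www.` prefix, nor non-HTTP schemes, so a production filter would need to decide how to treat those.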