
Anti-abuse and account security at Proton


Proton Mail has automated anti-abuse systems to protect against the main types of abuse that pose significant risks to the Proton community. These systems may sometimes suspend accounts for safety reasons. Below, we discuss why accounts get suspended and how suspended accounts can be restored. Proton Mail’s anti-abuse team works 24/7, and you can always reach a real person if you have an issue with your account. 

Types of abuse and security threats

As an encrypted email service, we face three main types of abuse that pose significant risks to our users:

Bulk email registrations

  • How it works: Attackers sign up for many Proton Mail addresses that they then use to sign up for other services, such as social media or e-commerce websites. Attackers then violate the terms and conditions of these other services or act abusively.
  • How it affects Proton services: Services that aren’t sophisticated at combating abuse may start blocking all accounts registered with Proton Mail, and then good users cannot use these services.

Account takeovers

  • How it works: Attackers log in to many good users’ accounts by fooling them with phishing attacks, cracking weak passwords, or using passwords that were leaked from a breached service in the hope that the user reused the same password on multiple accounts.
  • How it affects Proton services: Attackers can see the user’s encrypted data, use their data to impersonate them, take over other services linked to their email, or use their account to send spam.

Spam

  • How it works: Attackers send spam from many Proton Mail addresses to recipients on other email services.
  • How it affects Proton services: Recipients mark these emails as spam, causing Proton Mail IP and domain reputations to fall and get blocklisted, leading to email delivery issues for good users.

Since Proton Mail launched in 2014, we’ve provided free and easy-to-use secure email to anyone who wants more privacy online. Our focus on privacy means that Proton Mail has to do things differently. Zero-access encryption prevents us from accessing user inboxes, and our focus on privacy means we don’t require a phone number to create an account (unlike most other email services). For this reason, we need to be more sophisticated in detecting abuse and securing Proton Mail accounts in a privacy-preserving way. To date, these systems have protected millions of members of the Proton community from the above risks.

Blocking bulk signups

Because of the risk posed by bulk email registration, Proton Mail’s terms and conditions can’t permit anyone to create large numbers of free email addresses (paid users have options for this, which we discuss below).

With over a million monthly signups, preventing bulk signups is too complex for human analysts to manage effectively. It requires automated systems that use machine learning models to cluster accounts controlled by the same actor. 

When a cluster of free accounts grows too large, the system sends an email alert to some of the accounts, warning them that this is against our Terms of Service. If this warning is ignored and the bulk account creation continues, the system will suspend all accounts in the cluster. 
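The warn-then-suspend escalation described above, modelled as an added example (not Proton’s code). The clustering model itself is out of scope; the thresholds, the choice of which accounts get the warning email, and the grace window after it are constructed assumptions, since the post gives no numbers:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed thresholds for illustration; the post gives no real numbers.
WARN_AT = 5          # cluster size at which the Terms of Service warning goes out
GRACE_ACCOUNTS = 3   # further signups tolerated after the warning before suspension

@dataclass
class Cluster:
    """Free accounts that the clustering model attributes to one actor."""
    actor_id: str
    accounts: List[str] = field(default_factory=list)
    warned_accounts: List[str] = field(default_factory=list)
    size_when_warned: Optional[int] = None
    suspended: bool = False

def on_signup(cluster: Cluster, account: str) -> str:
    """Record a new free account in its cluster and return the action taken.

    'allow'   - nothing happens yet
    'warn'    - warning email sent to some accounts in the cluster
    'suspend' - every account in the cluster is disabled
    """
    if cluster.suspended:
        return "suspend"  # cluster already disabled; new members are blocked too
    cluster.accounts.append(account)
    n = len(cluster.accounts)
    if cluster.size_when_warned is None:
        if n < WARN_AT:
            return "allow"
        # First time the cluster is too large: warn, do not suspend yet.
        cluster.size_when_warned = n
        cluster.warned_accounts = cluster.accounts[::2]  # "some of the accounts"
        return "warn"
    if n - cluster.size_when_warned <= GRACE_ACCOUNTS:
        return "allow"  # the warning may not have been read yet
    cluster.suspended = True  # warning ignored, bulk creation continued
    return "suspend"

def simulate(actor_id: str, signups: List[str]):
    """Replay a sequence of signups attributed to one actor."""
    cluster = Cluster(actor_id)
    actions = [on_signup(cluster, a) for a in signups]
    return actions, cluster

if __name__ == "__main__":
    acts, c = simulate("actor-1", [f"user{i}" for i in range(1, 11)])
    print(acts, c.suspended)
```

The grace window is what keeps a single burst of legitimate signups from being suspended before the warning has had a chance to be read; an appeal then restores accounts the analysts confirm as legitimate.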

As with any prediction system, there’s a tradeoff between false positives (blocking the accounts of good users) and false negatives (letting abusers create accounts). We try to minimize both, but inevitably, even though it’s rare, our system sometimes disables or blocks good users. We regret when this happens, but automated systems are required to prevent abuse that would otherwise impact good Proton Mail users.

If you’ve been impacted by our anti-abuse system and weren’t using Proton Mail for abusive purposes, please submit a report at https://proton.me/support/appeal-abuse

Our team of analysts is available to review reports 24/7. They will quickly investigate the situation and help restore your account. 

If you want to avoid such issues and support Proton in providing high-quality free services, consider upgrading to a paid account. Paid accounts can add custom domains and create multiple email addresses, including on premium Proton domains such as @pm.me. 

With multiple addresses, you can use a different one for each external service (for example, one for a social media site and another for a crypto exchange) to keep your identities separate and private. You can also disable any address that has started receiving unwanted email or spam. If you need secure email for your organization, we also have business encrypted email plans with multiple accounts, automated SMTP sending, and dedicated customer support.

If you’re the operator of an internet service and have seen abuse, such as bulk registrations or spam coming from Proton, please let us know at https://proton.me/support/report-abuse or email us at abuse@proton.me. Our team will carefully review each report, take appropriate action against abusers, and improve our systems to prevent future abuse.

Preventing account takeovers

Another reason our automated anti-abuse systems disable accounts is to protect users from having their accounts taken over. If we think an attacker has breached your account, or that it is in imminent danger of being breached, we may proactively suspend your account to prevent the attacker from getting in, at least until we can get in touch with you.

To date, Proton Mail hasn’t had any data breaches or data leaks, and we don’t ever have access to your password thanks to our use of zero-access encryption and end-to-end encryption. Still, an attacker may obtain the password of an account. This could happen if you fall for a phishing attack or reuse a password from another service that was hacked.

To prevent account takeovers, we block accounts at risk of such attacks, which could lead to your account being disabled. If this happens to you, we might ask you to use your recovery method to change your password or get in touch with our Support team to secure your account. 

To help you monitor your account security, we built mobile push notifications to alert you of each successful login. We may require a captcha or force a verification from any saved recovery methods for suspicious logins that we’re not confident enough to block. This is for your safety. Cumulatively, these defenses have reduced compromised accounts by over 80% in the last two years.
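The tiered response to a login described above (allow with a push notification, captcha, verification via a saved recovery method, or a proactive block), as an added example that is not Proton’s code. The risk signals, point weights and cut-offs are constructed assumptions; the only behaviour taken from the post is the ordering of the responses and the fact that a successful login notifies the owner:

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple
class Action(Enum):
    ALLOW = "allow"      # accept; the owner gets a push notification of the login
    CAPTCHA = "captcha"  # mildly suspicious, not confident enough to block
    VERIFY = "verify"    # confirm through a saved recovery method before access
    BLOCK = "block"      # confident takeover attempt: suspend until we reach the owner
    REJECT = "reject"    # wrong password

@dataclass
class AccountState:
    known_devices: Set[str] = field(default_factory=set)
    password_leaked: bool = False   # password seen in a third-party breach dump
    recent_failures: int = 0
    suspended: bool = False

# Constructed point weights and cut-offs; the post does not publish Proton's.
CAPTCHA_AT, VERIFY_AT, BLOCK_AT = 3, 5, 8
SUSPENDED_MSG = "account suspended: use your recovery method or contact support"
def risk(state: AccountState, device_id: str) -> int:
    """0 = looks like the owner, 10 = almost certainly an attacker."""
    points = 3 if device_id not in state.known_devices else 0
    if state.password_leaked:
        points += 6
    points += min(state.recent_failures, 3)  # one point per recent failed login
    return min(points, 10)

def handle_login(state: AccountState, device_id: str, password_ok: bool) -> Tuple[Action, List[str]]:
    if state.suspended:
        return Action.BLOCK, [SUSPENDED_MSG]
    if not password_ok:
        state.recent_failures += 1
        return Action.REJECT, []
    points = risk(state, device_id)
    if points >= BLOCK_AT:
        state.suspended = True  # proactive suspension until the owner is reached
        return Action.BLOCK, [SUSPENDED_MSG]
    if points >= VERIFY_AT:
        return Action.VERIFY, ["confirm this login via your saved recovery method"]
    if points >= CAPTCHA_AT:
        return Action.CAPTCHA, []
    state.recent_failures = 0
    return Action.ALLOW, [f"push: successful login from {device_id}"]
def challenge_passed(state: AccountState, device_id: str) -> List[str]:
    """Captcha or recovery verification succeeded: trust the device from now on."""
    state.known_devices.add(device_id)
    state.recent_failures = 0
    return [f"push: successful login from {device_id}"]
```

A leaked password alone already pushes a known device into the verification tier, which is the point at which a password change via the recovery method would be requested.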

Proton is used by some of the world’s most high-profile journalists, leaders, and international organizations that are high-value targets for attackers. We strongly recommend using two-factor authentication, which adds a layer of protection to your account, and setting up a recovery phrase, which can recover data even if you forget your password.

If you are a high-profile public figure, deal with sensitive data, or think you might be a target for cyberattacks, you can take advantage of our Proton Sentinel program. It provides advanced account security, enables you to monitor login attempts more closely, and lets you speak with Proton security analysts.

If you have any issues related to account recovery or security, please contact our specialists by emailing abuse@proton.me.

Reducing spam

Proton Mail also has a sophisticated in-house system that applies similar machine-learning techniques to email, mainly to fight spam and phishing attacks. This system also includes PhishGuard, which automatically adds phishing warnings to emails that are likely spoofed or are part of a phishing attack. The system automatically learns from your feedback (for example, moving an email to spam, marking an email as phishing, or moving an email from spam to inbox) so it can quickly react to new attacks and improve its decisions if you disagree with its classifications. Our anti-spam system protects the Proton community from abuse and security threats and is at least 60% more effective than widely used spam filters such as SpamAssassin.

In addition to classifying incoming emails, this system works with our other anti-abuse systems to block bulk email registrations and outgoing spam from abusive Proton Mail accounts. Due to these systems and the global team that monitors for threats 24/7, Proton Mail has high-reputation IPs and domains that provide great email deliverability for the Proton community. If you have any issues with mail delivery or spam, please email our specialists at postmaster@proton.me.

Looking forward

Abuse is an inevitable part of the internet because wherever there is freedom and opportunity, there will be bad actors trying to take advantage. And if a service has value and is easy to abuse, it will attract more abusers, and the experience and safety of users will suffer until the service has little value. 

That’s why our fight against abuse and bad actors is a critical part of our work to support freedom and privacy on the internet.

We hope these efforts will make the Proton ecosystem the most secure and easy-to-use solution for anyone who wants to interact on the internet.


Dingchao Lu

Dingchao is a Director of engineering at Proton and leads the multidisciplinary Mail, Spam, and Anti-abuse group that builds sophisticated and automated solutions to protect the Proton ecosystem. Dingchao grew up in California and attained engineering degrees from Caltech and USC before joining Proton in 2014 as our first employee.
