by TheCycoONE 1076 days ago
Do you know if they verify the sender for ARF (abuse) emails, which should be coming from the recipient's hosting provider, e.g. Yahoo? If not, this could potentially be used for targeted denial of service by submitting fake spam reports on behalf of other recipients to add them to the suppression list.
2 comments

If you look at the headers of email originating from mailgun, you will notice several headers they've added that include unique identifiers that identify the sending account and recipient.

ESPs receive FBLs/ARF from email providers through various delivery methods: "webhooks", ARF via SMTP, etc.

So to pull off an attack, someone would need to generate matching identifiers and know where to deliver the ARF with the forged data.
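An added, defender-side example of the check the comment above describes (not Mailgun's code; the header names, the HMAC scheme and the sample report are assumptions constructed for this demo): the ESP stamps each outbound message with a keyed tag over (account, recipient), and an incoming ARF report only reaches the suppression list if the embedded original message carries a tag that recomputes for the recipient the report names.

```python
import email
import hashlib
import hmac
from email import policy

# Hypothetical ESP-side secret and header names (demo assumptions, not Mailgun's).
ESP_SECRET = b"constructed-demo-secret"
ACCOUNT_HEADER = "X-Esp-Account"
TAG_HEADER = "X-Esp-Tag"

def message_tag(account_id: str, recipient: str) -> str:
    """Identifier stamped on outbound mail: HMAC over (account, recipient),
    so a report author without the key cannot fabricate one."""
    data = f"{account_id}|{recipient.lower()}".encode()
    return hmac.new(ESP_SECRET, data, hashlib.sha256).hexdigest()[:32]

def verify_arf_report(raw_report: str):
    """Parse an ARF (RFC 5965) report; return (accepted, account, recipient).
    Only accepted complaints should touch the suppression list."""
    report = email.message_from_string(raw_report, policy=policy.default)
    if report.get_content_type() != "multipart/report":
        return (False, None, None)
    feedback = original = None
    for part in report.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            feedback = part.get_payload(0)   # Feedback-Type, Original-Rcpt-To, ...
        elif ctype == "message/rfc822":
            original = part.get_payload(0)   # the message being complained about
    if feedback is None or original is None:
        return (False, None, None)
    recipient = feedback.get("Original-Rcpt-To", "")
    account = original.get(ACCOUNT_HEADER, "")
    tag = original.get(TAG_HEADER, "")
    # Constant-time compare: a tag copied from someone else's message does not
    # recompute for the reported recipient, so the victim is not suppressed.
    if not (account and recipient and hmac.compare_digest(tag, message_tag(account, recipient))):
        return (False, account or None, recipient or None)
    return (True, account, recipient)

def build_report(account: str, recipient: str, tag: str) -> str:
    """Constructed sample ARF report (not a captured one)."""
    return (
        "From: feedback@mailbox-provider.example\r\nTo: fbl@esp.example\r\n"
        "Subject: FW: spam\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/report; report-type=feedback-report; boundary="b1"\r\n'
        "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nThis is an abuse report.\r\n"
        "--b1\r\nContent-Type: message/feedback-report\r\n\r\n"
        f"Feedback-Type: abuse\r\nUser-Agent: demo/1.0\r\nVersion: 1\r\nOriginal-Rcpt-To: {recipient}\r\n\r\n"
        "--b1\r\nContent-Type: message/rfc822\r\n\r\n"
        f"From: news@customer.example\r\nTo: {recipient}\r\n{ACCOUNT_HEADER}: {account}\r\n"
        f"{TAG_HEADER}: {tag}\r\nSubject: Newsletter\r\n\r\nHello\r\n--b1--\r\n"
    )
```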

I'm afraid I haven't checked this - are you a Mailgun user and want to report back on this? Alternatively, hopefully Mailgun themselves will spot this and can respond directly.