from Hacker News

Ask HN: How do you manage registration spam?

by kulor on 9/13/24, 8:52 AM with 25 comments

I've been running digital marketing on a few projects and all seem to suffer from many "spam" signups.

I can only assume the main intent is to find exploits with email and billing systems but there's a long list of other nefarious activity that could be at play.

I've set up a custom tool to monitor and prevent suspicious signups (looking at email deliverability, light identity checks and some AI with tuned prompts). Captchas don't seem to cut it as abusers don't seem to be bots.

Is this a problem other people are facing and if so how do you manage it, if at all?

  • by didgetmaster on 9/15/24, 12:44 PM

    The problem might be with your service. Do you force users to sign up before you share any details with them?

    I routinely provide fake info when a website that I think MIGHT be something I am interested in, but refuses to give me enough info to know for sure, until I give them a bunch of personal info. NO THANKS!

    Sometimes I tell them my name is Bob. I live at 123 Main St. My email is bob@nowhere.com. If that works to get me in the door, then I can look around to see if I want to become a real customer.

  • by sdwolfz on 9/13/24, 1:22 PM

    Automatically delete new accounts that have not verified their email within 24h.

    Automatically delete verified accounts that have not made a purchase in the first month.

    Automatically delete accounts that have not generated a "lead" in the first year.

    Replace "lead" with whatever makes sense for your system.

    Also maybe put Cloudflare WAF on your signup flow and set it to a high security level.

  • by abernard1 on 9/17/24, 2:05 PM

    Some of this can be fixed with architecture, some with tech practices.

    In no specific order:

    - Create a concept of an "enrollment" that is different than an "account." It allows record-keeping for the steps leading up to a malicious account created.

    - Require mobile phone validation if possible if you're a consumer-facing company. This makes it much more difficult to create fake accounts without a phone farm.

    - Get a good WAF and put your `/enrollments` endpoint behind it. Serve the `/enrollments` endpoint exclusively from the CDN associated with your WAF. Having that page served behind the WAF/CDN allows you to block traffic with rules if you can identify patterns to the malicious behavior

    - Separate the writes into the enrollments data store/database from any reads and your main production database. Make conversion of an enrollment to account process async, with a rate-limited architectural queue that can be paused if necessary

  • by elemcontrib on 9/15/24, 5:39 PM

    My take on it is that if someone is genuinely interested in signing up for a service then they'll verify their email as part of the signup process. I enforce verification at signup. This eliminates 100% spam. It becomes a policy decision and not a technical one.

  • by freitasm on 9/17/24, 7:46 PM

    I run a forum, so there is a higher chance of spam attempts.

    We confirm emails before creating an account. Visitors fill out a form with their email address and receive an email containing a URL with a hash of their salted email, which is the actual registration form.

    Emails will not be sent to temporary email addresses, which we check using the DeBounce API. We also don't send emails if the IP address is a proxy, which is checked against another API. We also check the StopForumSpam API.

    The request and registration forms are protected with Cloudflare Turnstile.

    We also block registrations from a list of countries that are not a focus of our content.

    I used to have Google reCaptcha v3, which returns a score. Scores above a specific value were rejected. I stopped using Google's service when they unveiled plans to charge with a low threshold for the free tier.

    If you want to use the forum, you will register. If not, good.

  • by cranberryturkey on 9/13/24, 8:56 AM

    I have the same issue. it only happens on one site of mine but I get like 2-4 new accounts with gibberish as username and first and last name. Just random shit.

    I don't know how to outright ban this. I do require verification of email but they never verify. They all use different IPs so they are doing proxy rotation. It was 10-20 a day now its down to 2-4 a day.

  • by yread on 9/17/24, 12:48 PM

    Yep, we get tons of what looks like coded messages. "I want to know your price" in various languages, SEO spam and such. I send it to myself as email and I had to replace anything that resembles a URL otherwise my emails would get marked as spam

  • by rozenmd on 9/17/24, 2:11 PM

    I use a mix of honeypot fields, Cloudflare turnstile and straight up blocking certain domains from signing up.

  • by ezekg on 9/14/24, 3:48 PM

    I get a ton of spam, but honestly I don't think about it at all. Not worth your time.

  • by anovikov on 9/17/24, 12:29 PM

    Yeah i have a contact form and i have many dozens of absolutely spammy requests each day, many of them looking legit, but obvious auto-generated to catch my attention because they appear to be coming from genuine clients at first glance. Kept wonder why is someone (apparently many people or entities!) are doing this. What is the upside? What are they trying to achieve, let's say i bite and waste my time replying to it, then what?

  • by decremental on 9/17/24, 12:25 PM

    Use Cloudflare's Turnstile captcha. It's leagues ahead of Google's or hCaptcha. Users never have to click on stupid images, and it works great. You're not going to be able to stop people manually signing up but depending on how they're doing it, you might curb some of it.

    These guys have loads of email addresses and can just use a VPN to switch to a new IP in seconds. Often accompanied with a completely fresh browser session that you're going to have a hard or impossible time correlating with past attempts.

    Parse the domain portion of the email address and check that against a blacklist of throwaway and fishy email domains. Manually blacklist domains as needed. You can find blacklists hosted on GitHub. Use the Public Suffix List to parse the domain to make sure you don't accidentally ban an entire obscure TLD. Parse down the email domain to remove any subdomain when checking against the blacklist.

    If you're really serious, you can use an API provided by SendGrid to check for suspicious email addresses. You can also look into MaxMind minFraud.

    Ban IP addresses. Not every spammer is highly sophisticated and sometimes a single, fixed IP will be responsible for many spam attempts spanning months at a time.

    Devise a way to fingerprint browers. This can be as simple as a random hash set to some innocuous cookie name. Ban offenders by those too. It's not always going to work but a lot of spammers aren't terribly sophisticated and you'll be able to catch them even if they're IP hopping.