Ask HN: How to deal with people leveraging your service for hacking
11 points by kureikain on Nov 6, 2021 | 4 comments
Hi,

I run an email forwarding service and it has come to my attention that my app is being used in account takeover attempts. Basically they registered expired domains and set up email forwards to receive email.

Because my app has features such as bulk importing domains, auto-configuring Cloudflare DNS, and receiving email through an API, it makes it super easy and fast for them to receive emails. This ends up attracting many of them to my services.

I cannot keep deleting accounts. They just keep coming up. They also look like they have all kinds of automation, Selenium or so I think, to spin up and run behind a VPN. I cannot block by IP or country since they all use VPNs. They also use stolen credit cards to pay for my service, which leads to me losing money and causes us a net negative.

I don't know what an effective way to defend against those attackers is. Any idea?




You could give your users a score and the higher it gets, the more features become available. VPN on/off, registered since x days, ... a bit like normal Email reputation. Also speaking about automation, a legit user probably won't mind if all features aren't available right away or additional 2FA steps are needed. That kind of approach is also in part used in perimeter-less/zero trust security.

Also I'm thinking if Selenium is used, checking timing of the requests might be helpful. (In theory it should be possible to triangulate the users with multiple API servers by the way.)
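
An added illustration of the score-gated feature idea in the comment above (not part of the thread and not any commenter's code). The signals are the ones named there (VPN use, account age, 2FA, request timing) and the gated features are the ones the original post lists; every field name, weight and threshold is an assumption.

```python
from dataclasses import dataclass, field
from statistics import pstdev

# Field names, weights and thresholds are assumptions chosen for illustration.
@dataclass
class Account:
    age_days: int
    via_vpn: bool
    has_2fa: bool
    request_gaps_s: list = field(default_factory=list)  # seconds between requests

# Minimum score per feature; the feature list follows the original post.
FEATURE_MIN_SCORE = {
    "single_forward": 0,
    "api_receive": 40,
    "cloudflare_autoconfig": 50,
    "bulk_import": 70,
}

def timing_looks_scripted(gaps, min_samples=5, jitter_floor=0.05):
    """Near-constant gaps between requests suggest a scripted browser."""
    if len(gaps) < min_samples:
        return False  # too little data to judge either way
    return pstdev(gaps) < jitter_floor

def trust_score(acct):
    score = min(acct.age_days, 30) * 2  # up to 60 points for account age
    score += 20 if acct.has_2fa else 0
    score -= 20 if acct.via_vpn else 0
    score -= 30 if timing_looks_scripted(acct.request_gaps_s) else 0
    return max(0, min(100, score))

def allowed_features(acct):
    score = trust_score(acct)
    return sorted(f for f, need in FEATURE_MIN_SCORE.items() if score >= need)

# Constructed sample accounts, not real data.
fresh_bot = Account(0, True, False, [0.50, 0.51, 0.50, 0.50, 0.51, 0.50])
regular = Account(45, True, True, [1.2, 7.9, 0.4, 3.3, 15.0, 2.1])

if __name__ == "__main__":
    for name, acct in (("fresh_bot", fresh_bot), ("regular", regular)):
        print(name, trust_score(acct), allowed_features(acct))
```

A VPN alone does not lock the established account out here; it only delays access to bulk import until other signals outweigh it.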


I own a service that might help you and with your use-case the free tier will probably last you a lifetime :) Check www.adscore.com - I use it for my other projects for detection and prevention of payments with stolen credit cards with very decent results. It will also help you to block automated registrations. Any questions, drop an email to support at adscore.com and I will assist you.


Would blocking (or doing some kind of JavaScript challenge/captcha) to VPN IPs help reduce the automation issue?


JavaScript challenge - if the bot uses a headless browser then it won't help much. Captcha - it costs like $1 per 1000 resolved by paid captcha resolving services. Blocking VPNs - poor man's solution, but might help. The bot operator is likely to switch to a residential proxy service. There are various residential SOCKS proxy services offering routing of requests via hacked computers/home routers.



