Ask HN: How do you manage registration spam?
23 points by kulor 78 days ago | hide | past | favorite | 25 comments
I've been running digital marketing on a few projects and all seem to suffer from many "spam" signups.

I can only assume the main intent is to find exploits with email and billing systems but there's a long list of other nefarious activity that could be at play.

I've set up a custom tool to monitor and prevent suspicious signups (looking at email deliverability, light identity checks and some AI with tuned prompts). Captchas don't seem to cut it as abusers don't seem to be bots.

Is this a problem other people are facing and if so how do you manage it, if at all?




The problem might be with your service. Do you force users to sign up before you share any details with them?

I routinely provide fake info when a website that I think MIGHT be something I am interested in, but refuses to give me enough info to know for sure, until I give them a bunch of personal info. NO THANKS!

Sometimes I tell them my name is Bob. I live at 123 Main St. My email is bob@nowhere.com. If that works to get me in the door, then I can look around to see if I want to become a real customer.


You are way too nice. Sometimes I sign up with fuck@off.com, address is 666 nunya business street, anonymousville, united states of handsoffmydata. If I can get their CEOs details or whatever, I sign up with that. Same for newsletter popups.

If they force an email verification, 9/10 times I just leave. For the 1/10 times I'll give a pseudonymous email, and if the service then proves to be useful I /might/ give more info. Usually if I'm actually buying something.


I'm glad I'm not the only one doing this


Automatically delete new accounts that have not verified their email within 24h.

Automatically delete verified accounts that have not made a purchase in the first month.

Automatically delete accounts that have not generated a "lead" in the first year.

Replace "lead" with whatever makes sense for your system.

Also maybe put Cloudflare WAF on your signup flow and set it to a high security level.


If you make it too difficult to sign up ... no one will. If you make it too easy, you get a lot of useless signups. Don't make people sign up to get basic info. Recently noticed a customer site had the 'sign-in-with-google' popup. Accidentally mis-clicked the close button, 1 minute later: "Thanks for signing up". And of course, no way to delete my account.


Here's a uBlock filter to defeat 'sign-in-with-google' auto-popups

||accounts.google.com/gsi/*$xhr,script,3p


Does this visually block the text+images from showing up, or does it block the network request altogether?


That filter blocks the request outright. A cosmetic filter would have a CSS selector in it after a couple of # signs, and would apply to the site containing the popup.


Some of this can be fixed with architecture, some with tech practices.

In no specific order:

- Create a concept of an "enrollment" that is different from an "account." It allows record-keeping for the steps leading up to a malicious account being created.

- Require mobile phone validation, if possible, if you're a consumer-facing company. This makes it much more difficult to create fake accounts without a phone farm.

- Get a good WAF and put your `/enrollments` endpoint behind it. Serve the `/enrollments` endpoint exclusively from the CDN associated with your WAF. Having that page served behind the WAF/CDN allows you to block traffic with rules if you can identify patterns in the malicious behavior.

- Separate the writes into the enrollments data store/database from any reads and from your main production database. Make the enrollment-to-account conversion process async, with a rate-limited architectural queue that can be paused if necessary.
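The enrollment-vs-account split and the pausable, rate-limited conversion queue from the comment above, as an added example that is not from the thread or any commenter. It is a self-contained in-memory sketch: the `EnrollmentStore`, `ConversionWorker`, token-bucket parameters and the fake clock are all assumptions for illustration; a real deployment would put the enrollment records in their own database and drive the worker from a job queue.

```python
"""Enrollment-before-account pattern with a pausable, rate-limited converter.

Added example, not from the thread. Everything here is in-memory and the
names are illustrative assumptions.
"""
import time
import uuid
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Enrollment:
    """One signup attempt, kept apart from accounts so every step (submitted,
    verified, rejected, converted) is recorded even if no account results."""
    email: str
    ip: str
    id: str = field(default_factory=lambda: uuid.uuid4().hex)
    state: str = "submitted"
    events: list = field(default_factory=list)


class EnrollmentStore:
    """Write-side store for enrollments; never touches the accounts table."""

    def __init__(self):
        self.by_id = {}
        self.pending = deque()  # verified enrollment ids awaiting conversion (FIFO)

    def submit(self, email, ip):
        e = Enrollment(email=email, ip=ip)
        e.events.append(("submitted", ip))
        self.by_id[e.id] = e
        return e

    def mark_verified(self, enrollment_id):
        e = self.by_id[enrollment_id]
        e.state = "verified"
        e.events.append(("verified", None))
        self.pending.append(e.id)

    def reject(self, enrollment_id, reason):
        """Record why an enrollment was refused (WAF rule, bad domain, ...)."""
        e = self.by_id[enrollment_id]
        e.state = "rejected"
        e.events.append(("rejected", reason))


class ConversionWorker:
    """Drains verified enrollments into accounts at a bounded rate.

    Token bucket: `rate` conversions per second, burst of at most `capacity`.
    Setting `paused` stops conversion without losing anything queued.
    """

    def __init__(self, store, rate, capacity, clock=time.monotonic):
        self.store = store
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.clock = clock
        self.tokens = self.capacity
        self.last = clock()
        self.paused = False
        self.accounts = {}  # account_id -> email (stand-in for the accounts table)

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def run_once(self):
        """Convert as many queued enrollments as tokens allow; return the count."""
        if self.paused:
            return 0
        self._refill()
        converted = 0
        while self.store.pending and self.tokens >= 1:
            e = self.store.by_id[self.store.pending.popleft()]
            self.tokens -= 1
            account_id = uuid.uuid4().hex
            self.accounts[account_id] = e.email
            e.state = "converted"
            e.events.append(("converted", account_id))
            converted += 1
        return converted


class _FakeClock:
    """Controllable clock so the rate limiting can be demonstrated deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Five verified enrollments, burst of 2, 1 conversion/s, with a pause in between.
    Returns (first run, paused run, run after unpausing, run 1s later, still pending, accounts)."""
    store, clock = EnrollmentStore(), _FakeClock()
    worker = ConversionWorker(store, rate=1.0, capacity=2, clock=clock)
    for i in range(5):  # constructed sample signups
        e = store.submit(f"user{i}@example.org", "198.51.100.7")
        store.mark_verified(e.id)
    first = worker.run_once()            # burst: 2 converted, 3 still pending
    worker.paused = True
    clock.t += 10
    second = worker.run_once()           # paused: nothing happens, queue intact
    worker.paused = False
    third = worker.run_once()            # bucket refilled to capacity: 2 more
    clock.t += 1
    fourth = worker.run_once()           # one token accrued: last one converted
    return first, second, third, fourth, len(store.pending), len(worker.accounts)


if __name__ == "__main__":
    print(demo())
```

The point of the pause flag is operational: when a signup wave looks malicious, stopping the worker freezes account creation while the enrollment records (and their event trail) keep accumulating for review, and nothing queued is lost when it is resumed.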


My take on it is that if someone is genuinely interested in signing up for a service then they'll verify their email as part of the signup process. I enforce verification at signup. This eliminates 100% of spam. It becomes a policy decision and not a technical one.


I run a forum, so there is a higher chance of spam attempts.

We confirm emails before creating an account. Visitors fill out a form with their email address and receive an email containing a URL with a hash of their salted email, which is the actual registration form.

Emails will not be sent to temporary email addresses, which we check using the DeBounce API. We also don't send emails if the IP address is a proxy, which is checked against another API. We also check the StopForumSpam API.

The request and registration forms are protected with Cloudflare Turnstile.

We also block registrations from a list of countries that are not a focus of our content.

I used to have Google reCaptcha v3, which returns a score. Scores above a specific value were rejected. I stopped using Google's service when they unveiled plans to charge with a low threshold for the free tier.

If you want to use the forum, you will register. If not, good.
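The verify-before-account flow described in the two comments above (verification enforced at signup, and a registration link carrying a hash of the salted email), as an added example that is not from the thread or any commenter. It assumes a server-side secret and uses an HMAC over the email plus an issue timestamp in place of a plain salted hash, so the link also expires; the URL, parameter names and secret are constructed for illustration.

```python
"""Registration-link token: emailed URL that proves ownership of the address.

Added example, not from the thread. SERVER_SECRET, the base URL and the query
parameter names are assumptions; in production the secret comes from config.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_SECRET = b"constructed-demo-secret-use-random-bytes-in-production"  # assumption
LINK_TTL_SECONDS = 24 * 3600  # matches a "verify within 24h" policy


def _mac(secret, email, issued):
    """Keyed hash binding the (normalised) email to the issue time."""
    msg = f"{email.strip().lower()}\x00{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def _encode(tag):
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def make_registration_link(email, secret=SERVER_SECRET, now=None,
                           base="https://forum.example/register"):
    """Build the URL to email; the form at `base` only renders if the link verifies."""
    issued = int(time.time() if now is None else now)
    tag = _encode(_mac(secret, email, issued))
    return f"{base}?{urlencode({'e': email, 't': issued, 'm': tag})}"


def verify_registration_link(url, secret=SERVER_SECRET, now=None, ttl=LINK_TTL_SECONDS):
    """Return the verified email, or None if the link is malformed, expired or forged."""
    q = parse_qs(urlparse(url).query)
    try:
        email, issued, tag = q["e"][0], int(q["t"][0]), q["m"][0]
    except (KeyError, IndexError, ValueError):
        return None
    now = time.time() if now is None else now
    if not (issued <= now <= issued + ttl):  # expired or issued "in the future"
        return None
    expected = _encode(_mac(secret, email, issued))
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return None
    return email


if __name__ == "__main__":
    link = make_registration_link("alice@example.org")
    print(link)
    print(verify_registration_link(link))
```

Because the link is self-authenticating, nothing has to be stored before the address is proven; the server still needs to check at form submission that the email is not already registered, so a verified link cannot be replayed into a second account within its lifetime.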


I have the same issue. It only happens on one site of mine but I get like 2-4 new accounts with gibberish as username and first and last name. Just random shit.

I don't know how to outright ban this. I do require verification of email but they never verify. They all use different IPs so they are doing proxy rotation. It was 10-20 a day, now it's down to 2-4 a day.


I don't suppose it's a problem that can be fully solved; just an ongoing arms race. The hardest part is not deterring genuine users at such a decisive consideration stage.


That's why I don't want to add a captcha.


Just accept it if they don't verify it anyway.

Make sure to have good KPIs not using the pure number of accounts. I think it's absolutely valid to have it like that.

If you really don't want to use a captcha, why not write something very basic specific to your page?

Those are probably spam bots filling out a basic form.


If you are OK with running a Google service, how about Recaptcha V3? No captcha to fill in, just validate the score it generates on the backend.


Is that the same one that sometimes asks you to click on motorcycles and zebra stripes in a loop and you never come out? (This happens often, especially if you're on a somewhat uncommon IP address, like an IPv6 /48 with just a few customers on it.)


That’s V2. V3 is always invisible and only returns a score. It’s not unusual to redirect low scorers to a v2 challenge, but afaict you have to set that up by hand.


Yep, we get tons of what looks like coded messages. "I want to know your price" in various languages, SEO spam and such. I send it to myself as email and I had to replace anything that resembles a URL, otherwise my emails would get marked as spam.


I use a mix of honeypot fields, Cloudflare turnstile and straight up blocking certain domains from signing up.


I get a ton of spam, but honestly I don't think about it at all. Not worth your time.


Yeah, I have a contact form and I get many dozens of absolutely spammy requests each day, many of them looking legit, but obviously auto-generated to catch my attention because they appear to be coming from genuine clients at first glance. Kept wondering why someone (apparently many people or entities!) is doing this. What is the upside? What are they trying to achieve? Let's say I bite and waste my time replying to it, then what?


It's about mass, and 99% of the time it leads to some scam. I don't think that's a lot of people, but someone writes software for this type of thing and others buy it, and then they all do the same thing.

Sometimes just an impression (visit of your page) can get you money.


Use Cloudflare's Turnstile captcha. It's leagues ahead of Google's or hCaptcha. Users never have to click on stupid images, and it works great. You're not going to be able to stop people manually signing up but depending on how they're doing it, you might curb some of it.

These guys have loads of email addresses and can just use a VPN to switch to a new IP in seconds. Often accompanied with a completely fresh browser session that you're going to have a hard or impossible time correlating with past attempts.

Parse the domain portion of the email address and check that against a blacklist of throwaway and fishy email domains. Manually blacklist domains as needed. You can find blacklists hosted on GitHub. Use the Public Suffix List to parse the domain to make sure you don't accidentally ban an entire obscure TLD. Parse down the email domain to remove any subdomain when checking against the blacklist.

If you're really serious, you can use an API provided by SendGrid to check for suspicious email addresses. You can also look into MaxMind minFraud.

Ban IP addresses. Not every spammer is highly sophisticated and sometimes a single, fixed IP will be responsible for many spam attempts spanning months at a time.

Devise a way to fingerprint browsers. This can be as simple as a random hash set to some innocuous cookie name. Ban offenders by those too. It's not always going to work but a lot of spammers aren't terribly sophisticated and you'll be able to catch them even if they're IP hopping.
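The email-domain blocklist check from the comment above (and the "blocking certain domains" mentioned a few comments earlier), as an added example that is not from the thread or any commenter: the domain is reduced to its registrable part using Public Suffix List semantics before the lookup, so `bob@sub.throwaway.example` matches a block on `throwaway.example`, while a block on one `.co.uk` site does not turn into a block on every `.co.uk` address. The handful of PSL rules and the blocklist entries are a constructed subset; the matching code implements the published PSL algorithm (wildcard and `!` exception rules included) but a real deployment would load the full list, for example via the `tldextract` package.

```python
"""Registrable-domain extraction (PSL rules) plus an email-domain blocklist.

Added example, not from the thread. PSL_RULES and BLOCKLIST are constructed
samples for illustration; load the real Public Suffix List in production.
"""

# Constructed subset of Public Suffix List rules: plain suffixes, a wildcard
# rule ("*.ck": every label directly under .ck is itself a public suffix) and
# an exception rule ("!www.ck": except www.ck, which is a registrable domain).
PSL_RULES = ["com", "org", "net", "uk", "co.uk", "github.io", "*.ck", "!www.ck"]

# Constructed blocklist of registrable domains (throwaway providers, abusers).
BLOCKLIST = {"mailinator.com", "tempmail.example", "example.co.uk"}


def _rule_matches(rule_labels, host_labels):
    """PSL matching: compare label by label from the right; '*' matches any label."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules=PSL_RULES):
    """Return the public suffix of `host` under `rules` (PSL algorithm)."""
    host_labels = host.lower().strip(".").split(".")
    best_len, exception = -1, None
    for rule in rules:
        is_exception = rule.startswith("!")
        labels = rule.lstrip("!").split(".")
        if not _rule_matches(labels, host_labels):
            continue
        if is_exception:
            exception = labels          # an exception rule always prevails
        elif len(labels) > best_len:
            best_len = len(labels)      # otherwise the rule with most labels wins
    if exception is not None:
        suffix_len = len(exception) - 1  # exception: drop its leftmost label
    elif best_len > 0:
        suffix_len = best_len
    else:
        suffix_len = 1                   # no rule matched: default rule "*"
    return ".".join(host_labels[-suffix_len:])


def registrable_domain(host, rules=PSL_RULES):
    """Public suffix plus one label, or None if `host` is itself a public suffix."""
    labels = host.lower().strip(".").split(".")
    suffix_len = len(public_suffix(host, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def email_domain(address):
    """Domain part of an address, lower-cased and without a trailing dot; None if malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local.strip() or not domain or domain.startswith("."):
        return None
    return domain


def is_blocked(address, blocklist=BLOCKLIST, rules=PSL_RULES):
    """True if the address should be refused at signup."""
    domain = email_domain(address)
    if domain is None:
        return True                      # malformed: refuse rather than guess
    registrable = registrable_domain(domain, rules)
    if registrable is None:
        return True                      # bare public suffix such as "x@co.uk"
    return registrable in blocklist


if __name__ == "__main__":
    for addr in ["bob@sub.mailinator.com", "alice@good.co.uk", "eve@example.co.uk", "x@co.uk"]:
        print(addr, "->", registrable_domain(email_domain(addr)), "blocked" if is_blocked(addr) else "ok")
```

Without the suffix list, "strip to the last two labels" would reduce every `.co.uk` address to `co.uk`, which is exactly the accidental-TLD ban the comment warns about; with it, the blocklist entry `example.co.uk` blocks only that site.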


> Use Cloudflare's Turnstile captcha.

Is that the one that sends you into an endless loop while on a 3g connection?



