Preventing automated sign-ups from bots to your app

In the same vein as the discussion on email verification upon signup (https://www.indiehackers.com/post/do-you-make-users-verify-their-email-if-so-why-31821248ad?commentId=-MB_hytFYH52EAuI1rTr), does anyone have a system in place to prevent a bot from spamming your signup form with garbage and poluting your database with useless users?

It's something that's been a concern to me. I'm sure services like Auth0 prevent this kind of stuff, but i'm wondering if there are easy solutions for those implementing a custom signup/login in their apps?

  1. 3

    For companywell.co, we limit users to work emails only. We are a B2B solution, which is why we can do this, but this drastically cuts down dummy accounts and unqualified prospects.

    The way we look at it is if the user can’t afford a $5/month inbox then they can’t afford our $50/month service. It also allows us to upsell - for example if we see 5 users from the same domain sign up for a free account we will start a conversation with the most senior person on the domain to sign up for an enterprise account. I hope this is helpful!

    1. 1

      Interesting! Do you have a way to validate if the email address is related to a business domain? Perhaps there is an API of some sort to validate the addresses?

      1. 1

        We built our own endpoint for this, but the basic gist is to first validate the email address with something like MillionVerifier (they have an API) and then we use this list to remove the free accounts:


        We also actively add to the list on our backend as we see fit. 😎

        1. 1

          Cool, I wasn’t aware of services like MillionVerifier 👍🏼

  2. 2

    There are two approaches:

    1. Honeypotting - i.e. add an field called 'email' and hide via CSS. Bots most likely will fill that. Also, where you actually expect user to fill their email, avoid calling it 'email'.
    2. Use reCaptcha - the latest one generates a score which you can use to determine, if it was filled by a user. If the score is below a certain threshold, you can send a verification email to user.
  3. 2

    Obvious answer: Use Google's CAPTCHA "I'm not a robot" service. Guessing you'd already thought of that though?

    Lo-fi hack that works: Include an extra field in the sign up, with display:none as the CSS. Call it "email". If the email field is filled in, you know it's a bot and can deal with it appropriately.

    1. 1

      I'm not sure how well the hidden field works if someone writes a custom script for your app's signup form.

      1. 2

        Oh not at all, I assumed this was drive-by sign ups from spam in some way. Google CAPTCHA ftw then

  4. 2

    I have an authentication log that tracks some basic information like IP and elements of the user agent string. I implemented the authentication log primarily to be able to send alerts to users when their account is signed into from a new device/location for user security. However, since this authentication log includes registration events I use that to block multiple registrations from the same IP/device.

    It's by no means a perfect solution, but it's a good enough solution that required very little effort to at least limit casual registration spam.

    1. 1

      Ah perfect, thanks for sharing.

  5. 1

    We have a 15 steps questionnaire before signup, so that works 😅. The main idea is to move signup as deep as you go into your app, by allowing people to get started without an account. This is usually a win in terms of conversion rates, and takes care of the bot problem nicely.
    We also send an email verification code.

    1. 1

      Lol, yes that will definitely help prevent signup abuse.

  6. 1

    Aside from adding a CAPTCHA to your signup page you can use something like this to reject signups from throw away email addresses (assuming you validate emails for your signups).

    But also, don't spend time solving problems you don't have yet. Build something spammers want to flood with bot accounts first, then solve the spam problem.

    1. 1

      Completely agree on the point about building something great before worrying about these sort of things!
      I guess a CAPTA would probably be the simplest solution to implement. I wasn’t sure if people used a system where IPs were being checked or something.

Trending on Indie Hackers
The unsolved mysterious disappearances of builders in public 🕵️ 39 comments What do you think of my landing page 19 comments Don't do this when you validate an idea. 14 comments The Notion API is here 12 comments How We Made $49 in 3 months 5 comments WTF: My Weirdest Growth Hack That Got Me 20% Bump In Revenue! 3 comments