8 Comments

Someone is using my SaaS for phishing

At https://smartforms.dev I'm having a problem with a malicious user.

The guy is creating accounts non-stop (I think it's manual, as he's using Gmail domains) and using SmartForms to power an ugly clone of the Facebook mobile login page.

When I realized what was going on, the guy had already collected 2k Facebook accounts (I don't have the account data itself, as we only save metadata and not the submissions themselves).

The thing is, it's getting tiring having to inspect and delete these accounts over time.

What I did already:

  • Implemented e-mail confirmation
  • Created a blacklist for domains (the guy just moved to things like GitHub Pages, Netlify, etc.)

Since I pivoted SmartForms to a more privacy-focused product, it has attracted many malicious users over time. Has anyone dealt with something similar, or have any idea how I can handle this issue?

posted to Software as a Service on August 15, 2020
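An added example of what the two measures in the post (e-mail confirmation aside) can look like server-side; this is illustrative code written for this page, not SmartForms' own code. It assumes things the post does not state: that each submission is seen together with the embedding page's Origin header and the form's field names (the post says only metadata is stored, so field names are the one signal that survives), and the hosting suffixes, blocked host and sample submissions are constructed for the example. The suffix match is label-aligned, so blocking "netlify.app" covers every subdomain on that host, which is the lesson from the attacker simply moving between free hosts.

```python
"""Added example, not SmartForms code: screening a form backend's
submissions for the phishing pattern described in the post.

Assumptions (none of this is from the original page): each submission is
seen with the embedding page's Origin header and the form's field names,
and the suffix/host lists and sample submissions below are constructed.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Whole hosting suffixes to refuse. "netlify.app" also matches
# "fb-login.netlify.app": blocking one site on a free host only moves the
# attacker to the next subdomain, so the entire suffix is refused.
BLOCKED_SUFFIXES = {"netlify.app", "github.io", "pages.dev", "vercel.app"}
# Exact hosts blocked individually after a report (constructed entry).
BLOCKED_HOSTS = {"secure-login-verify.example"}

# Field names a contact or survey form has no business collecting.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "otp", "pin", "2fa"}
# Brand tokens; a third-party-hosted form asking for a "facebook_password"
# is a strong phishing signal.
BRAND_TOKENS = {"facebook", "instagram", "paypal", "apple", "google", "microsoft"}

_TOKEN_RE = re.compile(r"[a-z0-9]+")


def hostname_of(origin: str) -> Optional[str]:
    """Normalize an Origin/Referer value to a lowercase hostname, or None.

    "null" (sandboxed iframes) and garbage both come back as None, which
    the caller scores as suspicious rather than treating as allowed.
    """
    try:
        host = urlsplit(origin.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def is_blocked_host(host: str) -> bool:
    """Exact match, or label-aligned suffix match: "notnetlify.app" does
    not match "netlify.app", but "a.b.netlify.app" does."""
    if host in BLOCKED_HOSTS:
        return True
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_SUFFIXES
               for i in range(len(labels) - 1))


def phishing_score(origin: Optional[str], field_names: list) -> dict:
    """Score one submission and return the decision with its reasons."""
    score, reasons = 0, []
    host = hostname_of(origin) if origin else None
    if host is None:
        score += 2
        reasons.append("missing or unparsable Origin")
    elif is_blocked_host(host):
        score += 3
        reasons.append(f"origin host blocked: {host}")

    # Split names like "facebook_email" or "pass-word" into lowercase tokens.
    tokens = set()
    for name in field_names:
        tokens.update(_TOKEN_RE.findall(name.lower()))
    creds = tokens & CREDENTIAL_FIELDS
    if creds:
        score += 3
        reasons.append("form collects credential fields: " + ", ".join(sorted(creds)))
    brands = tokens & BRAND_TOKENS
    if brands:
        score += 1
        reasons.append("field names reference a brand: " + ", ".join(sorted(brands)))

    decision = "block" if score >= 5 else "review" if score >= 3 else "allow"
    return {"decision": decision, "score": score, "reasons": reasons, "host": host}


if __name__ == "__main__":
    # Constructed submissions: a legitimate contact form and two login clones.
    samples = [
        ("https://example.com/contact", ["name", "email", "message"]),
        ("https://fb-login.netlify.app/", ["email", "password"]),
        (None, ["facebook_email", "password"]),
    ]
    for origin, fields in samples:
        print(origin, fields, "->", phishing_score(origin, fields))
```

Origin is set by browsers but can be omitted or forged by any non-browser client, so its absence is scored instead of being treated as a pass, and the credential-field heuristic is a triage signal rather than a control: an attacker can rename the field, so the result should feed the manual review the post describes, not replace it.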
  1.

    Email verification should hopefully stop any bots. Manual users, while annoying, should hopefully have less impact on you. You can probably complain to Netlify and they may take him down.

    1.

      Yeah, I guess that's it. I'll keep deleting the accounts manually and reporting it.

      Thanks for the reply!

  2.

    In addition to the others' suggestions, I would also email both GitHub and Netlify with links to the phishing sites published on their platforms.

    Hosts tend to take such behavior very seriously.

  3.

    I face the same problem. Is it coming from free users? Do you think making a paid version by default would solve this?

  4.

    Is reCAPTCHA v3 a possibility here? I am working on a sign-up form now and about to try experimenting with it.

    BTW, the website is terrific given the type of service.

  5.

    Are you sure the emails are valid? You can try testing them with something like isitarealemail.com.
    But yeah, if it is manual it can get hard.

    I was getting spammed for a bit; rejecting invalid emails at signup helped, and it also saved on sending verification emails. You can also block the IP if it's just one person.
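The two signup-time controls this reply suggests, as an added example written for this page rather than code from the commenter or from SmartForms: rejecting malformed addresses before a verification mail is ever sent, and rate-limiting signups per source IP. A third piece is added because the original post says the attacker registers with Gmail addresses: Gmail ignores dots in the local part and anything after "+", so aliases are canonicalized before the uniqueness check so one mailbox cannot register repeatedly. The address grammar is a deliberately strict subset of RFC 5322, the disposable-domain list is a constructed sample, and the limit and window numbers are placeholders; all three are assumptions, not from the thread.

```python
"""Added example, not code from the thread: signup-time controls.

Assumptions for illustration: a strict practical e-mail grammar (not full
RFC 5322), a constructed disposable-domain sample, and placeholder rate
limits. Gmail dot/plus aliasing is a documented Gmail behaviour.
"""
import re
import time
from collections import defaultdict, deque
from typing import Optional

# One "@", a dot-atom local part, and a domain with at least one label plus
# an alphabetic TLD. Quoted local parts and IP-literal domains are rejected on
# purpose: a form backend gains nothing by accepting them.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_EMAIL_RE = re.compile(rf"^{_LOCAL}@(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")

# Constructed sample; a real deployment would load a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}


def check_email(address: str) -> Optional[str]:
    """Return None if the address is acceptable, else a rejection reason."""
    addr = address.strip()
    if len(addr) > 254 or not _EMAIL_RE.fullmatch(addr):
        return "malformed address"
    local, domain = addr.rsplit("@", 1)
    if len(local) > 64:
        return "local part too long"
    if domain.lower() in DISPOSABLE_DOMAINS:
        return "disposable e-mail domain"
    return None


def canonical_email(address: str) -> str:
    """Key used for the uniqueness check. Lowercases everything (practical,
    not strictly RFC-correct) and collapses Gmail dot/plus aliases so
    "j.doe+1@gmail.com" and "jdoe@gmail.com" count as the same signup."""
    local, domain = address.strip().lower().rsplit("@", 1)
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class SignupRateLimiter:
    """Sliding-window signup counter per client IP. `now` is injectable so
    the behaviour can be tested without sleeping."""

    def __init__(self, limit: int = 3, window_seconds: int = 3600):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed inputs.
    for a in ("user@example.com", "not-an-email", "x@mailinator.com"):
        print(a, "->", check_email(a))
    print(canonical_email("John.Doe+spam@gmail.com"))
    lim = SignupRateLimiter(limit=2, window_seconds=60)
    print([lim.allow("203.0.113.7", now=t) for t in (0.0, 1.0, 2.0, 61.0)])
```

Two caveats a practitioner would add: behind a reverse proxy the limiter must key on the real client address (trust X-Forwarded-For only when your own proxy sets it, otherwise the header is attacker-controlled), and a per-IP limit also hits legitimate users behind shared NAT, so it should slow signups down rather than permanently ban.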

  6.

    I am curious to know what their end game is.

  7.

    Best way to stop them is to make them pay (remove free tier). Otherwise it's gonna be a cat and mouse game.
