6
8 Comments

Someone is using my SaaS to phishing

At https://smartforms.dev I'm having a problem with a malicious user.

The guy is creating accounts non-stop(I think it's manual as he's using Gmail domains) and using SmartForms to power an ugly clone of the Facebook mobile login page.

When I realized what was going on the guy had already collected 2k Facebook accounts(I don't have the accounts data itself as we only save metadata and not the submissions itself).

The thing is, is getting tiring having to inspect and delete these accounts over time.

What I did already:

  • Implemented e-mail confirmation
  • Created a blacklist for domains(the guy just moved to things like GitHub pages, Netlify, etc)

Since I pivoted SmartForms to a more privacy-focused product it has attracted many malicious users over time. Anyone has dealt with something similar or have any idea how can I handle this issue?

  1. 2

    Email verification should hopefully stop any bots. Manual users, while annoying, should hopefully have less impact on you. You can probably complain to Netlify and they may take him down.

    1. 1

      Yeah, I guess that's it, I'll keep deleting the accounts manually and reporting it.

      Thanks for the reply!

  2. 1

    In addition to the others' suggestions, I would also email both GitHub and Netlify with links to the phishing sites published on their platforms.

    Hosts tend to take such behavior very seriously.

  3. 1

    I face the same problem. Is it coming from free users? Do you think making a paid version by default would solve this?

  4. 1

    Is recaptcha v3 a possibility here? I am working on a sign-up form now and about to try experimenting with it.

    BTW, website is terrific given the type of service

  5. 1

    Are you sure the emails are valid, you can try testing them with something like isitarealemail.com.
    But yea if it is manual it can get hard.

    I was getting spammed for a bit, rejecting invalid emails at signup helped, also saved on sending verification emails. You can also block the IP if it's just one person.

  6. 1

    I am curious to know what their end game is.

  7. 0

    Best way to stop them is to make them pay (remove free tier). Otherwise it's gonna be a cat and mouse game.

Trending on Indie Hackers
How I grew a side project to 100k Unique Visitors in 7 days with 0 audience 49 comments Competing with Product Hunt: a month later 33 comments Why do you hate marketing? 29 comments My Top 20 Free Tools That I Use Everyday as an Indie Hacker 18 comments $15k revenues in <4 months as a solopreneur 14 comments Use Your Product 13 comments