Someone is using my SaaS for phishing

At https://smartforms.dev I'm having a problem with a malicious user.

The guy is creating accounts non-stop (I think it's manual as he's using Gmail domains) and using SmartForms to power an ugly clone of the Facebook mobile login page.

When I realized what was going on, the guy had already collected 2k Facebook accounts (I don't have the accounts data itself as we only save metadata and not the submissions themselves).

The thing is, it's getting tiring having to inspect and delete these accounts over time.

What I did already:

  • Implemented e-mail confirmation
  • Created a blacklist for domains (the guy just moved to things like GitHub pages, Netlify, etc)

Since I pivoted SmartForms to a more privacy-focused product, it has attracted many malicious users over time. Has anyone dealt with something similar, or does anyone have any idea how I can handle this issue?
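Added example, not part of the original post and not SmartForms code: a metadata-only triage that blocks one tenant on a shared host (GitHub Pages, Netlify) without blocking the whole platform, and queues credential-collecting forms for review. The metadata schema (`origin`, `field_names`, `account_age_days`), the field-name list and the thresholds are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Shared hosts named in the post: every subdomain is a different tenant.
SHARED_SUFFIXES = ("github.io", "netlify.app")
DOTTED = tuple("." + s for s in SHARED_SUFFIXES)
# Constructed list of field names that suggest a login form.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}


def tenant_key(origin: str) -> str:
    """Reduce an Origin/Referer value to the host that identifies one tenant."""
    if "//" not in origin:
        origin = "//" + origin
    host = (urlsplit(origin).hostname or "").lower().rstrip(".")
    for suffix in SHARED_SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return f"{label}.{suffix}"
    return host


def is_blocked(origin: str, blocklist: set) -> bool:
    """Match the tenant host or a parent domain, never a whole shared platform."""
    parts = tenant_key(origin).split(".")
    candidates = {".".join(parts[i:]) for i in range(len(parts) - 1)}
    return bool((candidates - set(SHARED_SUFFIXES)) & blocklist)


def triage(form: dict, blocklist: set):
    """Return (action, reasons) for one form's metadata (hypothetical schema)."""
    if is_blocked(form["origin"], blocklist):
        return "block", ["origin is on the blocklist"]
    reasons = []
    if {n.lower() for n in form["field_names"]} & CREDENTIAL_FIELDS:
        reasons.append("form collects a password-like field")
    if tenant_key(form["origin"]).endswith(DOTTED):
        reasons.append("page is served from a shared hosting platform")
    if form["account_age_days"] < 2:
        reasons.append("account is less than two days old")
    # A password field plus any other signal goes to a human, not auto-delete.
    needs_review = len(reasons) >= 2 and reasons[0].startswith("form collects")
    return ("review" if needs_review else "allow"), reasons


if __name__ == "__main__":
    sample = {"origin": "https://fb-login.netlify.app", "field_names": ["email", "pass"],
              "account_age_days": 0}  # constructed sample
    print(triage(sample, {"evil.example"}))
```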

  1. 2

    Email verification should hopefully stop any bots. Manual users, while annoying, should hopefully have less impact on you. You can probably complain to Netlify and they may take him down.

    1. 1

      Yeah, I guess that's it, I'll keep deleting the accounts manually and reporting it.

      Thanks for the reply!

  2. 1

    In addition to the others' suggestions, I would also email both GitHub and Netlify with links to the phishing sites published on their platforms.

    Hosts tend to take such behavior very seriously.

  3. 1

    I face the same problem. Is it coming from free users? Do you think making a paid version by default would solve this?

  4. 1

    Is reCAPTCHA v3 a possibility here? I am working on a sign-up form now and about to try experimenting with it.

    BTW, website is terrific given the type of service

  5. 1

    Are you sure the emails are valid? You can try testing them with something like isitarealemail.com.
    But yeah, if it is manual it can get hard.

    I was getting spammed for a bit, rejecting invalid emails at signup helped, also saved on sending verification emails. You can also block the IP if it's just one person.

  6. 1

    I am curious to know what their end game is.

  7. 0

    Best way to stop them is to make them pay (remove free tier). Otherwise it's gonna be a cat and mouse game.
