FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    How to deal with sign-up spam?

    Scheduled Pinned Locked Moved Solved
    Q&A
    2
    4
    257
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • danD
      dan
      last edited by

      I have self-service registration turned on. I am getting some valid users, but a bunch of spam accounts.

      What is the best way to deal with this?

      Thanks!

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      danD 1 Reply Last reply Reply Quote 0
      • danD
        dan @dan
        last edited by

        You have a variety of ways to approach this, with different tradeoffs around functionality, effort and cost. It also matters if the spam accounts are being signed up for by humans or bots.

        • use a webhook to prohibit bogus users from being created by setting the user.create webhook to be transactional. You'd then write a service that could examine the user object, including email address or other attributes, and return a non-200 value to fail their creation. Details on webhooks. This is available on the community plan.

        • use email verification to prevent spam users without an email inbox from using your application. Details on configuring this functionality. This is available on any paid plan.

        • use a self-service registration lambda, and examine the email address and other information for a user. If a user is obviously bogus or matches a pattern, you could return a message stating they can't register, or to call you for assistance. Details on using this lambda. This is available on any paid plan.

        • turn on CAPTCHA which will make it harder for bots to sign up. This requires an enterprise plan.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • T
          theogravity-sb
          last edited by

          There's also another kind of spam that we're noticing. At least for Google IdP accounts, scammers are adjusting their name to include malicious URLs (without even using link tags). The gmail UI will unfortunately render them as links.

          Does FA have some built-in functionality to deal with this scenario?

          danD 1 Reply Last reply Reply Quote 0
          • danD dan has marked this topic as solved
          • danD
            dan @theogravity-sb
            last edited by

            @theogravity-sb Hmmm. So the issue is that someone is registering with a gmail account they control but it looks like this:

            foo@gmail.com with a name of <Dan https://evil.com> which is being turned into a link?

            Or am I misunderstanding your question?

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            1 Reply Last reply Reply Quote 0
            • First post
              Last post