How to deal with sign-up spam?
-
I have self-service registration turned on. I am getting some valid users, but a bunch of spam accounts.
What is the best way to deal with this?
Thanks!
--
FusionAuth - Auth for devs, built by devs.
https://fusionauth.io -
You have a variety of ways to approach this, with different tradeoffs around functionality, effort and cost. It also matters if the spam accounts are being signed up for by humans or bots.
-
use a webhook to prohibit bogus users from being created by setting the
user.createwebhook to be transactional. You'd then write a service that could examine the user object, including email address or other attributes, and return a non-200 value to fail their creation. Details on webhooks. This is available on the community plan. -
use email verification to prevent spam users without an email inbox from using your application. Details on configuring this functionality. This is available on any paid plan.
-
use a self-service registration lambda, and examine the email address and other information for a user. If a user is obviously bogus or matches a pattern, you could return a message stating they can't register, or to call you for assistance. Details on using this lambda. This is available on any paid plan.
-
turn on CAPTCHA which will make it harder for bots to sign up. This requires an enterprise plan.
-
