How to deal with sign-up spam?
-
I have self-service registration turned on. I am getting some valid users, but a bunch of spam accounts.
What is the best way to deal with this?
Thanks!
--
FusionAuth - Auth for devs, built by devs.
https://fusionauth.io -
You have a variety of ways to approach this, with different tradeoffs around functionality, effort and cost. It also matters if the spam accounts are being signed up for by humans or bots.
-
use a webhook to prohibit bogus users from being created by setting the
user.createwebhook to be transactional. You'd then write a service that could examine the user object, including email address or other attributes, and return a non-200 value to fail their creation. Details on webhooks. This is available on the community plan. -
use email verification to prevent spam users without an email inbox from using your application. Details on configuring this functionality. This is available on any paid plan.
-
use a self-service registration lambda, and examine the email address and other information for a user. If a user is obviously bogus or matches a pattern, you could return a message stating they can't register, or to call you for assistance. Details on using this lambda. This is available on any paid plan.
-
turn on CAPTCHA which will make it harder for bots to sign up. This requires an enterprise plan.
-
-
There's also another kind of spam that we're noticing. At least for Google IdP accounts, scammers are adjusting their name to include malicious URLs (without even using link tags). The gmail UI will unfortunately render them as links.
Does FA have some built-in functionality to deal with this scenario?
-
D dan has marked this topic as solved on
-
@theogravity-sb Hmmm. So the issue is that someone is registering with a gmail account they control but it looks like this:
foo@gmail.com with a name of <Dan https://evil.com> which is being turned into a link?
Or am I misunderstanding your question?