Fighting SaaS Sign-up Spam
Create a self-service SaaS and you’ll soon get people trying to abuse it.
They’re either prodding for security holes, looking for a way to send spam via our email-oriented features, or trying to create content spam.
Over the years, I’ve gradually added various protections to my SaaS’s sign-up form.
My solution (so far) is to use a combination of the following:
1. Add reCAPTCHA to our signup and sign-in pages
I’m no fan of reCAPTCHA and I wish we didn’t have to add it. I list it first, but it was the most recent defence I added. It is highly effective at preventing bad operators from even being able to submit your sign-up form.
2. Run signup attempts through Akismet
If Akismet says it is bad, return a 500 HTTP code (server error), with no further explanation.
3. Field name obfuscation
In your signup form’s HTML, obfuscate the names of the “email” and “password” fields.
4. Add a honeypot field
Add an invisible “honeypot” field to your signup form, something that sounds real but you don’t collect. Real users won’t fill it in, but some bots will. Field has a value? Return 500 without explanation.
5. IP address blocklist
Have a blocklist of IP addresses that you can quickly add to when necessary. For users on the blocklist, return HTTP code 500 without explanation.
6. Use some simple old-fashioned logic and regexp
- if name field contains “http://” or “https://” then return HTTP 500
- if name matches certain patterns you’ve encountered, such as “A12345678”, then return HTTP 500
- if email is from known problematic email domain, then return HTTP 500
When I posted this list on Twitter, I got some more suggestions:
7. Use MaxMind’s minFraud service
Jeff on Twitter writes, “We’ve had some success using MaxMind’s minFraud product to screen for obvious scammers looking to sign up for our payment platform.”
8. Timing checks
Sylvestre on Twitter writes, “We also measure the time taken to fill in the form (time between end of page load and click of submit button) and skip the request if time is suspiciously short.”
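Items 4, 5, 6 and 8 combined into one server-side check, as an added example that is not the author's code. The field names, blocklist entries, email domain and 3-second threshold are constructed for illustration, and the timing check here returns 500 like the other checks rather than skipping the request.

```python
import ipaddress
import re

# All names and values below are constructed for illustration.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
BLOCKED_EMAIL_DOMAINS = {"spam-domain.example"}
NAME_PATTERNS = [
    re.compile(r"https?://", re.IGNORECASE),  # URL pasted into the name field
    re.compile(r"^[A-Z]\d{8}$"),              # names shaped like "A12345678"
]
HONEYPOT_FIELD = "company_website"  # rendered invisibly, never collected
MIN_FILL_SECONDS = 3.0              # assumed threshold; tune against real traffic


def screen_signup(form, remote_ip, seconds_to_submit):
    """Return (http_status, internal_reason).

    Only the status code is sent to the client; the reason is for server-side
    logs, so a blocked bot cannot tell which check it tripped.
    seconds_to_submit is the page-load-to-submit time supplied by the caller.
    """
    # Item 4: real users never see the honeypot, so any value means a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return 500, "honeypot"
    # Item 5: IP blocklist. An unparseable address is rejected too (a choice
    # made for this example, not something the list above prescribes).
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return 500, "bad_ip"
    if any(addr in net for net in BLOCKED_NETWORKS):
        return 500, "ip_blocklist"
    # Item 6: simple pattern checks on the name and the email domain.
    if any(p.search(form.get("name", "")) for p in NAME_PATTERNS):
        return 500, "name_pattern"
    domain = form.get("email", "").rpartition("@")[2].strip().lower()
    if domain in BLOCKED_EMAIL_DOMAINS:
        return 500, "email_domain"
    # Item 8: a form submitted faster than a human could fill it in.
    if seconds_to_submit < MIN_FILL_SECONDS:
        return 500, "too_fast"
    return 200, "ok"
```

Logging the internal reason per rejection shows which check is catching the most traffic and whether a new pattern is hitting real users.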
Summary
The important aspects of this approach are:
- have multiple protection methods
- don’t return helpful info when any of these methods is triggered.
Since doing all of this, we’ve halved our monthly trial signups – but our # of new paying customers is unaffected. Which implies that half of our trials used to be bad actors.