Fighting SaaS Sign-up Spam

Create a self-service SaaS and you’ll soon get people trying to abuse it.

They’re either prodding for security holes, looking for a way to send spam via our email-oriented features, or trying to create content spam.

Over the years, I’ve gradually added various protections to protect my SaaS’s sign-up form.

My solution (so far) is to use a combination of the following:

1. Add reCAPTCHA to our signup and sign-in pages

I’m no fan of reCAPTCHA and I wish we didn’t have to do add it. I list it first, but it was the most recent defence I added. It is highly effective at preventing bad operators from even being able to submit your sign-up form.

2. Run signup attempts through Akismet

If Akismet says it is bad, return a 500 HTTP code (server error), with no further explanation

3. Field name obfuscation

In your signup form’s HTML, obfuscate the names of the “email” and “password” fields.

4. Add a honeypot field

Add an invisible “honeypot” field to your signup form, something that sounds real but you don’t collect. Real users won’t fill it in, but some bots will. Field has a value? Return 500 without explanation.

5. IP address blocklist

Have a blocklist of IP addresses that you can quickly add to when necessary. For users on the blocklist, return HTTP code 500 without explanation.

6. Use some simple old-fashioned logic and regexp

  • if name field contains “http://” or “https://” then return HTTP 500
  • if name matches certain patterns you’ve encountered, such as “A12345678”, then return HTTP 500
  • if email is from known problematic email domain, then return HTTP 500

When I posted this list of Twitter, I got some more suggestions:

7. Use MaxMind’s minFraud service

Jeff on Twitter writes, “We’ve had some success using MaxMind’s minFraud product to screen for obvious scammers looking to sign up for our payment platform.”

8. Timing checks

Sylvestre on Twitter writes, “We also measure the time taken to fill in the form (time between end of page load and click of submit button) and skip the request if time is suspiciously short.”

Summary

The important aspects of this approach are:

  1. have multiple protection methods
  2. don’t return helpful info when any of these methods is triggered.

Since doing all of this, we’ve halved our monthly trial signups – but our # of new paying customers is unaffected. Which implies that half of our trials used to be bad actors.