FusionAuth

How to deal with sign-up spam?

  • D
    dan
    last edited by 4 Feb 2025, 20:17

    I have self-service registration turned on. I am getting some valid users, but a bunch of spam accounts.

    What is the best way to deal with this?

    Thanks!

    --
    FusionAuth - Auth for devs, built by devs.
    https://fusionauth.io

    • D
      dan @dan
      last edited by 4 Feb 2025, 20:21

      You have a variety of ways to approach this, with different tradeoffs around functionality, effort and cost. It also matters if the spam accounts are being signed up for by humans or bots.

      • use a webhook to prohibit bogus users from being created by setting the user.create webhook to be transactional. You'd then write a service that could examine the user object, including email address or other attributes, and return a non-200 value to fail their creation. Details on webhooks. This is available on the community plan.

      • use email verification to prevent spam users without an email inbox from using your application. Details on configuring this functionality. This is available on any paid plan.

      • use a self-service registration lambda, and examine the email address and other information for a user. If a user is obviously bogus or matches a pattern, you could return a message stating they can't register, or to call you for assistance. Details on using this lambda. This is available on any paid plan.

      • turn on CAPTCHA which will make it harder for bots to sign up. This requires an enterprise plan.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io
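The transactional `user.create` webhook option from the answer above, as an added example (not code from the post or from FusionAuth). It assumes the event arrives as JSON with `event.type` and `event.user`, and that the user carries `email`, `firstName`, `lastName` and `fullName`; the blocklist, the 403 status and the port are constructed for illustration.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample blocklist; replace with domains seen in your own spam.
BLOCKED_DOMAINS = {"mailinator.example", "tempmail.example"}
# Scheme or "www." inside a name field; bare "evil.com" style hosts are not caught.
URL_IN_TEXT = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
NAME_FIELDS = ("firstName", "lastName", "fullName")  # assumed user fields


def rejection_reason(user):
    """Return why this user should be refused, or None to allow creation."""
    email = (user.get("email") or "").strip().lower()
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        return "missing or malformed email"
    if domain in BLOCKED_DOMAINS:
        return "blocked email domain"
    for field in NAME_FIELDS:
        if URL_IN_TEXT.search(user.get(field) or ""):
            return "URL in " + field
    return None


def status_for(body):
    """Map a raw webhook body to the HTTP status sent back to the caller."""
    try:
        event = json.loads(body)["event"]
        if event["type"] != "user.create":
            return 200  # other event types are not judged here
        reason = rejection_reason(event["user"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400  # unparseable or unexpected payload: fail closed
    return 403 if reason else 200  # non-200 fails the transactional create


class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        self.send_response(status_for(self.rfile.read(length)))
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

The handler does not authenticate the caller; in a deployment, restrict who can reach the endpoint.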

      • T
        theogravity-sb
        last edited by 11 Feb 2025, 19:05

        There's also another kind of spam that we're noticing. At least for Google IdP accounts, scammers are adjusting their name to include malicious URLs (without even using link tags). The Gmail UI will unfortunately render them as links.

        Does FA have some built-in functionality to deal with this scenario?

        • D dan has marked this topic as solved on 12 Feb 2025, 20:20
        • D
          dan @theogravity-sb
          last edited by 12 Feb 2025, 20:22

          @theogravity-sb Hmmm. So the issue is that someone is registering with a Gmail account they control, but it looks like this:

          foo@gmail.com with a name of <Dan https://evil.com> which is being turned into a link?

          Or am I misunderstanding your question?

          --
          FusionAuth - Auth for devs, built by devs.
          https://fusionauth.io
