Block signups with spam emails

The e-mail address is often a telltale indicator of whether someone is signing up to your service with good or bad intent. For example, there is often a high correlation between spam/junk sign-ups and the use of disposable e-mail domains. In this guide, we'll make use of the following Signals to reduce spam sign-ups:

  • Disposable e-mail. Prevents temporary e-mail addresses.
  • Multiple aliases per e-mail. Prevents variations of the same e-mail from signing up.
  • Invalid e-mail.
  • Generated e-mail. Castle scans for patterns of generated e-mails, such as with usernames in sequence.
  • Low quality e-mail. Prevents e-mails with signs of randomness or profanities in them.
  • Optionally you can add another constraint to only allow e.g. 3 signups per IP per hour.

Depending on your risk stance, you may choose to either block these requests outright, or use the Castle verdict to trigger a CAPTCHA. With a CAPTCHA, you'll make sure to block bots, but will still allow humans to sign up for your service, even when using questionable e-mails. For blocking bots, you may also want to leverage Castle's bot score, which includes several other factors.
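As an added illustration (not Castle's implementation and not code from this guide), the sketch below shows locally what two of the listed checks and the optional per-IP limit amount to: collapsing aliases of one address, rejecting malformed addresses, and allowing 3 sign-ups per IP per hour. The names `canonical_email` and `SignupGate` are hypothetical, stripping `+tag` is a heuristic that assumes the provider supports sub-addressing, and choosing CAPTCHA for aliases and deny for the rate limit is one possible risk stance.

```python
import time
from collections import defaultdict, deque

MAX_SIGNUPS_PER_IP = 3      # the guide's example limit
WINDOW_SECONDS = 3600       # "per hour"
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}  # Gmail ignores dots in the local part

def canonical_email(email):
    """Collapse common alias forms to one key; return None if malformed."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    local = local.split("+", 1)[0]           # drop "+tag" sub-addressing (heuristic)
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
        domain = "gmail.com"                 # googlemail.com is the same mailbox
    return f"{local}@{domain}" if local else None

class SignupGate:
    """Hypothetical in-memory gate; a real deployment would use shared storage."""

    def __init__(self):
        self.seen = set()                    # canonical addresses already registered
        self.by_ip = defaultdict(deque)      # ip -> timestamps of allowed sign-ups

    def check(self, email, ip, now=None):
        """Return 'allow', 'challenge' or 'deny' for one sign-up attempt."""
        now = time.time() if now is None else now
        key = canonical_email(email)
        if key is None:
            return "deny"                    # invalid e-mail
        recent = self.by_ip[ip]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()                 # forget sign-ups older than the window
        if len(recent) >= MAX_SIGNUPS_PER_IP:
            return "deny"                    # per-IP hourly limit reached
        if key in self.seen:
            return "challenge"               # alias of an existing account: show a CAPTCHA
        self.seen.add(key)
        recent.append(now)
        return "allow"
```

Only allowed sign-ups count toward the per-IP limit here; counting every attempt instead makes the limit stricter.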

Step 1. Find the spam sign-ups

Let's start by filtering out potential spam signups by creating a search for registration events with any of the above email signals + a bot score > 60. Click here to see it for your own data.

Filter out potential spam signups

Step 2. Stop the spam sign-ups

Next, once you're happy with the filters, we'll go ahead and create a policy that will deny any sign-up attempts matching the filter criteria outlined in the previous step.

Simply create a new policy by clicking "create a policy" from the Explore view in the previous section.

Create a Policy from the Explore view

Once you've saved the new policy, don't forget to activate it and potentially re-order it so that it is evaluated before your other policies for registration.