Block signups with spam emails

The e-mail address is often a tell-tale indicator of whether someone is signing up to your service with good or bad intent. For example, there is often a high correlation between spam/junk sign-ups and the use of disposable e-mail domains. In this guide, we'll make use of the following Signals to reduce spam sign-ups:

  • Disposable e-mail. Prevents temporary e-mail addresses.
  • Multiple aliases per e-mail. Prevents variations of the same e-mail from signing up.
  • Invalid e-mail.
  • Generated e-mail. Castle scans for patterns of generated e-mails, such as usernames in sequence.
  • Low quality e-mail. Prevents e-mails with signs of randomness or profanities in them.
  • Optionally, you can add another constraint to only allow e.g. 3 signups per IP per hour.

Depending on your risk stance, you may choose to either block these requests outright, or use the Castle verdict to trigger a CAPTCHA. With a CAPTCHA, you'll make sure to block bots, but will still allow humans to sign up for your service, even when using questionable e-mails. For blocking bots, you may also want to leverage Castle's bot score, which includes several other factors.

Step 1. Find the spam sign-ups

Let's start by filtering out potential spam signups by creating a search for registration events with any of the above e-mail signals and a bot score > 60. Click here to see it for your own data.

Filter out potential spam signups

Step 2. Stop the spam sign-ups

Next, once you're happy with the filters, we'll go ahead and create a policy that will deny any sign-up attempts matching the filter criteria outlined in the previous step.

Once you've saved the new policy, don't forget to activate it and, if needed, re-order it so that it is evaluated before your other registration policies.
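To make the policy's decision rule concrete, here is an added example (not Castle's own code, and not the shape of Castle's real API response) that applies the same criteria server-side: deny or challenge when any of the e-mail signals above is present together with a bot score over 60, plus the optional limit of 3 signups per IP per hour. The signal names, the `bot_score` field and the verdict dictionary layout are assumptions made for this illustration.

```python
from collections import defaultdict, deque

# Hypothetical signal names mirroring the guide's list. Castle's real
# response keys may differ; these are placeholders for the illustration.
EMAIL_SIGNALS = {
    "disposable_email",
    "multiple_aliases_per_email",
    "invalid_email",
    "generated_email",
    "low_quality_email",
}
BOT_SCORE_THRESHOLD = 60      # Step 1: "bot score > 60"
MAX_SIGNUPS_PER_IP = 3        # optional constraint: 3 signups per IP per hour
WINDOW_SECONDS = 3600

# Sliding window of accepted signup timestamps (epoch seconds) per IP.
# In-memory for the demo; a real deployment would use shared storage.
signups_by_ip = defaultdict(deque)


def reset_signups():
    """Clear the per-IP history (useful between test runs)."""
    signups_by_ip.clear()


def is_spam_signup(verdict):
    """True when the verdict carries any e-mail signal AND bot score > 60."""
    signals = set(verdict.get("signals", []))
    return bool(signals & EMAIL_SIGNALS) and verdict.get("bot_score", 0) > BOT_SCORE_THRESHOLD


def ip_over_limit(ip, now):
    """True when this IP already has MAX_SIGNUPS_PER_IP signups in the last hour."""
    window = signups_by_ip[ip]
    while window and now - window[0] > WINDOW_SECONDS:  # expire old entries
        window.popleft()
    return len(window) >= MAX_SIGNUPS_PER_IP


def decide(verdict, ip, now, mode="block"):
    """Return 'deny', 'challenge' or 'allow' for a registration attempt.

    mode='block' denies outright; mode='captcha' triggers a challenge instead,
    matching the two risk stances described in the guide.
    """
    if is_spam_signup(verdict) or ip_over_limit(ip, now):
        return "challenge" if mode == "captcha" else "deny"
    signups_by_ip[ip].append(now)  # only accepted signups count toward the IP limit
    return "allow"
```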