Block signups with spam emails
The e-mail address is often a tell-tale indicator of whether someone is signing up to your service with good or bad intent. For example, spam and junk sign-ups correlate strongly with the use of disposable e-mail domains. In this guide, we'll make use of the following Signals to reduce spam sign-ups:
- Disposable e-mail. Flags temporary e-mail addresses.
- Multiple aliases per e-mail. Flags variations (aliases, such as plus-addressing) of the same e-mail address being used to sign up repeatedly.
- Invalid e-mail. Flags addresses that fail validation.
- Generated e-mail. Castle scans for patterns of generated e-mails, such as usernames in sequence.
- Low quality e-mail. Flags e-mails with signs of randomness or profanity in them.
- Optionally, you can add a rate-limit constraint on top, e.g. allow at most 3 sign-ups per IP per hour.
Depending on your risk stance, you may choose either to block these requests outright or to use the Castle verdict to trigger a CAPTCHA. A CAPTCHA blocks bots while still allowing humans to sign up for your service, even when they use questionable e-mails. For blocking bots, you may also want to leverage Castle's bot score, which takes several other factors into account.
Step 1. Find the spam sign-ups
Start by filtering out potential spam sign-ups: create a search for registration events that carry any of the e-mail signals above, plus a bot score > 60.
Step 2. Stop the spam sign-ups
Once you're happy with the filters, create a policy that denies any sign-up attempt matching the criteria from the previous step.
Create the policy by clicking "create a policy" from the Explore view used in the previous step.
After saving the new policy, remember to activate it, and consider re-ordering it so that it is evaluated before your other registration policies.
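The two steps above configure the filter and policy in the Castle dashboard. The following is an added example, not Castle's code or API, of how the same criteria can be enforced in your own sign-up handler: a match on any of the e-mail signals, or a bot score above 60, is treated as spam (the guide's "+" is read here as either condition being sufficient), the `mode` switch chooses between blocking outright and showing a CAPTCHA, and the optional 3-per-IP-per-hour constraint is a sliding-window counter. The verdict dictionaries and the signal key names (`disposable_email`, `low_quality_email`, etc.) are constructed for this example and are not Castle's documented response format.

```python
"""Server-side enforcement of the spam-signup filter described in this guide.

Added example. The verdict dicts imitate a risk assessment (bot score on the
0-100 scale the guide uses, a set of fired signals) but are constructed here;
the signal key names are assumptions, not Castle's documented identifiers.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict

# E-mail signals this guide filters on (assumed key names).
EMAIL_SIGNALS = {
    "disposable_email",
    "multiple_aliases_per_email",
    "invalid_email",
    "generated_email",
    "low_quality_email",
}
BOT_SCORE_THRESHOLD = 60  # "bot score > 60" from Step 1


@dataclass
class SignupRateLimiter:
    """Optional constraint: at most `limit` sign-ups per IP per `window` seconds."""

    limit: int = 3
    window: int = 3600
    _hits: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque)
    )

    def allow(self, ip: str, now: float) -> bool:
        """Record an attempt from `ip` at time `now`; False if the window is full."""
        q = self._hits[ip]
        # Drop attempts that fell out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def decide(
    verdict: dict,
    ip: str,
    now: float,
    limiter: SignupRateLimiter,
    mode: str = "deny",
) -> str:
    """Return 'allow', 'challenge' (show a CAPTCHA) or 'deny' for one sign-up.

    mode='deny' blocks matching requests outright; mode='challenge' turns the
    same match into a CAPTCHA so humans with questionable e-mails can still
    register while bots are stopped. The per-IP limit is a hard stop either way.
    """
    if mode not in ("deny", "challenge"):
        raise ValueError("mode must be 'deny' or 'challenge'")
    if not limiter.allow(ip, now):
        return "deny"
    matched = EMAIL_SIGNALS & set(verdict.get("signals", {}))
    bot_score = verdict.get("bot_score", 0)
    if matched or bot_score > BOT_SCORE_THRESHOLD:
        return mode
    return "allow"


# Constructed sample verdicts, all from one IP within the same hour.
SAMPLE_ATTEMPTS = [
    ({"bot_score": 12, "signals": {}}, "198.51.100.7", 0.0),
    ({"bot_score": 12, "signals": {"disposable_email": {}}}, "198.51.100.7", 60.0),
    ({"bot_score": 81, "signals": {}}, "198.51.100.7", 120.0),
    ({"bot_score": 12, "signals": {}}, "198.51.100.7", 180.0),  # 4th in the hour
]


def run_examples(mode: str = "deny") -> list:
    """Run the constructed attempts through a fresh limiter and return decisions."""
    limiter = SignupRateLimiter()
    return [decide(v, ip, t, limiter, mode) for v, ip, t in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, run_examples()):
        print(attempt[0], "->", decision)
```

Wire `decide()` in front of account creation: on `"challenge"` render your CAPTCHA and only create the account after it is solved; on `"deny"` return a generic error so the sender learns nothing about which signal fired.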