How To Prevent Bot Signups on your SAAS
The internet is like the Wild West. It’s full of bots and spammers. You can’t block them all, but you can definitely make it harder for them to abuse your service. 1 out of every 5 founders I have talked to has been a victim of a bot attack. It’s not fun. It’s not easy to recover from, and it’s definitely not cheap.
It’s not a question of if you will get attacked, but when. So you need to be prepared. A signup form is the first line of defense. It’s like a bodyguard at a club: it’s the first thing that a bot will see and try to interact with. So you need to ensure that your signup form is as secure as possible. Yet you also need to make sure that it’s not too hard for a human to use. You don’t want to scare away potential customers.
How to identify a bot Signup attack on your SAAS?
- You get a lot of signups from the same IP address.
- There is a sudden spike in signups for no apparent reason.
- You get a lot of signups from an unusual email provider.
- The email address doesn’t look like a real email address.
Why do people use spam bots?
The simple answer to this question is that people like free stuff, and they will abuse the 💩 out of anything that is remotely free. Before moving to the solution, let’s assess whether you are likely to face a spam attack.
You are offering a free service to new signups
This is the most common reason why people use spam bots. You are offering a free trial, credits, or a free plan. This is a great way to get new users, but it’s also a great way to get spammed.
You require a credit card to sign up
This one came as a surprise to me too. Hackers and spammers will buy a bunch of credit card details from the dark web and use your SAAS to test whether those details are still valid. Your signup form ends up being used pretty much like a credit card validator.
You are in a competitive market
People will DDoS your service to see if they can take you down. This practice is pretty common during high-sale periods like Black Friday.
You provide Infrastructure or Data as a Service
Spammers or competitors will abuse your service to steal your data or use your infrastructure for their own benefit. This is something I personally faced at my previous startup, where a competitor was trying to steal our data by abusing our service.
How do spam bots harm your SAAS?
- Loss of Money and Resources.
- Possible downtime for your service.
- Damage to your email deliverability.
- A spike in signups can get you blacklisted by third-party services or payment processors.
How to prevent bot Signups?
Now that we have established that you are likely to get a spam attack, let’s discuss how to prevent it. There are a few things that you can do to prevent spam attacks. I will be covering the ones that I have personally used and that have worked for me.
Use reCAPTCHA at the lowest sensitivity
Use reCAPTCHA at the lowest sensitivity setting on your site. This will stop most bots from signing up but will not interrupt real users. It might pop up a few times, but it’s worth it.
Enable Cloudflare protection in a non-intrusive setting
A more advanced way is to use Cloudflare Bot Management to protect your site. This will protect not only your signup form but your entire site against spam bots as well as scrapers. It’s a paid service, but it’s worth it if you are a data-driven company.
Use the Cloudflare WAF rule to limit Signup hits to a few requests per second.
You can use a Cloudflare WAF rule to limit the number of requests per second to your signup API route. A good rule of thumb is to limit it to 5 requests per second, or whatever is the maximum number of requests you expect from a real user. This service is free to use and can protect all your API routes. It returns a 429 error when the limit is exceeded, which gives you enough time to block the IP address.
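The per-IP limit described above, as an added example that is not part of the original post and not Cloudflare's own code: a sliding-window limiter that returns 429 for the sixth hit within one second on the signup route. The route name `/api/signup` and the IP addresses are assumptions; in production this logic sits in the WAF or reverse proxy, not the app.

```python
"""Per-IP sliding-window rate limit for the signup route (added example)."""
from collections import defaultdict, deque

SIGNUP_PATH = "/api/signup"   # assumed route; only this path is limited
LIMIT = 5                     # requests allowed ...
WINDOW = 1.0                  # ... per this many seconds


class SignupRateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of accepted hits

    def check(self, ip, path, now):
        """Return the HTTP status to send: 429 if this IP is over the limit, else 200."""
        if path != SIGNUP_PATH:
            return 200  # other routes are not rate-limited here
        q = self._hits[ip]
        # Drop hits that have fallen out of the window so it keeps sliding.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return 429  # rejected hits are not recorded, so the window stays honest
        q.append(now)
        return 200

    def offenders(self):
        """IPs currently sitting at the limit: candidates for a manual block."""
        return sorted(ip for ip, q in self._hits.items() if len(q) >= self.limit)


def simulate():
    """Constructed traffic: an 8-hit burst from one IP plus one normal signup."""
    rl = SignupRateLimiter()
    bot = [rl.check("203.0.113.7", SIGNUP_PATH, 0.1 * i) for i in range(8)]
    human = rl.check("198.51.100.2", SIGNUP_PATH, 0.5)
    return bot, human, rl.offenders()
```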
Configure your web server (Nginx or Apache) to log IPs. Run a cron job, or do it manually via Kibana, to identify recurring hits on signup and block those IPs via Cloudflare
This is a manual process, but it’s a good way to identify recurring hits and patterns on your signup form. You can use Kibana to identify the IP addresses that are hitting your signup form. You can then block those IP addresses via Cloudflare or Nginx.
Note: it is good practice in general to log API hits for all routes. Not only will this give you a better understanding of your users, it will also help you resolve any issues that arise in the future.
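A scripted version of the Kibana lookup above, added here as an example rather than taken from the post: it parses Nginx's default `combined` access-log format and lists the IPs that POST to the signup route repeatedly. The route `/api/signup`, the threshold and the log lines are constructed.

```python
"""Find IPs hammering the signup route in an Nginx 'combined' access log (added example)."""
import re
from collections import Counter

# One line of the Nginx 'combined' format: ip ident user [time] "request" status bytes "referer" "ua".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SIGNUP_PATH = "/api/signup"  # assumed route

# Constructed sample log: a scripted client at 203.0.113.7 and two normal users.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /api/signup HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:55:37 +0000] "GET /pricing HTTP/1.1" 200 8042 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /api/signup HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "POST /api/signup HTTP/1.1" 200 512 "https://example.test/pricing" "Mozilla/5.0"
this line is garbage and must be skipped
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /api/signup HTTP/1.1" 429 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "POST /api/signup HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def signup_hits(log_text, path=SIGNUP_PATH):
    """Count signup POSTs per client IP; lines that do not parse are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == path:
            hits[m["ip"]] += 1
    return hits


def suspicious_ips(log_text, threshold=3, path=SIGNUP_PATH):
    """IPs with at least `threshold` signup hits, busiest first: candidates to block."""
    return [ip for ip, n in signup_hits(log_text, path).most_common() if n >= threshold]
```

Run it over a real log with `signup_hits(open("/var/log/nginx/access.log").read())` and feed `suspicious_ips(...)` to your Cloudflare IP block list.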
Remove Signup via email and use social logins. Outsource the bot detection.
A lot of startups are moving away from email-based signup and are using social logins instead. Not only is this a good way to reduce bot/spam signups, it is also a good way to increase your conversion rate. You can use either Firebase or Auth0 to handle your social logins. Both of these services are easy to integrate and can get you up and running in no time.
Use a blacklist of known temporary email providers
A lot of spam bots use temporary email providers to sign up. You can use a blacklist of known temporary email providers to prevent them from signing up. You can use this very useful list to get you started and then add more as you go along.
Use Mobile number verification
Even today, phone numbers are difficult to fake. Using a mobile number verification service like Twilio or Firebase reduces bot signups and gives you a better way to communicate with your users. This method is highly recommended for B2B SAAS but can be used for B2C SAAS as well.
Add an unseen extra field (honeypot)
A lot of bots will fill out every field in the form without reading it. So you can add an extra field that is hidden from real users. You can use this field as a honeypot to identify bots, and you can block the IP address of any submission that fills it in.
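The honeypot check just described and the temporary-email blacklist from the earlier section, combined into one server-side gate as an added example (not code from the post). The hidden field name `website`, the form layout and the three blocked domains are constructed placeholders; load the real list linked above into `DISPOSABLE_DOMAINS`.

```python
"""Server-side signup gate: honeypot field plus disposable-domain blocklist (added example)."""
import re

HONEYPOT_FIELD = "website"      # hidden with CSS; a human never fills it in
DISPOSABLE_DOMAINS = {          # constructed sample; replace with the full blocklist
    "tempmail.example",
    "10minmail.example",
    "throwaway.example",
}
# Plausible address shape only: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def email_domain(email):
    """Lowercased domain of a plausibly formed address, or None if it does not look like one."""
    m = EMAIL_RE.match(email.strip())
    return m.group(1).lower() if m else None


def is_disposable(domain, blocklist=DISPOSABLE_DOMAINS):
    """True if the domain or any parent domain is blocked, so mail.tempmail.example is caught too."""
    labels = domain.split(".")
    # Stop before the bare TLD so 'example' alone is never checked.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def evaluate_signup(form, blocklist=DISPOSABLE_DOMAINS):
    """Return the reasons to reject this submission; an empty list means let it through."""
    reasons = []
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot filled")       # log the source IP for a block
    domain = email_domain(form.get("email", ""))
    if domain is None:
        reasons.append("malformed email")
    elif is_disposable(domain, blocklist):
        reasons.append("disposable email domain")
    return reasons
```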
Common advice that doesn’t stop bot Signups
There is a lot of advice out there that doesn’t work. Let’s talk about the most common ones and why they don’t work.
Ask Custom Questions
A lot of people will tell you to ask custom questions to identify bots. This is a bad idea. Bots are getting smarter and more innovative. Also, it’s super difficult to process the answers to these questions. Personally, I think it’s a waste of time and resources.
Double opt-in
Sending an email to verify the email address is a good idea, but not always. If there is a bot attack, you will send a lot of emails, which can make your email deliverability worse. Also, modern temporary email providers offer an inbox that can be accessed via an API, so you can’t really verify the email address that way.
GeoIP blocking
This is a good idea if you are 100% sure you don’t want users from a certain country. But if you are doing this to block bots, it won’t work. It takes only a few minutes to use a proxy or VPN to change an IP address.
Conclusion
Even if you are just getting started with your SAAS, it’s a good idea to use some sort of protection. In my experience, early- to mid-stage startups are more likely to get attacked by bots. So, it’s a good idea to protect your SAAS from the start.
Prevention is always better than cure. Don’t wait for the attack to happen. Use the above methods to protect your SAAS and protect your relationship with your users and your third-party services. Still confused? Feel free to get in touch with me. I will be happy to help you out.