by bedatadriven 1189 days ago
Removing user-controlled input indeed removes the incentive, but for reasons beyond my comprehension, our sign up form _still_ gets periodically blasted. Without additional countermeasures, our sending reputation would be at risk.

We apply a few strategies...

1. Require oauth-based sign up for gmail.com, hotmail.com, and live.com addresses. No emails sent until after authentication.

2. Drop obvious spam. If your name contains "http://" or "Whatsapp" or your User-Agent is "python-requests" then you get a 400.

3. Manual approval for suspicious sign ups. High Abuse IP DB scores, statistically unusual names, etc generate a help desk ticket that someone from our staff approves before an email is sent. Persistent bad actors are blocked by IP for 2 weeks.

4. Rate limiting by IP. This prevents bad actors from spamming our help desk.

All together this seems to have largely solved the problem... for now.


> then you get a 400.

When I did this, the spammers got more creative trying other ways to get through.

Now I return a 200, and the response looks identical to a successful signup.

The only difference is nothing actually happened on the backend.

So far all "my" spammers seem indiscriminate. I have the feeling that our form is just another URL on a very very long list, and I see no evidence of adaptation.

If there was something of value (besides excellent software) behind the signup form maybe we would need different strategies.

A signup that looks successful but is blackholed is user hostile. The majority of web form spammers don't even try to evade filtering; why bother when there are many web forms without validation. All signup spam I've ever seen in email was sent via forms which allow entering longish text in the name field with either a URL, an email address or a phone number. Reasonable validation of user-entered fields used in signup emails should stop 99% of such spam.

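
The rules described in the top comment (drop names carrying URLs or "Whatsapp", reject scripted User-Agents, OAuth-only for the big webmail domains, manual review on high abuse scores, per-IP rate limiting) and the name-field validation suggested just above, combined into one decision function. This is an added example, not code from either commenter; the thresholds, the regexes and the `SignupFilter` class are assumptions, and the "statistically unusual name" check is a crude stand-in (digits or excessive length).

```python
import re
import time
from collections import defaultdict, deque

# Constructed patterns: URLs, the "Whatsapp" lure, e-mail addresses and phone numbers in a name field.
NAME_BLOCK = re.compile(
    r"https?://|www\.|whatsapp|[\w.+-]+@[\w-]+\.[\w.]+|\+?\d[\d\s().-]{7,}\d", re.I)
BLOCKED_AGENTS = ("python-requests", "curl/", "go-http-client")
OAUTH_ONLY_DOMAINS = {"gmail.com", "hotmail.com", "live.com"}


class SignupFilter:
    """Decide what to do with a signup request before any e-mail is sent."""

    def __init__(self, max_per_window=5, window_seconds=3600, review_score=25):
        self.max_per_window = max_per_window   # requests allowed per IP per window
        self.window = window_seconds
        self.review_score = review_score       # abuse-DB score at which a human looks
        self._hits = defaultdict(deque)        # ip -> timestamps of recent requests

    def _rate_limited(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.max_per_window

    def decide(self, name, email, user_agent, ip, abuse_score=0, now=None):
        """Return (decision, reason); decision is accept, reject, review or oauth."""
        now = time.time() if now is None else now
        if self._rate_limited(ip, now):
            return ("reject", "rate-limit")
        if any(a in user_agent.lower() for a in BLOCKED_AGENTS):
            return ("reject", "user-agent")
        if NAME_BLOCK.search(name):
            return ("reject", "name-content")
        domain = email.rpartition("@")[2].lower()
        if domain in OAUTH_ONLY_DOMAINS:
            return ("oauth", "oauth-required")   # no mail until the user authenticates
        if abuse_score >= self.review_score:
            return ("review", "abuse-score")      # open a help-desk ticket instead
        if len(name) > 40 or any(c.isdigit() for c in name):
            return ("review", "unusual-name")
        return ("accept", "ok")
```

Whether a "reject" is answered with a 400 or with a response identical to a success (as the reply below prefers) is the caller's choice; the filter only decides whether the backend acts on the request.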
> A signup that looks successful but is blackholed is user hostile

I only do it for things which are clearly not valid users.

Ah, I got a phone call yesterday because a small company I ordered something with didn't know where to send the package.

I gave them an e-mail address that contained a "+". Apparently MondialRelay silently dropped their requests. They thought they had sent me multiple e-mails. I received none.

I hate that kind of silent failure mode.

Well that seems hostile on purpose. "You try holding us accountable for what we do with your email, punk? Shadowban for you!"

I'm so tired of these idiots. I've been slowly teaching various (non-tech) co-workers how to protect themselves, and every time we get to email signups, I have to add a caveat about this only sometimes working, if the company has an intelligent programmer.

This is the way