Ask HN: How to deal with a spam/automation attack on a small startup?
Hi HN,
We run a SaaS web app that's a productivity tool used by hundreds of small to mid size businesses. While emails aren't a core part of the service, transactional emails that alert and remind users of project activity are a big part in getting users active and using the platform.
Recently, we've had malicious users sign up under domains of Chinese email providers (frequently used by spammers), and automate sending thousands of invitations to bogus emails from the same domains. While this hasn't affected our servers or performance overall, it has resulted in our AWS SES bounce rates going exorbitantly high. Our account is now on probation.
We've deleted accounts, blocked IPs, and tried adding filtering and firewalls, but we're scratching our head on a good way to eliminate the potential for this issue going forward without being a detriment to the user experience for our regular users.
Have you experienced this with your company at all? And any suggestions to help fix this? Is there any recourse to finding out who is behind this and their motives?
Would greatly appreciate your help. Thanks so much in advance.
We experienced similar attacks and the easiest solution that fixed the problem was to completely block China and some other countries at the firewall level. We are a B2B app in the US and never had a paying customer from Asia. It's been a year since we did this and the spam attempts have ceased since then.
If you have API endpoints, I would recommend implementing rate limiters on them. They are easy to implement in code.
Read more about rate limiters & how to implement them here: https://konghq.com/blog/how-to-design-a-scalable-rate-limiti...
My advice would be a mixture of:
A: A good captcha, which doesn't rely on the typical 'distorted image' setup. Some good questions can work there, as can an anti spam honeypot question and a script to measure how quickly a user fills in the form (to block those who do this inhumanly fast).
B: Integration with an spam blacklisting service. Stuff like Stop Forum Spam or what not used to work pretty well for me in the past, though there were a few false positives.
Either way, the key is that your sign up process should be as 'unique' as possible, since the majority of spammers are either robots or sweatshop type mass submission setups, and they don't want to put in effort to crack 'bespoke' solutions here.