SaaS trial abuse from botnets/spammers

After speaking to a couple of fellow SaaS entrepreneurs, turns out there’s been this trend lately: spammers use scripts/bots/fake IPs to register hundreds of fake trial accounts using fake emails and then abuse the apps, especially the ones that have some sort of email-sending capabilities. Anyone experienced anything like that?

Happened to us for the second time over the last 10 months and we’re still under attack. @ian did you notice anything like that after saasifying helpspot?

I actually blogged about our experience along with a list of things you should check: https://www.jitbit.com/alexblog/250-saas-startups---beware-of-spammers/

This REALLY concerns me.

I saw your post, terrifying!

We haven’t seen anything like that so far, though right now we’re requiring a CC to sign up, so that usually filters out all these spammers. At least, I’ve never seen any go that far since there are easier targets. We’ll manually build a SaaS trial for people who don’t want to give us a CC, but spammers wouldn’t be contacting sales like that.

We still get a fair amount of fake trials for the download version, which doesn’t require a CC, but I assume that’s people hacking it and using it illegally. I don’t bother tracking them down.

With Snappy I believe we did have this happen. We put in a 1000-email limit or something like that, and then the trial would shut down. This seemed to discourage them enough, though I don’t think it was as large an operation as the one you seem to be up against, so maybe it would still be worth it for them? Perhaps something like https://siftscience.com to try and stop them up front. We’ll probably do something with them eventually just to keep our trial stats cleaner.

Yeah, right, totally forgot you’re requiring CC upfront.

Thanks for the Sift Science link man, checking them out.

Don’t know if this will work for you, but it’s worked decently well for me. It’s by no means perfect - but it was enough to deter spammers.

  1. Require email verification before the trial account is activated [this is now the default and done by most]

  2. Block people from using disposable email addresses - you can get a list of these from https://github.com/martenson/disposable-email-domains/blob/master/disposable_email_blacklist.conf

  3. Require a manual check if more than X accounts are created using email addresses from the same domain. Obviously this check should not apply to known domains like gmail.com, yahoo.com, etc.

  4. Require a manual check if more than X accounts are created from the same IP address.

It’s important to strike a good balance between making the life of spammers difficult and keeping real users from being annoyed by false positives.

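The four checks in the list above, plus the per-trial outbound email quota mentioned earlier in the thread, can all be expressed as a small screening layer in front of account creation. The following Python is an added example written for this thread, not code from any of the posters or their products. The thresholds (3 accounts per domain, 3 per IP, 1000 emails per trial), the provider allowlist, and the three-line disposable-domain sample are assumptions; in practice the sample would be replaced by the linked blocklist file, which is loaded the same way (one domain per line, `#` comments ignored).

```python
"""Trial signup screening: disposable-domain block, per-domain and per-IP
thresholds with a known-provider allowlist, email verification gating, and
an outbound email quota. Added example; thresholds and names are assumed."""
from dataclasses import dataclass, field

# Constructed sample in the format of the linked blocklist (one domain per line).
DISPOSABLE_LIST_SAMPLE = """\
# comment lines and blanks are ignored
mailinator.com
10minutemail.com
guerrillamail.com
"""

# Providers where many unrelated users share one domain, so the per-domain
# threshold must not apply to them (assumed list).
KNOWN_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def load_disposable_domains(text):
    """Parse a blocklist file body into a lowercase set of domains."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


@dataclass
class TrialAccount:
    email: str
    ip: str
    verified: bool = False   # set once the verification link is clicked
    held: bool = False       # parked for manual review
    emails_sent: int = 0


@dataclass
class SignupScreen:
    disposable: set
    max_per_domain: int = 3   # assumed value of "X" for check 3
    max_per_ip: int = 3       # assumed value of "X" for check 4
    email_quota: int = 1000   # per-trial outbound limit from the thread
    accounts: list = field(default_factory=list)

    @staticmethod
    def _domain(email):
        return email.rsplit("@", 1)[-1].lower()

    def register(self, email, ip):
        """Return (decision, reason): 'reject' blocks signup outright,
        'review' creates the account but holds it for a manual check,
        'pending' creates it and waits for email verification."""
        domain = self._domain(email)
        if domain in self.disposable:
            return "reject", "disposable email domain"
        acct = TrialAccount(email=email, ip=ip)
        self.accounts.append(acct)
        same_domain = sum(1 for a in self.accounts if self._domain(a.email) == domain)
        if domain not in KNOWN_PROVIDERS and same_domain > self.max_per_domain:
            acct.held = True
            return "review", f"{same_domain} accounts from domain {domain}"
        same_ip = sum(1 for a in self.accounts if a.ip == ip)
        if same_ip > self.max_per_ip:
            acct.held = True
            return "review", f"{same_ip} accounts from IP {ip}"
        return "pending", "awaiting email verification"

    def _find(self, email):
        return next((a for a in self.accounts if a.email == email), None)

    def verify(self, email):
        """Mark the trial as verified (the verification link was used)."""
        acct = self._find(email)
        if acct is None:
            return False
        acct.verified = True
        return True

    def send_email(self, email, count=1):
        """Allow sending only from verified, unheld trials within quota."""
        acct = self._find(email)
        if acct is None or not acct.verified or acct.held:
            return False
        if acct.emails_sent + count > self.email_quota:
            return False
        acct.emails_sent += count
        return True


def new_screen():
    """Convenience constructor using the constructed sample blocklist."""
    return SignupScreen(load_disposable_domains(DISPOSABLE_LIST_SAMPLE))
```

Ordering matters for the false-positive balance the post mentions: the disposable-domain check is cheap and rarely wrong, so it runs first and rejects; the volume checks are heuristics, so they only park the account for review rather than refusing it, and a held or unverified trial cannot send mail, which is what the abusers in this thread actually want.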

Those are all trial users, right?

Would limiting the number of emails trials can send help?

Yeah, these are all trial users. Limiting the number of emails does help, but then they register hundreds of trial accounts. Then we implemented an IP block; they started using proxies. We banned the proxies; they switched to a botnet… It’s a never-ending game. I mean, we are winning eventually, I just wanted to warn everyone here, I guess.

Thanks @akash, these are all good ideas, we’ll install a disposable mailbox filter… Ideally I don’t want to do anything that affects conversions (like adding a captcha or email verification, etc.).

I hear ya on being opposed to captcha, yet the latest version of Google’s captcha usually validates without even requiring any input from the user (I believe it may check recent login cookies). Just a thought in case you continue to get hassled (I feel your pain!).

https://www.google.com/recaptcha/intro/index.html

That’s scary as hell, @jitbit. :frowning:

My plugins have been a source of abuse in the past and it’s hard to play whack-a-mole with the IP addresses. @akash’s suggestions are solid ones that are definitely worth trying. Disposable accounts suck.

On a side note: a report from Incapsula says 49% of web traffic is from bots:
https://www.incapsula.com/blog/bot-traffic-report-2015.html