𝗧𝗵𝗲 𝗗𝗮𝘆 𝗪𝗲 𝗙𝗶𝘅𝗲𝗱 𝗢𝘂𝗿 𝗦𝗶𝗴𝗻𝘂𝗽 𝗣𝗶𝗽𝗲𝗹𝗶𝗻𝗲

📅2 hours ago⏱2 min read

Our signup numbers grew every week. The team felt excited. But the data felt wrong. Users never returned. Email addresses looked strange. Our activation rate dropped.

I looked at the data. I did not find growth. I found noise.

The Problem

I ran a query to group signups by IP address. One IP address registered hundreds of accounts in 24 hours. It used the same browser fingerprint. A script was hitting our register endpoint. It used throwaway email domains. It was a bot, not a person.

Our signup pipeline was wide open.

The Solution

We built three layers of protection in one sprint.

Layer 1: Throttling

We used two types of rate limiting.

Per-IP throttling: We limit signup attempts from one IP in a short window.
Per-domain throttling: We limit signups from the same email domain in a longer window. This stops bots using different IPs with the same domain.

Layer 2: Blocklists

Blocked email domains: We reject any registration using disposable email domains.
Blocked user agents: We reject requests from non-browser tools. We provide no details to the attacker.

Layer 3: IP Blocklist

Some IPs are persistent. They abuse multiple parts of our system. We use a hard blocklist. These IPs are rejected for every request. The middleware stops them immediately.

The Results

Before the fix:

One IP created hundreds of accounts in a day.
Disposable domains made up most signups.
Fake accounts lowered our activation rate.
Our data was wrong.

After the fix:

Registration farming dropped to zero.
Disposable domain signups stopped.
Signup numbers showed real human intent.
Our activation rate recovered.

Lessons Learned

Signal matters more than volume. Bots make metrics like retention and revenue unreliable.
Small code fixes solve big problems. We used three simple mechanisms.
Layers are necessary. One limit is not enough. A combination covers more ground.
Control your responses. Give legitimate users feedback. Give bad actors silence.

Growth is not just about getting users. It is about getting real users. Your product decisions depend on good data. That data starts at your registration endpoint.

Source: https://dev.to/ogeobubu/the-day-we-fixed-our-signup-pipeline-3664

𝗧𝗵𝗲 𝗗𝗮𝘆 𝗪𝗲 𝗙𝗶𝘅𝗲𝗱 𝗢𝘂𝗿 𝗦𝗶𝗴𝗻𝘂𝗽 𝗣𝗶𝗽𝗲𝗹𝗶𝗻𝗲

Continue reading

𝗘𝗳𝗳𝗶𝗰𝗶𝗲𝗻𝘁 𝗗𝗮𝘁𝗮 𝗣𝗶𝗽𝗲𝗹𝗶𝗻𝗲𝘀 𝘄𝗶𝘁𝗵 𝘁𝗵𝗲 𝗢𝘂𝘁𝗯𝗼𝘅 𝗣𝗮𝘁𝘁𝗲𝗿𝗻

𝗢𝗣𝗲𝗻𝗔𝗜 𝗜𝗻 𝗣𝗿𝗼𝗱𝘂𝗰𝘁𝗶𝗼𝗻: 𝗦𝘁𝗼𝗽 𝗪𝗮𝘀𝘁𝗶𝗻𝗴 𝗠𝗼𝗻𝗲𝘆

𝗕𝘂𝗶𝗹𝗱 𝗥𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝘁 𝗗𝗮𝘁𝗮 𝗣𝗶𝗽𝗲𝗹𝗶𝗻𝗲𝘀

𝗧𝗵𝗲 𝗠𝗶𝘀𝘀𝗶𝗻𝗴 𝗗𝗡𝗦 𝗔𝗻𝗰𝗵𝗼𝗿

𝗬𝗼𝘂𝗿 𝗟𝗼𝗴𝗶𝗻 𝗙𝗼𝗿𝗺 𝗜𝘀 𝗔 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗥𝗶𝘀𝗸