The Day We Fixed Our Signup Pipeline
Our signup numbers grew every week. The team felt excited. But the data felt wrong. Users never returned. Email addresses looked strange. Our activation rate dropped.
I looked at the data. I did not find growth. I found noise.
The Problem
I ran a query to group signups by IP address. One IP address had registered hundreds of accounts inside 24 hours, all with the same browser fingerprint and all on throwaway email domains. A script was hitting our register endpoint. It was a bot, not a person.
Our signup pipeline was wide open.
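The grouping described above, as an added example that is not the post's own query: a Python script that loads constructed signup rows (one scripted source plus a few humans, all invented here) into an in-memory SQLite table and runs the per-IP aggregation over a trailing 24-hour window, reporting the two tells mentioned above, the number of distinct browser fingerprints and the number of disposable-domain addresses. The column names, the disposable-domain list and the threshold of 50 accounts are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data, not the post's real signups: one scripted source plus
# a few humans, so the query has something to find. Column names are assumed.
WINDOW_END = datetime(2024, 1, 2, 0, 0, 0)
DISPOSABLE_DOMAINS = ["tempmail.example", "throwaway.example", "10minute.example"]

# Signups per source IP in the window, plus how many distinct browser
# fingerprints the IP used and how many of its addresses were disposable.
FARM_QUERY = """
SELECT s.ip,
       COUNT(*)                      AS accounts,
       COUNT(DISTINCT s.fingerprint) AS fingerprints,
       SUM(d.domain IS NOT NULL)     AS disposable
FROM signups AS s
LEFT JOIN disposable_domains AS d
       ON d.domain = lower(substr(s.email, instr(s.email, '@') + 1))
WHERE s.created_at >= ? AND s.created_at < ?
GROUP BY s.ip
HAVING COUNT(*) >= ?
ORDER BY accounts DESC
"""


def load_sample_db():
    """Build an in-memory SQLite database holding the constructed signups."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE signups (
            email       TEXT NOT NULL,
            ip          TEXT NOT NULL,
            fingerprint TEXT NOT NULL,
            created_at  TEXT NOT NULL   -- ISO-8601, UTC
        );
        CREATE TABLE disposable_domains (domain TEXT PRIMARY KEY);
    """)
    conn.executemany("INSERT INTO disposable_domains VALUES (?)",
                     [(d,) for d in DISPOSABLE_DOMAINS])
    start = WINDOW_END - timedelta(hours=20)
    rows = []
    # The farm: one IP, one browser fingerprint, a new account every two minutes.
    for i in range(300):
        domain = DISPOSABLE_DOMAINS[i % len(DISPOSABLE_DOMAINS)]
        rows.append((f"u{i}@{domain}", "203.0.113.7", "fp-3f9a",
                     (start + timedelta(minutes=2 * i)).isoformat()))
    # Humans: distinct fingerprints; two colleagues share one office NAT address.
    rows += [
        ("alice@example.com", "192.0.2.10", "fp-11aa", (start + timedelta(hours=1)).isoformat()),
        ("bob@example.org",   "192.0.2.10", "fp-22bb", (start + timedelta(hours=2)).isoformat()),
        ("carol@example.net", "192.0.2.55", "fp-33cc", (start + timedelta(hours=3)).isoformat()),
        # A week old: outside the window, must not be counted.
        ("dave@example.com",  "192.0.2.99", "fp-44dd", (WINDOW_END - timedelta(days=7)).isoformat()),
    ]
    conn.executemany("INSERT INTO signups VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def _window(window_end, hours):
    """ISO-8601 bounds of the trailing window; same format as the table, so
    plain string comparison in SQL orders correctly."""
    return ((window_end - timedelta(hours=hours)).isoformat(), window_end.isoformat())


def find_signup_farms(conn, window_end=WINDOW_END, hours=24, min_accounts=50):
    """(ip, accounts, fingerprints, disposable) for every IP that registered
    at least min_accounts accounts in the trailing window, busiest first."""
    params = _window(window_end, hours) + (min_accounts,)
    return [tuple(r) for r in conn.execute(FARM_QUERY, params)]


def disposable_share(conn, window_end=WINDOW_END, hours=24):
    """Fraction of all signups in the window that used a disposable domain."""
    total, disposable = conn.execute("""
        SELECT COUNT(*), SUM(d.domain IS NOT NULL)
        FROM signups AS s
        LEFT JOIN disposable_domains AS d
               ON d.domain = lower(substr(s.email, instr(s.email, '@') + 1))
        WHERE s.created_at >= ? AND s.created_at < ?""", _window(window_end, hours)).fetchone()
    return disposable / total if total else 0.0


if __name__ == "__main__":
    db = load_sample_db()
    for ip, accounts, fingerprints, disposable in find_signup_farms(db):
        print(f"{ip}: {accounts} accounts, {fingerprints} fingerprint(s), {disposable} disposable")
    print(f"disposable share of all signups: {disposable_share(db):.1%}")
```

The office NAT address shows why the threshold matters: two colleagues on one IP are not a farm, and a limit of two would flag them. In a real table the disposable-domain list is the part that needs upkeep; the query itself does not change.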
The Solution
We built three layers of protection in one sprint.
Layer 1: Throttling
We used two types of rate limiting.
- Per-IP throttling: We limit signup attempts from one IP in a short window. The IP has to come from the connection itself or from a proxy we control, never from a client-supplied header, or the bot simply rotates the header. The cap also has to tolerate a handful of real users behind one NAT or carrier address.
- Per-domain throttling: We limit signups from the same email domain in a longer window. This stops bots using different IPs with the same domain. Large mail providers need an exemption or a far higher cap, or a burst of genuine users on the same provider would lock each other out.
Layer 2: Blocklists
- Blocked email domains: We reject any registration using disposable email domains.
- Blocked user agents: We reject requests from non-browser tools, which announce themselves in the User-Agent header or send none at all. The header is chosen by the client, so this only stops scripts that do not bother to fake it; it is a cheap filter, not a security boundary. We provide no details to the attacker: the response is the same generic error every other rejection gets.
Layer 3: IP Blocklist
Some IPs are persistent. They abuse multiple parts of our system. We use a hard blocklist. These IPs are rejected for every request, not only signups. The middleware stops them first, before authentication, rate limiting or any database work, so a blocked address costs us almost nothing. Entries should carry an expiry: addresses change hands, and a shared address can later belong to a real user.
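The three layers above combined into one request-time guard, as an added example that is not the post's own code: a stdlib-only Python check in the style of a middleware, with a sliding-window limiter keyed by IP and by email domain, the two blocklists, a hard IP blocklist that runs first, and one generic error message for every rejection. The limits, the blocklists, the trusted-proxy address and the set of large mail providers exempt from the domain limit are all assumptions. The `client_ip` helper (also hypothetical) shows the one piece the per-IP limit depends on: X-Forwarded-For is ignored unless the request came through our own proxy, and a malformed header is rejected rather than silently keyed on the proxy's address.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Optional

# All settings are assumptions for the example; the post gives no concrete numbers.
PER_IP_LIMIT, PER_IP_WINDOW = 5, 10 * 60            # 5 attempts per 10 minutes per IP
PER_DOMAIN_LIMIT, PER_DOMAIN_WINDOW = 50, 60 * 60   # 50 attempts per hour per email domain
BIG_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}   # exempt from the domain limit
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}
BLOCKED_UA_PREFIXES = ("python-requests/", "curl/", "wget/", "go-http-client/")
IP_BLOCKLIST = [ipaddress.ip_network("203.0.113.7/32"), ipaddress.ip_network("198.51.100.0/24")]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}  # the only peer whose X-Forwarded-For we honour
GENERIC_ERROR = "Sign-up could not be completed."


class SlidingWindowLimiter:
    """At most `limit` hits per key in any trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = {}  # key -> deque of hit timestamps, oldest first

    def allow(self, key, now):
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def client_ip(remote_addr, x_forwarded_for=None):
    """Address the limiter keys on. X-Forwarded-For is attacker-supplied unless
    our own proxy appended to it: ignore it when the direct peer is not a trusted
    proxy, otherwise take the rightmost entry that is not one of our proxies
    (everything left of it is whatever the client chose to send). Returns None
    for a malformed header so the caller rejects instead of sharing a bucket."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not x_forwarded_for:
        return peer
    try:
        chain = [ipaddress.ip_address(a.strip()) for a in x_forwarded_for.split(",")]
    except ValueError:
        return None
    for addr in reversed(chain):
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


@dataclass
class SignupRequest:
    remote_addr: str
    email: str
    user_agent: str = ""
    x_forwarded_for: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str                   # internal: logs and metrics only
    message: str = GENERIC_ERROR  # what the client sees; identical for every rejection


class SignupGuard:
    def __init__(self):
        self.per_ip = SlidingWindowLimiter(PER_IP_LIMIT, PER_IP_WINDOW)
        self.per_domain = SlidingWindowLimiter(PER_DOMAIN_LIMIT, PER_DOMAIN_WINDOW)

    def check(self, req, now):
        ip = client_ip(req.remote_addr, req.x_forwarded_for)
        if ip is None:
            return Decision(False, "malformed_forwarded_for")
        # Layer 3 runs first: a hard-blocked address never reaches the limiters.
        if any(ip in net for net in IP_BLOCKLIST):
            return Decision(False, "ip_blocklist")
        # Layer 2: non-browser tools (cheap, spoofable) and disposable domains.
        ua = req.user_agent.strip().lower()
        if not ua or ua.startswith(BLOCKED_UA_PREFIXES):
            return Decision(False, "blocked_user_agent")
        local, at, domain = req.email.rpartition("@")
        domain = domain.lower()
        if not at or not local or "." not in domain:
            return Decision(False, "malformed_email")
        if domain in DISPOSABLE_DOMAINS:
            return Decision(False, "disposable_domain")
        # Layer 1: throttle by IP, then by domain (big providers exempt, or a
        # burst of genuine users on one provider would lock each other out).
        if not self.per_ip.allow(str(ip), now):
            return Decision(False, "per_ip_limit")
        if domain not in BIG_PROVIDERS and not self.per_domain.allow(domain, now):
            return Decision(False, "per_domain_limit")
        return Decision(True, "ok", message="")
```

Call `SignupGuard().check(SignupRequest(...), time.time())` from the register handler and return `decision.message` with a generic status on rejection; `decision.reason` goes to logs and metrics only. The in-memory limiter is per process; behind several app servers the deques would live in a shared store, but the window logic is the same.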
The Results
Before the fix:
- One IP created hundreds of accounts in a day.
- Disposable domains made up most signups.
- Fake accounts lowered our activation rate.
- Our data was wrong.
After the fix:
- Registration farming dropped to zero.
- Disposable domain signups stopped.
- Signup numbers showed real human intent.
- Our activation rate recovered.
Lessons Learned
- Signal matters more than volume. Bots make metrics like retention and revenue unreliable.
- Small code fixes solve big problems. We used three simple mechanisms.
- Layers are necessary. One limit is not enough. A combination covers more ground.
- Control your responses. Give legitimate users feedback. Give bad actors silence: every rejection returns the same generic error, so a bot cannot tell which layer caught it or tune its traffic to slip past.
Growth is not just about getting users. It is about getting real users. Your product decisions depend on good data. That data starts at your registration endpoint.
Source: https://dev.to/ogeobubu/the-day-we-fixed-our-signup-pipeline-3664