You need to use the must-verify-email interface and also keep the email unique in the database table and in validation as well.
Then you will be able to prevent fake random users from registering.
Until they have verified the email, do not register that user in your database.
Yea. But that is where the use of a decent hosting comes in (VPS, cloud, managed hosting like Laravel Forge, Vapor, etc.), instead of having to use shared hosting with slow DNS resolvers.
Also, it is a sign up (validating one email at a time), not bulk verification. So using email:rfc,dns in production is generally fine, as long as one is using it in the right context.
I would suggest 2FA authentication. Also AI is hitting many websites looking for answers.
The FreeCAD website had to take measures against bots hitting the site.
AI doesn't actually answer, AI compiles answers from sources, other websites.
But AI doesn't create an account, so you have spamming happening to your site.
Careful or you may encounter a DDoS attack.
I know Laracasts had a similar problem a while back, but I am not sure how @jeffreyway is handling it.
@dmytro_shved It’s not people. It’s bots. And if your website just lets people create an account with a simple form submission, then you’re going to get picked as a target.
You need to add deterrents in place that aren’t too much friction for a genuine user attempting to create a single account, but annoying for something trying to create multiple. So things like rate limiting, adding a CAPTCHA to your registration form, etc.
Depending on what mail service you use to send the verification email, you could go one step further. Most mail services will send a webhook if an email bounces, so if the verification email bounces then you know it’s fake, and could have a webhook listener that just automatically deletes the associated account and blocks the address from being used to create any new ones.
... blocks the address from being used to create any new ones
I mean, how should I block that email? Should I create a separate table for bounced_emails and then create a validation rule that checks if the email is in the blacklist? Or is there another way to block the email?
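
As an added example (not code from this thread or from Laravel), the bounce-webhook listener and bounced_emails blocklist discussed above can be sketched in plain PHP with an in-memory SQLite database. The users table layout, the JSON payload shape and the HMAC-SHA256 signature check are assumptions; each mail service defines its own webhook format and signing scheme.

```php
<?php
// Added example: schema, payload and signature scheme are constructed assumptions.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, email_verified_at TEXT)');
    $db->exec('CREATE TABLE bounced_emails (email TEXT PRIMARY KEY, bounced_at TEXT)');
    return $db;
}

function normalizeEmail(string $email): string {
    return strtolower(trim($email));
}

// Webhook listener: authenticate the sender, then block the address and drop the unverified account.
function handleBounce(PDO $db, string $rawBody, string $signature, string $secret): bool {
    $expected = hash_hmac('sha256', $rawBody, $secret);
    if (!hash_equals($expected, $signature)) {
        return false; // forged or corrupted request: change nothing
    }
    $event = json_decode($rawBody, true);
    if (!is_array($event) || ($event['type'] ?? '') !== 'bounce' || !is_string($event['email'] ?? null)) {
        return false;
    }
    $email = normalizeEmail($event['email']);
    $db->beginTransaction();
    $db->prepare('INSERT OR IGNORE INTO bounced_emails (email, bounced_at) VALUES (?, ?)')
       ->execute([$email, gmdate('c')]);
    // Only unverified accounts are removed; a bounce never deletes a verified user.
    $db->prepare('DELETE FROM users WHERE email = ? AND email_verified_at IS NULL')
       ->execute([$email]);
    $db->commit();
    return true;
}

// Registration-time check, the equivalent of a "not in bounced_emails" validation rule.
function isBlocked(PDO $db, string $email): bool {
    $stmt = $db->prepare('SELECT 1 FROM bounced_emails WHERE email = ?');
    $stmt->execute([normalizeEmail($email)]);
    return $stmt->fetchColumn() !== false;
}

// Constructed demo data.
$db = makeDb();
$secret = 'constructed-webhook-secret';
$db->exec("INSERT INTO users (email) VALUES ('fake@example.test')");
$body = json_encode(['type' => 'bounce', 'email' => 'Fake@Example.test']);
var_dump(handleBounce($db, $body, 'bad-signature', $secret)); // request with a wrong signature
var_dump(handleBounce($db, $body, hash_hmac('sha256', $body, $secret), $secret)); // signed request
var_dump(isBlocked($db, 'fake@example.test')); // registration check after the bounce
```

Without the signature check, anyone who can reach the webhook URL could delete pending accounts or blocklist addresses they do not own.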