Blocking Known Bad Actors at Signup
By MailChannels | 4 minute read
In the battle against spam, phishing, and scripted email abuse, prevention starts before the account is even created. While captchas and rate limiting stop generic bots, savvy attackers often slip through with recycled IPs, disposable emails, and reused behavioral patterns.
Blocking known bad actors at signup is a proactive way to reduce abuse, protect your infrastructure, and maintain IP reputation—especially in shared hosting environments.
Why Blocking at Signup Matters
Once an abusive account is active, it can do significant damage in minutes:
- Send spam through PHP mail or SMTP
- Abuse email-sending privileges to trigger blacklists
- Host phishing kits or redirect pages
- Consume support and resource overhead
Stopping bad actors before they enter your system is far more effective than reactive cleanup.
What Are “Known Bad Actors”?
Known bad actors include:
- IPs or IP ranges linked to previous abuse
- Domains used for spam or fake signups
- Devices or browsers that have engaged in abusive behavior
- Email addresses from disposable or “burner” providers
- Traffic coming from anonymized proxies or botnets
These patterns are often repeated across platforms, making them detectable if you monitor the right signals.
Signals to Look for During Signup
To block abuse, monitor for:
| Signal Type | Examples |
| IP Reputation | Blacklisted IPs, known proxy/VPN usage, TOR exit nodes |
| Email Domain | mailinator.com, dispostable.com, domains with no MX |
| Device Fingerprint | Same user agent, screen size, canvas hash as prior abusers |
| Geo Anomalies | Traffic from regions associated with prior abuse incidents |
| ASN Patterns | Bulk signups from hosting/cloud ASNs (e.g., OVH, Hetzner) |
Tools and Tactics to Block Bad Actors
1. Use IP Reputation Services
Real-time threat intelligence can stop abuse before it starts. Recommended services include:
These can be used to score IP addresses during signup and reject or flag high-risk traffic.
2. Block Disposable Email Domains
Use a disposable email detection API or maintain your own list of throwaway domains. Some popular blocklists:
- BlockDisposableEmails.com
- Kickbox Disposable Email List
- Open-source GitHub repos (updated daily)
Tip: Also validate DNS (no MX = no email delivery) for custom domain signups.
3. GeoIP and ASN Filtering
Most abuse comes from predictable sources:
- Data centers known for spam
- Countries with high botnet activity
- Cloud ASNs like OVH, DigitalOcean, or Hetzner
Block or challenge traffic from these locations if not relevant to your customer base.
4. Device and Browser Fingerprinting
Bots often reuse the same headless Chrome configurations or Selenium-driven browsers. Fingerprinting tools can detect:
- Screen resolution
- Timezone and language mismatch
- Canvas/WebGL hashes
- Browser inconsistencies
Services like FingerprintJS can help identify recurring offenders even if IPs and emails change.
5. Behavioral Velocity Checks
Look for speed-based anomalies:
- Signups completed in <1 second
- Repeated field values or submission patterns
- Mass account creation from a single source
Use hidden form fields or honeypots to catch scripts that don’t render JavaScript.
Block or Flag? Use Risk Scoring
Not every suspicious signup should be blocked. A risk scoring model allows flexibility:
| Risk Score | Action |
| High | Block outright |
| Medium | Require CAPTCHA or review |
| Low | Allow, monitor activity |
You can also delay privilege grants (e.g., SMTP access) based on score.
Combine Signup Filtering with Outbound Protection
Even the best signup filters won’t catch everything. Some attackers still slip through. That’s why smart hosting providers also use:
- SMTP relay services to detect and block spam at send-time
- Outbound email throttling for new or high-risk accounts
- Anomaly detection based on email behavior, not just signup metadata
Services like MailChannels automatically identify spam campaigns and prevent them from damaging your IP reputation.
Summary
Blocking known bad actors at signup is essential for reducing abuse and protecting shared infrastructure. By leveraging reputation data, disposable email blocklists, fingerprinting, and behavioral analysis, you can stop attacks before they start.
Want to stop abuse before it ever leaves your network?
Try MailChannels to automatically filter and protect your outbound email.
