FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Allow hook into external API to reduce spam signups #655

Open mooreds opened 4 years ago

mooreds commented 4 years ago

Allow hook into external API to reduce spam signups

Problem

People sign up for FA user accounts with a spam server email account. These accounts are then used to, for example, post commercial off topic links to forums.

It'd be great if there was an integration with FusionAuth to prevent that.

Solution

There are some APIs which can tell you if an email address is bogus. I just googled for "bogus email address api" and saw 2-3 of them. No experience with any of them, so there may need to be an evaluation.

Ideally it'd be a tenant or application level configuration setting to turn on this check. Then on registration, if a user was using a 'bogus' email address, the registration would be rejected with a 400 error and the appropriate error message.

Alternatives/workarounds

Allow spam accounts and manage outside of FA.

You could build an external system using webhooks on user registration to call out to a bogus email API and if it returned true, lock the user account.

Additional context

Came out of this Slack conversation: https://fusionauth.slack.com/archives/CG00HG935/p1590678473034500

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

jerryhopper commented 4 years ago

My 2 cts: use an existing standard like DNSBL!

It's DNS-based, and there are several providers (see: https://www.dnsbl.info/).

Some technical info on how to query DNSBL: https://www.spamhaus.org/faq/section/DNSBL%20Usage#366

Edit: here is a Java implementation: https://gist.github.com/aikar/b8a16c09845bdeb7b954
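As an added example (not code from FusionAuth or from either commenter), this sketches the webhook workaround from the issue description combined with the DNSBL check suggested above: a handler takes a registration webhook payload, maps the email domain to a mail-host IP, and locks the user if that IP is listed. Assumptions: the payload is a JSON object with a top-level `event` whose `type` is `user.registration.create`; DNSBLs list mail-server IP addresses rather than email addresses, so the domain-to-IP step (MX lookup in practice), the DNS resolver and the lock action are injected as callables so the example runs offline; `dnsbl.example` and all sample data are constructed.

```python
import ipaddress
import json
from typing import Callable, Dict, List, Optional

# Placeholder zone: a real deployment picks a provider from dnsbl.info (assumption, not a real zone).
DNSBL_ZONE = "dnsbl.example"

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """DNSBL lookups query the IPv4 address with its octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip: str, resolve: Callable[[str], Optional[str]], zone: str = DNSBL_ZONE) -> bool:
    """resolve(name) returns the A record or None for NXDOMAIN; a 127.0.0.x answer means listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.0.0.")

def handle_registration_event(payload: str, mail_host_ip: Callable[[str], Optional[str]],
                              resolve: Callable[[str], Optional[str]],
                              lock_user: Callable[[str], None]) -> Optional[str]:
    """Process one webhook payload (JSON with a top-level "event" object, assumed).
    Returns the email domain when the user was locked, otherwise None."""
    event = json.loads(payload)["event"]
    if event.get("type") != "user.registration.create":
        return None  # only act on new registrations
    user = event["user"]
    domain = user["email"].rsplit("@", 1)[1].lower()
    ip = mail_host_ip(domain)  # e.g. resolve the domain's MX host; injected here to stay offline
    if ip is None or not is_listed(ip, resolve):
        return None
    lock_user(user["id"])  # e.g. deactivate the user via the User API (assumption)
    return domain

# Constructed sample data: a fake DNSBL zone, a fake MX-to-IP map and two webhook payloads.
FAKE_DNSBL: Dict[str, str] = {"4.3.2.1.dnsbl.example": "127.0.0.2"}   # 1.2.3.4 is listed
FAKE_MX_IP: Dict[str, str] = {"spam-mail.example": "1.2.3.4", "good-mail.example": "5.6.7.8"}
EVENTS = [
    json.dumps({"event": {"type": "user.registration.create",
                          "user": {"id": "u-1", "email": "bot@spam-mail.example"}}}),
    json.dumps({"event": {"type": "user.registration.create",
                          "user": {"id": "u-2", "email": "alice@good-mail.example"}}}),
]

def demo() -> List[str]:
    """Run both constructed events through the handler; returns the user ids that were locked."""
    locked: List[str] = []
    for payload in EVENTS:
        handle_registration_event(payload, FAKE_MX_IP.get, FAKE_DNSBL.get, locked.append)
    return locked
```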

robotdan commented 3 years ago

In https://github.com/FusionAuth/fusionauth-issues/issues/905 we will be adding CAPTCHA, which helps a little.

We will also be adding a config for blocked domains, but this will be more oriented to limiting self-service sign-up from using your corporate domain, etc.

We have discussed sourcing some data and then getting an email / domain quality score that can be configured to reject signups. We can use this issue to track that effort.