What is the use case for spam sign ups?

We are getting hundreds of likely spam signups per week on our application that appear to be valid google accounts using the social login provider.

We have turned on bot detection and suspicious IP throttling but I’m curious what the use case is for these spam signups?

We have a donation widget and do get some spam donations that are likely credit card tests, but I don’t know why a bot would signup hundreds of users to our app?

Are the bots testing these email/password accounts to see if they are valid?

Thanks for any insights.

Hi @joe.a,

Welcome back to the Auth0 Community!

Currently (as of August 2022), Auth0’s attack protection (brute force and suspicious IP) features only kick in on failed login attempts.

I recommend checking this article for more information on how to Enforce Email Verification by Sending the Email Verification after Each Denied Access
This article details how email verification can be implemented to prevent users from going further after registration and from signing in.

Also, I would try to Limit on IP Addresses to the Allowlist of Bot Detection.

Please let me know if this helps and if you have any follow-up questions.

Thanks,
Timotei