How I Prevented Signups from Temporary Emails on My Website

Samuel NwankwoSamuel Nwankwo
4 min read

A while back, I noticed a surge in fake signups on an application I was working, which was causing unnecessary spam and security risks. These accounts would clutter my database, distort analytics, and even attempt fraudulent activities. I knew I had to act fast. After extensive research and multiple trial-and-error attempts, I discovered several effective ways to block temporary emails. Here’s my journey and what worked best for me.

1. Using a Disposable Email Blacklist API

At first, I manually checked some of the suspicious email domains, and I noticed a pattern—many of them belonged to well-known disposable email services. This led me to explore APIs that automatically detect and block such emails.

These services maintain an updated list of temporary email providers and instantly validate email addresses at signup. Some of the best ones I found include:

Example Implementation in Node.js (Express):

const axios = require('axios');

async function validateEmail(email) {
    const apiKey = 'YOUR_API_KEY';
    const response = await axios.get(`https://api.mailgun.net/v4/address/validate?address=${email}&api_key=${apiKey}`);
    return response.data.is_valid && !response.data.is_disposable_address;
}

This method helped me instantly filter out junk signups before they even reached my database.

2. Maintaining a Blocklist of Disposable Email Domains

Before integrating an API, I first attempted to manually block known disposable email domains. This approach was straightforward but required constant updates as new disposable email services emerged.

Example Implementation in JavaScript:

const disposableDomains = ['tempmail.com', '10minutemail.com', 'guerrillamail.com'];

function isDisposableEmail(email) {
    const domain = email.split('@')[1];
    return disposableDomains.includes(domain);
}

While this method worked to some extent, I soon realized that maintaining a blocklist manually was inefficient. I later found a github repository that provided an extensive and regularly updated list, making my job much easier.

3. Requiring Email Verification with OTP

Even after implementing the API and blocklist, some fake accounts still slipped through. That’s when I decided to add an extra layer of protection—email verification using a One-Time Password (OTP).

My Process:

  1. When a user signed up, I sent an OTP or verification link to their email.

  2. The user had to enter the OTP or click the link within a certain timeframe.

  3. Only verified accounts were activated.

This significantly reduced fake signups because many disposable email services delete emails within a few minutes, preventing users from completing the verification process.

4. Performing an MX Record Lookup

Another trick I learned was checking the Mail Exchange (MX) records of an email’s domain. This step ensures that the email belongs to a real provider and isn't just a throwaway domain.

Think of MX records as the postal address for emails—they tell you where emails should be delivered. If a domain has valid MX records, it's like having a proper post office set up; if not, the domain might be fake or disposable

Example Implementation in Node.js:

const dns = require('dns');

function checkMXRecords(email) {
    const domain = email.split('@')[1];
    dns.resolveMx(domain, (err, addresses) => {
        if (err || addresses.length === 0) {
            console.log('Invalid email domain');
        } else {
            console.log('Valid email domain');
        }
    });
}

This method added another layer of validation, filtering out emails from domains that lacked proper mail server configurations.

5. Implementing Rate Limiting and CAPTCHA

I also noticed that bots were generating fake signups at an alarming rate. To combat this, I implemented:

  • Rate Limiting: Restricting the number of signups per IP to prevent mass account creation.

  • CAPTCHA Verification: Using Google reCAPTCHA or hCaptcha to block automated scripts.

Example Rate Limiting in Node.js:

const rateLimit = require('express-rate-limit');

const signupLimiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 5, // Limit each IP to 5 signups per window
    message: 'Too many signup attempts from this IP, please try again later.'
});
app.use('/signup', signupLimiter);

This step effectively reduced the number of bot-generated signups and improved the overall security of my platform.

Conclusion

After implementing these strategies, I saw a huge reduction in fake signups. Blocking temporary email addresses not only improved my website's security but also helped maintain a cleaner, more engaged user base. If you're struggling with spam accounts, I highly recommend trying these methods!

Have you dealt with fake signups before? What worked best for you? Let me know in the comments!

4
Subscribe to my newsletter

Read articles from Samuel Nwankwo directly inside your inbox. Subscribe to the newsletter, and don't miss out.

EmailVerification#Spam protection#cybersecuritysoftwaresecurityWeb SecuritytechtipsDigital Marketing

Written by

Samuel Nwankwo
Samuel Nwankwo

I am a software developer based in Nigeria with some years of experience in the industry. I am an expert in several programming languages, including PHP, JavaScript, and Java for Android development. When I am not coding, I enjoys playing video games and watching sci-fi movies. I am also an avid reader and enjoys learning about new technologies and programming concepts.