Skip to content

Heuristic-based monitoring to detect signup abuse via email aliasing #3431

Description

@adboio

Problem

We currently have no monitoring to catch abusive signups that exploit email aliasing. A single person can create many accounts using plus-addressing (and similar tricks) on the same underlying mailbox, e.g.:

  • adam@email.com
  • adam+1@email.com
  • adam+2@email.com
  • ...and so on

Because each variant is technically a distinct email, they all pass as unique signups today, which opens the door to trial/credit abuse and other forms of gaming.

Proposal

Set up some form of heuristic-based monitoring to flag (and eventually help prevent) this pattern. Rough ideas to explore:

  • Normalize emails before comparison: strip the +suffix from the local part (and, for providers that ignore them, dots) so adam+1@email.com and adam+2@email.com collapse to the same canonical adam@email.com.
  • Cluster signups by normalized email (and optionally by shared signals like IP, device, or domain) and surface when a canonical mailbox spawns an unusual number of accounts in a short window.
  • Alert / dashboard so the team can review suspicious clusters, rather than hard-blocking initially (avoid false positives on legitimate plus-addressing use).
  • Consider whether to escalate from monitoring to soft/hard limits once we understand the baseline.

Open questions

  • Where should normalization live (signup flow, ingestion, or a downstream job)?
  • What threshold counts as "abusive" vs. normal usage?
  • Should this block at signup or just flag for review?

Starting with monitoring/heuristics keeps us from over-blocking while we learn the real patterns.

Metadata

Metadata

Assignees

No one assigned

    Labels

    EnhancementNew feature or requestSecurityThis issue or pull request is security related

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions