mads_quist 9 hours ago

A good old Honey Pot helped us at All Quiet "a lot" with those attacks. Basically all attacks are remediated by this. No need for Cloudflare etc.

grey-area 9 hours ago | parent | next [-]

Can you expand on that? A separate honey pot sign up page invisible to real users, or something else?

mads_quist 9 hours ago | parent [-]

You add "hidden" inputs to your HTML form that are named like "First Name" or "Family Name". Bots will fill them out. You will either expect them to be empty or you fill them by JavaScript with something you expect. It's of course reverse-engineerable, but does the trick.

alexjurkiewicz 8 hours ago | parent | next [-]

Doesn't that break password manager autofill?

grey-area 8 hours ago | parent | prev | next [-]

Thanks, I’ve seen scripted attacks bypass this sort of hidden input unfortunately (perhaps human assisted or perhaps just ignoring hidden fields).

jaggederest 7 hours ago | parent | next [-]

They often do actually ignore truly hidden fields (input type=hidden) but if you put them "behind" an element with css, or extremely small but still rendered, many get caught. It's similar to the cheeky prompt injection attacks people did/do against LLMs.
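As an added example (not code from this thread, from All Quiet or from Remix.run), a minimal server-side check combining the two tricks described above: a CSS-hidden decoy field that should stay empty, and a field that page JavaScript fills with a value the server expects. Field names, the token and the markup are assumptions.

```javascript
// Added example: honeypot check for a signup form. Hypothetical field names.
// Two traps: (1) a decoy text field real users never see and leave empty;
// (2) a field that page JavaScript fills with a value the server expects.

// Decoy markup. Hidden with CSS rather than type="hidden" (bots often skip
// type=hidden), kept out of the tab order and marked aria-hidden so keyboard
// and screen-reader users are not routed into it; autocomplete="off" reduces
// password-manager autofill false positives.
function honeypotMarkup(expectedToken) {
  return [
    '<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">',
    '  <label for="hp_family_name">Family Name</label>',
    '  <input id="hp_family_name" name="hp_family_name" type="text" tabindex="-1" autocomplete="off">',
    '</div>',
    '<input name="hp_token" type="hidden" value="">',
    `<script>document.querySelector('[name=hp_token]').value=${JSON.stringify(expectedToken)};</script>`,
  ].join('\n');
}

// Classify a parsed form body. expectedToken is whatever the server handed to
// honeypotMarkup() for this render (assumption: stored server-side per form).
// Returns 'ok', 'honeypot_filled' (reject or queue for review) or
// 'token_missing' (a user without JS lands here, so route to extra
// verification such as an accessible CAPTCHA rather than rejecting outright).
function classifySubmission(fields, expectedToken) {
  const decoy = (fields.hp_family_name ?? '').trim();
  if (decoy !== '') return 'honeypot_filled';
  if ((fields.hp_token ?? '') !== expectedToken) return 'token_missing';
  return 'ok';
}

// Constructed sample submissions (not real traffic).
const TOKEN = 'example-token-1234';
const samples = {
  human: { email: 'a@example.com', hp_family_name: '', hp_token: TOKEN },
  bot:   { email: 'b@example.com', hp_family_name: 'Smith', hp_token: '' },
  noJs:  { email: 'c@example.com', hp_family_name: '', hp_token: '' },
};

for (const [name, body] of Object.entries(samples)) {
  console.log(name, '->', classifySubmission(body, TOKEN));
}
```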

grey-area 6 hours ago | parent [-]

Thanks.

mads_quist 8 hours ago | parent | prev [-]

Sure, it's really basic of course.

bevr1337 8 hours ago | parent | prev | next [-]

Do you test this against password managers? Seems like this approach could generate false positives.

imhoguy 6 hours ago | parent | prev [-]

Watch out, it may break accessibility of your service. If somebody fills these fields I would add extra verification e.g. accessible CAPTCHA.

hrmtst93837 5 hours ago | parent | prev [-]

Honeypots work until the bot starts posting to every field. Dropping traffic scrubbing also means you lose the abuse reporting and IP reputation feed that a service like Cloudflare gives you, so a trick that filters one class of signup spam turns into you handling the rest of the mess yourself.