SaaS · 9 min read · Dec 10, 2024

How to Stop Fake Signups in Your SaaS Application

A complete guide to preventing bot registrations, disposable email abuse, and fake account creation using real-time email validation.

ValidoAPI Team

Fake signups cost SaaS products in multiple ways: they inflate your user metrics, abuse free-tier resources, pollute your analytics, and can rack up email costs when you send onboarding sequences to addresses that nobody reads. Here is a layered defence strategy.

The Anatomy of a Fake Signup

Fake signups usually fall into one of three categories: disposable email users trying to grab multiple free trials, bots harvesting accounts (for future credential stuffing or resale), and real people using personal addresses they abandon so they're not added to your marketing list.

Layer 1: Real-Time Email Validation

Block disposable emails and syntax failures at the form level. This stops the majority of drive-by abuse immediately. The key is to do this server-side (not just client-side JavaScript) so it can't be bypassed.

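```python
# Python / Django example
import requests
from django.conf import settings


def validate_email_for_signup(email: str) -> dict:
    """Check an address with the validation API before creating the account."""
    resp = requests.get(
        "https://api.validoapi.com/v1/validate",
        params={"email": email},
        headers={"X-API-Key": settings.VALIDOAPI_KEY},
        timeout=3,  # keep the signup request responsive
    )
    # Raise on HTTP errors instead of parsing an error body as a result;
    # the caller decides whether to allow or hold the signup on failure.
    resp.raise_for_status()
    data = resp.json()
    return {
        # Reject invalid addresses and known disposable domains.
        "allowed": bool(data.get("valid")) and not data.get("is_disposable"),
        "reason": data.get("reason"),
    }
```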

Layer 2: Email Confirmation

Even with validation, require email confirmation before activating full features. This catches two cases: addresses that are technically valid but not owned by the person signing up, and disposable addresses that slipped through because they are new enough not to be in the blocklist yet.

Layer 3: Rate Limiting by Domain

If you see an unusual number of signups from the same domain within a short window, rate-limit or temporarily block that domain. Attackers sometimes register a "normal-looking" domain and use it for bulk fake signups, which basic blocklists won't catch.
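
One way to implement the per-domain limit described above is a sliding-window counter. This is an added example, not ValidoAPI code: the class name, the window, the threshold and the exempt list are assumptions to tune against your own signup baseline, and the in-memory store only works for a single process.

```python
import time
from collections import defaultdict, deque

# Assumed values for illustration; tune against your normal signup volume.
WINDOW_SECONDS = 600
MAX_SIGNUPS_PER_DOMAIN = 5
# Large free providers are exempt: high volume from them is normal,
# and throttling them would reject legitimate users.
EXEMPT_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


class DomainRateLimiter:
    """Sliding-window limit on accepted signups per email domain (hypothetical helper)."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_SIGNUPS_PER_DOMAIN):
        self.window = window
        self.limit = limit
        self._accepted = defaultdict(deque)  # domain -> timestamps of accepted signups

    def allow(self, email, now=None):
        """Return True and record the signup, or False if the domain is over its limit."""
        now = time.time() if now is None else now
        # Normalise so "Example.COM." and "example.com" share one counter.
        domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
        if domain in EXEMPT_DOMAINS:
            return True
        accepted = self._accepted[domain]
        # Drop timestamps that have aged out of the window.
        while accepted and accepted[0] <= now - self.window:
            accepted.popleft()
        if len(accepted) >= self.limit:
            return False
        accepted.append(now)
        return True
```

Call `allow()` after the Layer 1 check passes and before creating the account; with several app servers, keep the counters in a shared store instead of process memory.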

Layer 4: Behavioural Signals

Combine email validation with other signals: time to complete the form (bots are very fast), IP reputation, and device fingerprinting. Email validation is one layer — it works best as part of a broader fraud prevention stack.

What Not to Do

  • Don't block entire free email providers (Gmail, Yahoo, Hotmail) — this is too aggressive and will reject legitimate users
  • Don't rely solely on client-side validation — it can be trivially bypassed
  • Don't add friction for legitimate users — a 3-second real-time check is invisible; a CAPTCHA + manual review is not