<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Jaime trejo</title>
    <description>The latest articles on DEV Community by Jaime trejo (@jaime_trejo_7).</description>
    <link>https://dev.to/jaime_trejo_7</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4001203%2Fd85e88e9-fa34-4d7d-bdf2-12179470137a.png</url>
      <title>DEV Community: Jaime trejo</title>
      <link>https://dev.to/jaime_trejo_7</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/jaime_trejo_7"/>
    <language>en</language>
    <item>
      <title>55,000 fake signups in one night: a bot-detection post-mortem</title>
      <dc:creator>Jaime trejo</dc:creator>
      <pubDate>Wed, 24 Jun 2026 20:23:42 +0000</pubDate>
      <link>https://dev.to/jaime_trejo_7/55000-fake-signups-in-one-night-a-bot-detection-post-mortem-2d50</link>
      <guid>https://dev.to/jaime_trejo_7/55000-fake-signups-in-one-night-a-bot-detection-post-mortem-2d50</guid>
      <description>&lt;p&gt;We sell bot detection. Last night I opened our database and found 555 pages of fake signups. This is the honest write-up: what broke, why it's embarrassing, how we fixed it in one night — and the accidental circuit breaker that saved our email domain.&lt;/p&gt;

&lt;p&gt;The discovery&lt;/p&gt;

&lt;p&gt;Tuesday, 11pm. I open the Supabase table editor to check something unrelated and the developers table feels… heavy. Every row has the same name: "🎁 Dene Hemen! 5K Lira Bonusunu Yakala" — Turkish for "Try it now! Grab the 5,000 Lira bonus." Casino spam. I scroll. Page 2. Page 40. Page 555.&lt;/p&gt;

&lt;p&gt;55,388&lt;br&gt;
FAKE SIGNUPS&lt;/p&gt;

&lt;p&gt;58,618&lt;br&gt;
JUNK VERIFICATION LOGS&lt;/p&gt;

&lt;p&gt;12&lt;br&gt;
REAL ACCOUNTS (OUCH)&lt;/p&gt;

&lt;p&gt;Yes you read the third number right. We're early. For a few minutes our growth chart looked incredible, as long as you didn't read the names. The irony was not lost on me: bots flooded the signup form of a bot-detection product.&lt;/p&gt;

&lt;p&gt;-Root cause #1 — no rate limiting on signup&lt;/p&gt;

&lt;p&gt;Our public API endpoints had per-plan rate limiting from day one. Our marketing site signup? A honeypot field and good intentions. Honeypots only catch bots polite enough to render your form — these ones POSTed the endpoint directly, thousands of times, and never even saw the hidden field.&lt;/p&gt;

&lt;p&gt;A honeypot is a screen door. Rate limiting is the lock. We had the screen door.&lt;/p&gt;

&lt;p&gt;-Root cause #2 — we dogfooded wrong (the embarrassing one)&lt;/p&gt;

&lt;p&gt;Here's the part that stings. Our signup did call our own bot-detection API on every registration. So why didn't it catch 55,000 bots?&lt;/p&gt;

&lt;p&gt;Because we called it with just a userId — no behavioral signals. useHUMA scores behavior: mouse movement, keystroke cadence, scroll rhythm, touch patterns. Given zero signals, the engine returned a neutral score. Neutral cleared our threshold. Every bot passed.&lt;/p&gt;

&lt;p&gt;We installed our own security camera and pointed it at the wall. If you dogfood your product, dogfood it the way you tell customers to use it — or it's decoration.&lt;/p&gt;

&lt;p&gt;-Root cause #3 — every fake signup sent a real email&lt;/p&gt;

&lt;p&gt;Each registration fired a verification email. 55K signups = 55K attempted sends to fake addresses — the kind of bounce storm that gets a sending domain blacklisted. What saved us? Our email provider's free-tier daily cap. The limit we'd been mildly annoyed by quietly refused to send the flood. Domain reputation: intact.&lt;/p&gt;

&lt;p&gt;Sometimes the constraint you resent is the circuit breaker you never installed.&lt;br&gt;
The fix (same night)&lt;/p&gt;

&lt;p&gt;Four changes, shipped before going to bed:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Per-IP rate limit on signup (5/min) — reusing the same
atomic counter our API already used. ~12 lines.&lt;/li&gt;
&lt;li&gt;Lifecycle emails (drip, trial reminders) now filter
email_verified = true. Spam rows never get emailed again.&lt;/li&gt;
&lt;li&gt;Deleted 113K junk rows (after pattern-matching them safely).&lt;/li&gt;
&lt;li&gt;A weekly habit: one SQL count query. Monitoring you don't
look at is monitoring you don't have.
Update, same week: shipped. Our signup now collects full behavioral signals client-side and scores them on every registration — and a submission carrying no signals at all gets rejected outright. Our own form finally uses useHUMA the way we tell customers to. The camera points at the door.&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>security</category>
    </item>
  </channel>
</rss>
