So far, I've tried Google Recaptcha which has reduced the rate but has not eliminated it, even at the maximum filtering level. The rate of fake sign ups is still high enough to cause email reputation problems for me. What do I do?
See what other patterns you find and ban IPs based on those.
Edit: I also remember people putting in fake fields that are not visible to the user. If they have any value in the form submission they are scripts and can be rejected.
- route throttling to something high since if they are new users they shouldn't need to hit that form more than once
- don't let the end user know that you were able to send an email. Keep it vague like "if your email exists, you should receive an email soon."
- don't use a personal email server; something like sendgrid can give you a server that is in good/neutral standing
- if you have to handle your own emails, keep up with any bounce backs and always keep an eye on your server being on any blacklists to get it cleared out as soon as possible
- honeypots can be useful if the spammer(s) isn't keeping a close eye on their scripts
- put your site behind a DDoS service
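As an added illustration, not code from any of the posters, here is a sign-up handler in Python that combines the hidden honeypot field from the earlier reply with this reply's per-IP throttling and vague-response advice; the field name `website`, the attempt limit and the time window are assumed/constructed values.

```python
import time
from collections import defaultdict

# Hypothetical name of the hidden honeypot input (assumption; pick your own).
HONEYPOT_FIELD = "website"
# Constructed throttle: at most this many sign-up attempts per IP per window.
MAX_ATTEMPTS = 3
WINDOW_SECONDS = 3600

# Identical message for every outcome, so the response never reveals
# whether an email was actually sent.
VAGUE_MESSAGE = "If your email exists, you should receive an email soon."

_attempts = defaultdict(list)  # ip -> timestamps of recent attempts


def _over_limit(ip, now):
    """Sliding-window throttle: True once ip exceeds MAX_ATTEMPTS in the window."""
    recent = [t for t in _attempts[ip] if now - t < WINDOW_SECONDS]
    recent.append(now)
    _attempts[ip] = recent
    return len(recent) > MAX_ATTEMPTS


def handle_signup(form, ip, now=None):
    """Return (should_send_email, message) for one posted form.

    form: dict of submitted fields. A script that fills every input will also
    fill the honeypot field, which a human never sees (hidden via CSS).
    """
    now = time.time() if now is None else now
    send = True
    if form.get(HONEYPOT_FIELD, "").strip():
        send = False  # hidden field was filled: treat as a script, drop silently
    elif _over_limit(ip, now):
        send = False  # throttled: reply with the same vague message anyway
    elif not form.get("email", "").strip():
        send = False  # nothing to send to
    # Same message on every branch so a caller cannot tell which one ran.
    return send, VAGUE_MESSAGE
```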
- Is your site behind a CDN and if so which one?
- What is your web server tech stack? i.e. Linux, Nginx/Apache, application language, and do you manage it or a 3rd party?
- Any other details such as how the form fields are generated, etc.