What to do about spam sign-ups
(Some draft notes - comments welcome!)
Why am I getting sign-ups that don't look like real users? What's the point?
Sometimes Ghost sites (just like every other type of site out there) suddenly start getting lots of sign-ups. Super cool, right? Did you just go viral? Then you look at them, and the email addresses don't look real, or the locations don't make sense. And no, you didn't go viral; you're just getting spam sign-ups.
I suspect that many of these spammy-looking sign-ups are a setup for comment link spam. (There's a tremendous number of attempts to place links on websites for SEO purposes. The Ghost forum gets multiple sign-ups every day that appear to be nothing but SEO link spam.) I suspect that these accounts will be allowed to 'age' a bit (because some anti-spam systems are triggered by new accounts – although not on Ghost), and then will attempt to post comments with links.
Magic links are generally better than passwords for anti-spam, because they require the spammy account-maker to use a mailbox they can actually read, and to click the link to validate the account. Unfortunately, they are apparently not enough.
Interestingly, the recent outbreak in SMS-to-email-gateway sign-ups appears to be making requests for magic links in an automated way, as the requests are showing a URL (/membership/) that doesn't exist on many Ghost sites. That suggests the account spammers are running a script, not manually signing up. Did the account spammers also set up automation to click magic links? Hard to say.
There's work in progress to put a CAPTCHA in front of Ghost sign-ups. Hopefully that'll help discourage spammers from hitting Ghost sites.
What do I do about spam sign-ups?
If you can identify a pattern in the domains used to sign up, block them.
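Spotting that pattern is easier with a quick script over your members export than by scrolling the admin UI. The following Python triage is an added example (it is not from these notes and not part of Ghost); it assumes the export has email, name and created_at columns in ISO format, the sample rows are constructed, and the SMS-gateway domain list is a short illustrative set of real carrier gateways rather than a complete one. It flags carrier gateway domains, phone-number-shaped local parts, and bursts of sign-ups landing seconds apart (the script-driven behaviour described above), and tallies sign-ups per domain so you can decide what to block.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample. Column names are assumed to match a Ghost members
# export (email, name, created_at); the rows are made up for this example.
SAMPLE_CSV = """email,name,created_at
alice@example.com,Alice,2024-05-01T10:12:00.000Z
5551234567@vtext.com,,2024-05-03T02:14:05.000Z
5559876543@vtext.com,,2024-05-03T02:14:09.000Z
5550001111@txt.att.net,,2024-05-03T02:14:12.000Z
5552223333@tmomail.net,,2024-05-03T02:14:15.000Z
bob@example.org,Bob,2024-05-04T15:40:00.000Z
qwer7u9@sale-seo-links.example,seo links,2024-05-05T08:00:00.000Z
"""

# Carrier SMS-to-email gateways. These are real carrier domains, but the
# list is illustrative only; extend it with whatever you see in your export.
SMS_GATEWAY_DOMAINS = {"vtext.com", "txt.att.net", "tmomail.net", "messaging.sprintpcs.com"}

# A local part that is just a phone number (10-15 digits, optional leading +).
PHONE_LOCALPART = re.compile(r"^\+?\d{10,15}$")


def parse_members(text):
    """Read an export and turn created_at into datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["created_at"] = datetime.strptime(r["created_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return rows


def domain_of(email):
    return email.rsplit("@", 1)[1].lower()


def flag_member(row):
    """Per-member heuristics; returns the list of reasons that fired."""
    reasons = []
    local, domain = row["email"].rsplit("@", 1)
    if domain.lower() in SMS_GATEWAY_DOMAINS:
        reasons.append("sms-gateway domain")
    if PHONE_LOCALPART.match(local):
        reasons.append("phone-number local part")
    return reasons


def burst_signups(rows, window=timedelta(minutes=10), min_count=3):
    """Emails that belong to any run of >= min_count sign-ups inside one window.

    Sliding window over the time-sorted rows: j trails i so that everything in
    ordered[j:i+1] was created within `window` of row i.
    """
    ordered = sorted(rows, key=lambda r: r["created_at"])
    flagged = set()
    j = 0
    for i, r in enumerate(ordered):
        while r["created_at"] - ordered[j]["created_at"] > window:
            j += 1
        if i - j + 1 >= min_count:
            flagged.update(x["email"] for x in ordered[j:i + 1])
    return flagged


def domain_counts(rows):
    """How many sign-ups each domain accounts for, most common first."""
    return Counter(domain_of(r["email"]) for r in rows)


def triage(text, window=timedelta(minutes=10), min_count=3):
    """Map each suspicious email to the reasons it was flagged."""
    rows = parse_members(text)
    bursty = burst_signups(rows, window, min_count)
    report = {}
    for r in rows:
        reasons = flag_member(r)
        if r["email"] in bursty:
            reasons.append("sign-up burst")
        if reasons:
            report[r["email"]] = reasons
    return report


if __name__ == "__main__":
    for email, reasons in triage(SAMPLE_CSV).items():
        print(f"{email}: {', '.join(reasons)}")
    print(domain_counts(parse_members(SAMPLE_CSV)).most_common(5))
```

Run it against your real export instead of SAMPLE_CSV and treat the output as a review queue, not a kill list: the heuristics only catch the patterns you encode, so the lone SEO-looking account in the sample is not flagged and still needs a human look. Once a domain dominates the counts, that is the one to block.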
Otherwise...
- Delete any member that looks suspect. (If you're paying for Ghost(Pro), you'll want to do that anyway, since otherwise they'll bump up your cost once you accumulate enough of them.) 👉 See this interesting use of Make shared by Magnus over on the Ghost forum.
- Set comments to 'paid members only'. This isn't going to stop spam sign-ups, but it reduces the chance of problem comments actually getting posted, meaning the payout for the spammer should be exactly $0.
- Turn off your free plan. Set your Ghost access to 'paid members only' (under /ghost > Settings > Access). Then offer a tier that is nominally "paid" but costs $1/year (or something equally silly), with a multi-year free trial or a 100% discount offer. The point is to run every sign-up through Stripe's checkout and card entry, which is hopefully enough friction that spammers won't bother. If you do this and you have gated content, you also need to switch post access from "paid members" to "specific tiers" and select only your real paid tier, so that the free-replacement (but nominally "paid") tier doesn't unlock it.
Ugh. That's all I've got. I don't love any of that.