Based on some recent experience maintaining a public-facing website, I would figure out if the spammers are actually getting anything useful. If not, they're probably just probing for a weakness and will quit in a few hours (or maybe days) when they learn there's nothing to be gained. This happened to me on a few occasions. Also, if all the requests are coming from the same IP, you could block that IP for a week and they'll probably quit.
However, I will also volunteer this: I've recently been working with AWS Cognito and it might be another option. It supports signing up with an email address which Cognito will verify (when configured to do so). The AWS free tier includes up to 50,000 monthly active users. Cognito also allows people to log in with Facebook/Google/Apple/Amazon, and adding Github would probably be pretty easy. I haven't personally gotten this far yet, but I think these users are also included in the 50,000 free tier limit. In about a month, I should have time to work on this if it sounds viable and desirable to whomever would make that decision. On Wednesday, October 14, 2020 at 3:01:55 AM UTC-5, Tony Garnock-Jones wrote: > > I get bounces and delivery-delay notifications from the package-server > account signup/login system. > > I am seeing a vast number of failed and delayed registration/login > emails to suspicious-looking email addresses recently. > > I suspect we might be under spammer attack :-( > > We could do a few things: > > 1. switch to "log in with github", "log in with google", etc. > > 2. add a dumb domain-specific captcha like "(foldl + 0 '(1 2 3)) = ?" > > 3. add recaptcha > > I don't very much like 3 because eww, who wants to help train > murderbots? I don't know if 2 will help, either in the short or long > term. Picking 1 will turn people off and is generally a bit exclusionary. > > But I think 1 is likely the best option all around. Get someone else to > do the expensive heavy lifting. > > Tricky problem. (Hard to imagine what the spammers are getting out of > this, if even they're there... Perhaps step 0 is to keep better logs of > what's going on in the system.) > > Tony > -- You received this message because you are subscribed to the Google Groups "Racket Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-dev/7db135fb-ce92-4879-b1ca-4a0824b1d924o%40googlegroups.com.