How to stop fake signups (without annoying real users)

May 13, 2026 · 8 min read

Fake signups quietly corrupt a product. They inflate your user count, skew activation and retention metrics, burn free-tier resources, and poison every email campaign with addresses that bounce or never open. The goal isn't to block everyone — it's to stop the junk without adding friction for real users. Here's a layered defense that does exactly that.

Why fake signups happen

Most fake signups aren't malicious — they're people who want what's behind your signup wall without committing a real identity. The rest are abuse: trial farming, referral fraud, and bots. The two share one trait — a throwaway or fake email address.

Layer 1: block disposable email addresses

This is the highest-leverage, lowest-friction filter. Disposable email services hand out temporary inboxes that expire in minutes. A user with a real intent to use your product almost never signs up with one.

Reject them at the form with an offline check — no latency, no cost, no impact on legitimate users:

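Terminal

```bash
npm install @isdisposable/js
```

signup.ts

```typescript
import { isDisposable } from '@isdisposable/js';

// Call from your signup handler; the function name here is illustrative.
export function checkSignupEmail(email: string): { error: string } | null {
  if (isDisposable(email)) {
    return { error: 'Please use a permanent email address.' };
  }
  return null; // not a known disposable domain
}
```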

This single check removes the largest category of fake signups. Not sure if an address qualifies? Look it up in the disposable domain checker.

Layer 2: require email verification

Send a confirmation link and don't mark the account active until it's clicked. This costs a real user ten seconds and stops anyone using a fake address on a domain they don't control. Combined with Layer 1 — which removes disposable domains the user does control — most fake signups are now gone.

Layer 3: rate-limit and detect bots

For automated abuse, rate-limit signups per IP and add an invisible bot check (a modern CAPTCHA or a honeypot field). Keep it invisible — a visible CAPTCHA on every signup is friction real users feel.

Layer 4: catch suspicious patterns server-side

Plus-addressing abuse (name+1@, name+2@), bursts of signups from one domain, or addresses on domains with no MX record are all signals. The isDisposable API returns MX validity and a risk score so you can flag these without writing the heuristics yourself:

risk.ts

```typescript
import { createIsDisposable } from '@isdisposable/js';

const client = createIsDisposable({ apiKey: process.env.ISDISPOSABLE_KEY });
const result = await client.check(email);

if (result.score > 70) {
  // Hold for review instead of auto-approving.
}
```
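
For reference, here is what two of the Layer 4 signals (plus-addressing abuse and bursts from one domain) look like as local, in-memory heuristics. This is an added example, not code from isDisposable or from the original post; the thresholds, function names, exempt-provider list and sample traffic are all assumptions.

```typescript
// Added example. Thresholds, names and sample data are assumptions.
type Flag = 'plus-alias-reuse' | 'domain-burst';

const WINDOW_MS = 10 * 60 * 1000; // look-back window
const MAX_ALIASES = 2;            // distinct +tag variants tolerated per mailbox
const MAX_PER_DOMAIN = 3;         // signups tolerated per low-volume domain
const HIGH_VOLUME = ['gmail.com', 'outlook.com']; // exempt from the burst flag

// Collapse name+1@ and name+2@ onto one mailbox key; null if malformed.
function canonicalize(email: string): { address: string; mailbox: string; domain: string } | null {
  const address = email.trim().toLowerCase();
  const at = address.lastIndexOf('@');
  if (at < 1 || at === address.length - 1) return null;
  const local = address.slice(0, at);
  const plus = local.indexOf('+');
  const base = plus === -1 ? local : local.slice(0, plus);
  if (base === '') return null;
  const domain = address.slice(at + 1);
  return { address, mailbox: base + '@' + domain, domain };
}

function createDetector() {
  const aliases = new Map<string, Map<string, number>>(); // mailbox -> address -> last seen
  const domains = new Map<string, number[]>();            // domain -> signup times
  return function check(email: string, now: number): Flag[] {
    const c = canonicalize(email);
    if (c === null) return [];
    const cutoff = now - WINDOW_MS;
    const flags: Flag[] = [];
    // Signal 1: many +tag variants of one mailbox inside the window.
    const seen = aliases.get(c.mailbox) ?? new Map<string, number>();
    seen.forEach((t, addr) => { if (t < cutoff) seen.delete(addr); });
    seen.set(c.address, now);
    aliases.set(c.mailbox, seen);
    if (seen.size > MAX_ALIASES) flags.push('plus-alias-reuse');
    // Signal 2: burst of signups from one domain that is not a large provider.
    const times = (domains.get(c.domain) ?? []).filter((t) => t >= cutoff);
    times.push(now);
    domains.set(c.domain, times);
    if (HIGH_VOLUME.indexOf(c.domain) === -1 && times.length > MAX_PER_DOMAIN) flags.push('domain-burst');
    return flags;
  };
}

// Constructed sample traffic: [address, seconds since start].
const SAMPLE: [string, number][] = [
  ['ana@gmail.com', 0], ['sam+1@example.test', 5], ['sam+2@example.test', 9],
  ['sam+3@example.test', 12], ['kim@example.test', 20], ['sam+4@example.test', 700],
];
function runSample(): Flag[][] {
  const check = createDetector();
  return SAMPLE.map(([email, seconds]) => check(email, seconds * 1000));
}
```

A returned flag is a reason to hold the signup for review, not to reject it. In production the two maps would live in a shared store with expiry rather than in process memory.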

What NOT to do

  • Don't block whole categories of real providers — that costs you real users.
  • Don't put a visible CAPTCHA in front of every signup; reserve it for suspicious traffic.
  • Don't rely on regex alone — a fake address is usually syntactically perfect.

Summary

Stopping fake signups is a stack, not a single switch: block disposable emails, require verification, rate-limit bots, and score the rest. The first layer — disposable-email detection — removes the most fake signups for the least friction, and it's free to add today.

Block disposable emails today

isDisposable is free and open source — add it to your signup flow in one line.