Subscription bombing and how to mitigate it
Security attack vector with practical mitigation steps for developers.
Suga detected subscription bombing through inactive accounts with gibberish names. Using Resend and PostHog, they traced bots that sign up and then request a password reset within 60 seconds. The bots mimic human typing with uniformly random delays of about one character per second, and they originate from many countries, including India and Brazil, so the low-volume, globally distributed pattern evades typical bot detection (per-IP or per-country rate limits never trip).
Mitigation: implement adaptive bot detection that scores the sign-up-then-reset timing and the account's other signals together, and require email verification before sending any further account emails (welcome, password reset) so an unverified sign-up can trigger at most one message.
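The detection and gating described above, as an added example that is not Suga's code: it replays a constructed auth event log (the event schema, field names, 60-second window and gibberish heuristic are assumptions for illustration), flags users who reset their password within the window and have a keyboard-mash display name, shows why the per-country counts stay too low for naive rate limiting, and gates outbound email on verification status.

```python
"""Added example: flag 'sign up, then reset within 60 s' bots and gate email.
Not Suga's code; schema, thresholds and heuristics are assumptions."""
import re
from datetime import datetime

VOWELS = set("aeiou")

# Constructed sample events (not real telemetry):
# (user, event, UTC timestamp, display name, country)
SAMPLE_EVENTS = [
    ("u1", "signup",         "2024-05-01T10:00:00Z", "Alice Tan",  "SG"),
    ("u1", "password_reset", "2024-05-01T11:30:00Z", "Alice Tan",  "SG"),
    ("u2", "signup",         "2024-05-01T10:05:00Z", "xqzvptrk",   "IN"),
    ("u2", "password_reset", "2024-05-01T10:05:42Z", "xqzvptrk",   "IN"),
    ("u3", "signup",         "2024-05-01T10:20:00Z", "bwrtnkdl",   "BR"),
    ("u3", "password_reset", "2024-05-01T10:20:31Z", "bwrtnkdl",   "BR"),
    ("u4", "signup",         "2024-05-01T10:25:00Z", "Bob Ortega", "US"),
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def looks_gibberish(name: str) -> bool:
    """Crude heuristic (assumed) for keyboard-mash names on Latin script:
    almost no vowels, or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if not letters:
        return True
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5


def reset_delay_seconds(events):
    """Map user -> seconds between first signup and first password_reset."""
    first = {}
    for user, kind, ts, _name, _country in events:
        first.setdefault((user, kind), parse_ts(ts))
    delays = {}
    for (user, kind), t in first.items():
        if kind == "signup" and (user, "password_reset") in first:
            delays[user] = (first[(user, "password_reset")] - t).total_seconds()
    return delays


def flag_suspicious(events, window_seconds=60):
    """Users who reset within the window AND carry a gibberish display name.
    Combining signals keeps a legitimate fast-reset user (u1-style) unflagged."""
    names = {user: name for user, _k, _ts, name, _c in events}
    delays = reset_delay_seconds(events)
    return {u for u, d in delays.items()
            if 0 <= d <= window_seconds and looks_gibberish(names[u])}


def per_country_counts(events, flagged):
    """Sign-ups per country among flagged users: one each here, which is why
    per-country or per-IP rate limits never fire on this campaign."""
    counts = {}
    for user, kind, _ts, _name, country in events:
        if kind == "signup" and user in flagged:
            counts[country] = counts.get(country, 0) + 1
    return counts


def should_send(email_kind: str, verified: bool) -> bool:
    """Email gate: before verification only the verification mail goes out,
    so an unverified sign-up can trigger at most one message."""
    return email_kind == "verification" or verified


if __name__ == "__main__":
    flagged = flag_suspicious(SAMPLE_EVENTS)
    print("flagged:", sorted(flagged))
    print("per country:", per_country_counts(SAMPLE_EVENTS, flagged))
    print("reset mail for unverified user sent?", should_send("password_reset", False))
```

In production the timing and name signals would feed a score alongside the signup-to-reset behaviour observed in PostHog, and the email gate would sit in front of the Resend call rather than being a standalone check.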
As a senior engineer building authentication systems, you need to design defenses against low-and-slow attacks that exploit email-based workflows and evade simple rate limiting.