
Postmortem: 25K Fake Accounts in Just Over an Hour — What We Learned

How mentor.sh was flooded with spam signups and what we did to recover — a real story of bots, email limits, and reactive defense.

August 7, 2025

Recently, mentor.sh was flooded with over 25,000 fake user accounts — all created in just over an hour.

No trending post. No Hacker News spike. Just a flood of bots hammering our signup flow and filling our database with garbage.

Here's how it happened, what accidentally protected us, and what we've done since.


📈 The Bot Flood

We noticed a sudden surge in signups — an exciting metric, until we saw the details:

  • 25,000+ accounts created in a little over an hour
  • Most used disposable email providers like mail7.io
  • Many profiles included phishing URLs in the username
  • The intent seemed to be SEO abuse or malicious redirection

😅 What Accidentally Saved Us

Ironically, our savior was hitting the Mailtrap quota.

Our dev email infrastructure (Mailtrap) had reached its monthly limit — which meant no confirmation or welcome emails went out.

This prevented most spam accounts from being “activated” or having their phishing links delivered to real users. An unexpected, lucky fail-safe.


🧹 What We Did Immediately

We reacted quickly:

  • Deleted over 24,600 spam accounts
  • Enabled CAPTCHA (Cloudflare Turnstile) on the signup form
  • Blocked disposable email domains at validation
  • Rate-limited IPs showing abnormal behavior
  • Raised our Mailtrap quota temporarily to stabilize email services
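
The two validation steps above (blocking disposable domains, rate-limiting abusive sources) are cheap checks that belong in front of the database write and the confirmation-mail send. The following is an added example, not mentor.sh's own code (the post does not describe its stack): a Python signup gate that rejects disposable domains (mail7.io is the provider named above; the second blocklist entry is a constructed placeholder), applies a per-IP sliding-window limit, and refuses URL-like usernames, since the incident saw phishing URLs there. The limit values and the `validate_signup` function name are assumptions chosen for illustration.

```python
import re
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Disposable-email blocklist. mail7.io is the provider named in the postmortem;
# "throwaway.example" is a constructed placeholder standing in for a fuller list.
DISPOSABLE_DOMAINS = {"mail7.io", "throwaway.example"}

# Minimal heuristic for URL-like usernames (the incident saw phishing URLs there).
URL_IN_TEXT = re.compile(r"(https?://|www\.)", re.IGNORECASE)

# Per-IP limit: at most MAX_SIGNUPS_PER_IP attempts within WINDOW_SECONDS.
# Constructed values; tune them to your own signup baseline.
MAX_SIGNUPS_PER_IP = 5
WINDOW_SECONDS = 600


def email_domain(email: str) -> Optional[str]:
    """Return the lowercased domain of a syntactically plausible address, else None."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()


def is_disposable(domain: str) -> bool:
    """True if the domain or any parent domain is blocklisted,
    so 'x.mail7.io' is caught as well as 'mail7.io'."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS
               for i in range(len(labels) - 1))


class SlidingWindowLimiter:
    """Counts signup attempts per IP inside a sliding time window."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, ip: str, now: float) -> bool:
        hits = self._hits.setdefault(ip, deque())
        # Drop attempts that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def validate_signup(email: str, username: str, ip: str,
                    limiter: SlidingWindowLimiter,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Run the cheap rejections before anything touches the database
    or the mail queue. Returns (accepted, reason)."""
    if now is None:
        now = time.time()
    # Rate-limit first so a flood from one source never reaches the other checks.
    if not limiter.allow(ip, now):
        return False, "rate_limited"
    domain = email_domain(email)
    if domain is None:
        return False, "invalid_email"
    if is_disposable(domain):
        return False, "disposable_email_domain"
    if URL_IN_TEXT.search(username):
        return False, "url_in_username"
    return True, "ok"
```

The limiter here is in-process and per-IP; behind a load balancer it would need shared storage (and the real client address from a trusted proxy header), and a CAPTCHA such as Turnstile would sit alongside it rather than replace it.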

We were lucky this didn’t go further — but we won’t rely on luck next time.


🔐 What We're Doing Now

To prevent this kind of event from happening again:

  • ✅ CAPTCHA is now required on all critical auth routes
  • ✅ Email domain filtering is in place for known bad actors
  • ✅ Signup spikes are now monitored and alertable
  • ✅ Passive rate limiting is being applied before DB writes
  • ✅ Suspicious patterns can trigger delayed verification or blocks
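
"Signup spikes are monitored and alertable" is the control that would have caught this flood in its first minutes rather than at 25,000 accounts. As an added example (not mentor.sh's code; its monitoring stack is not described), here is a Python spike detector that buckets signup events per minute, compares each bucket with the median of the preceding quiet buckets, and reports which email domain dominates a spike, since here most accounts came from one disposable provider. The thresholds, the `detect_spikes` name and the sample log are assumptions; the log is constructed to mimic a low baseline followed by a three-minute bot burst.

```python
from collections import Counter
from statistics import median
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str]  # (unix timestamp, email domain of the new account)

BUCKET_SECONDS = 60
BASELINE_BUCKETS = 10       # prior quiet buckets that form the baseline
SPIKE_MULTIPLIER = 5.0      # alert when a bucket exceeds 5x the baseline...
MIN_SIGNUPS_TO_ALERT = 20   # ...and holds at least this many, so quiet hours don't page


def detect_spikes(events: Iterable[Event],
                  bucket: int = BUCKET_SECONDS,
                  baseline_buckets: int = BASELINE_BUCKETS,
                  multiplier: float = SPIKE_MULTIPLIER,
                  min_count: int = MIN_SIGNUPS_TO_ALERT) -> List[dict]:
    """Return one alert dict per bucket whose signup count is anomalous."""
    by_bucket: Dict[int, Counter] = {}
    for ts, domain in events:
        key = int(ts // bucket) * bucket
        by_bucket.setdefault(key, Counter())[domain] += 1
    if not by_bucket:
        return []

    alerts: List[dict] = []
    history: List[int] = []
    # Walk every bucket in range so empty minutes count as zero in the baseline.
    for b in range(min(by_bucket), max(by_bucket) + bucket, bucket):
        domains = by_bucket.get(b, Counter())
        count = sum(domains.values())
        baseline = median(history) if history else 0.0
        if count >= min_count and count > multiplier * max(baseline, 1.0):
            top_domain, top_n = domains.most_common(1)[0]
            alerts.append({
                "bucket": b,
                "count": count,
                "baseline": baseline,
                "top_domain": top_domain,
                "top_share": top_n / count,
            })
            continue  # keep spike buckets out of the baseline so a long flood can't hide itself
        history.append(count)
        if len(history) > baseline_buckets:
            history.pop(0)
    return alerts


def constructed_signup_log() -> List[Event]:
    """Constructed sample: 2 signups/min from real-looking domains for 10 minutes,
    then 400 signups/min for 3 minutes, 95% of them from mail7.io."""
    events: List[Event] = []
    for minute in range(10):
        events.append((minute * 60 + 5.0, "example.org"))
        events.append((minute * 60 + 35.0, "example.com"))
    for minute in range(10, 13):
        for i in range(400):
            domain = "example.net" if i % 20 == 0 else "mail7.io"
            events.append((minute * 60 + i * 60 / 400, domain))
    return events


if __name__ == "__main__":
    for alert in detect_spikes(constructed_signup_log()):
        print(f"bucket={alert['bucket']} signups={alert['count']} "
              f"baseline={alert['baseline']} top={alert['top_domain']} "
              f"share={alert['top_share']:.0%}")
```

The absolute floor (`MIN_SIGNUPS_TO_ALERT`) matters as much as the multiplier: a median baseline of zero or one overnight would otherwise turn a handful of legitimate signups into a page. The same bucketing can feed the "delayed verification or blocks" step above, for instance by switching new signups to a hold queue while a spike alert is active.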

We’re also investigating browser fingerprinting and anomaly detection to proactively flag bot-like behavior.


💡 Key Takeaways

  • Email quota limits can be a hidden blessing. They contained the blast radius.
  • Bots move faster than you think. Over 25k accounts in about an hour.
  • Post-cleanup is expensive. Even with automation, data integrity checks took time.
  • You’re never too small to get hit. This wasn’t targeted — it was automated.

✅ Final Thoughts

This wasn’t growth. This was a stress test.

We're glad it happened early in our journey — because it forced us to harden things we thought could wait.

If you're building a public-facing product, don't assume obscurity is protection. Bots don't care how big you are.

Stay safe — and secure — out there.

— The mentor.sh team