Keeping our free tier sustainable by preventing abuse

106 points by thecodemonkey, 4 months ago

11 comments

AceJohnny2, 3 months ago
Thanks for this writeup. Whenever people complain about some service removing or making it harder to try out a free tier, I think they don't realize the amount of abuse that needs to be managed by the service providers.

"Why do things suck?" Because parasites ruined it for the rest of us.

> We have to accept a certain amount of abuse. It is a far better use of our time to use it improving Geocodio for legitimate users rather than trying to squash everyone who might create a handful of accounts

Reminds me of Patrick McKenzie's "The optimal amount of fraud is non-zero" [1] (wrt banking systems)

Also, your abuse-scoring system sounds a bit like Bayesian spam filtering, where you have a bunch of signals (Disposable Email, IP from Risky Source, Rate of signup...) that you correlate, no?

[1] https://www.bitsaboutmoney.com/archive/optimal-amount-of-fraud/
caydenm, 3 months ago
Free tier and free trial abuse is a huge problem, but also a huge opportunity.

We have seen customers where free tier abusers created 80k+ accounts in a day and cost millions of dollars. We have also seen businesses, like Oddsjam add significant revenue by prompting abusers to pay.

The psychology of abuse is also quite interesting, where even what appears to be serious abusers (think fake credit cards, new email accounts etc.) will refuse a discount and pay full price if they feel they 'got caught'
oger, 3 months ago
Great writeup. Simple heuristics very often work wonders. The fraudsters are out there and try to pinch holes in your shield. Some time ago we were running a mobile service provider and had some issues with fraudulent postpaid subscribers - however the cost of using background checking services was substantial. We solved it quite effectively by turning the background checks on when the level of fraud went over a certain threshold which made them go away for some weeks. We kept this on and off pattern for a very long time with great success as it lowered the friction to sign up significantly when turned off…
benabbott, 3 months ago
When sites use an AI generated image like this and don't bother to spend 10 seconds looking to make sure it looks okay (UIGN SIGN UPP? AISK ANACIS?) it makes me question whether that same level of care was put into writing the article.
prteja11, 3 months ago
I get why they don't want to share their detection mechanics for potential fraudulent signups, but that is a very interesting topic to learn and discuss.
manmal, 3 months ago
Apple's mail privacy protection creates disposable addresses with host icloud.com. It's not as hassle free and can't be automated, but this could definitely be used to create a lot of free accounts. But I don't see them banning this domain I guess?
polishdude20, 3 months ago
How does an address API get its info? Presumably addresses don't change often right? When they do, how does a service like this update its records?
gwbas1c, 3 months ago
Makes me wonder how easy / hard it is to turn this kind of feature into a standalone product?

IE, send email, IP, browser agent, and perhaps a few other datapoints to a service, and then get a "fraudulent" rating?
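
The signal correlation AceJohnny2 compares to Bayesian spam filtering, and the "send datapoints, get a rating" idea in gwbas1c's comment, sketched as an added example (not code from the thread or from Geocodio, whose scoring is not disclosed here). It assumes a naive Bayes model over three boolean signals named in the thread; the labelled history and the function names are constructed for illustration.

```python
import math
from collections import Counter

# Signal names follow AceJohnny2's comment; how each is detected is out of scope.
SIGNALS = ("disposable_email", "risky_ip", "signup_burst")

# Constructed history: (signals seen at signup, later confirmed as abuse?)
HISTORY = [
    ({"disposable_email", "risky_ip"}, True),
    ({"disposable_email", "signup_burst"}, True),
    ({"risky_ip", "signup_burst"}, True),
    ({"disposable_email", "risky_ip", "signup_burst"}, True),
    ({"disposable_email"}, False),
    ({"risky_ip"}, False),
] + [(set(), False)] * 6

def train(history):
    """Count how often each signal fires for abusive and for legitimate signups."""
    totals = Counter(label for _, label in history)
    fired = {True: Counter(), False: Counter()}
    for present, label in history:
        fired[label].update(present & set(SIGNALS))
    return totals, fired

def abuse_probability(model, present):
    """Posterior P(abuse | signals), treating the signals as independent."""
    totals, fired = model
    # Start from the base rate of abuse, expressed as log-odds.
    log_odds = math.log(totals[True] / totals[False])
    for s in SIGNALS:
        # Laplace smoothing keeps a never-seen signal from forcing 0 or 1.
        p_abuse = (fired[True][s] + 1) / (totals[True] + 2)
        p_legit = (fired[False][s] + 1) / (totals[False] + 2)
        if s in present:
            log_odds += math.log(p_abuse / p_legit)
        else:
            # An absent signal is evidence too, and pulls the score down.
            log_odds += math.log((1 - p_abuse) / (1 - p_legit))
    return 1 / (1 + math.exp(-log_odds))

MODEL = train(HISTORY)

if __name__ == "__main__":
    for combo in (set(), {"disposable_email"}, {"disposable_email", "risky_ip"}, set(SIGNALS)):
        print(sorted(combo), round(abuse_probability(MODEL, combo), 3))
```

With this constructed history a disposable address alone scores about 0.20, while all three signals together score about 0.97, so one weak signal does not block a legitimate signup.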
hn_user82179, 3 months ago
very cool, I wasn't expecting to find this so interesting. I yesterday for the first time thought about the "abuse the free tier" actors. I was trying to use a batching job service which limited free-tier batch sizes to 5, which was so low that it took away the point from using the automated job in the first place. I think the little info box explained that they keep the limit low to prevent abuse, and I started thinking about other ways they could prevent that abuse. Your post was very topical. thanks for sharing!
EGreg, 3 months ago
Where can we get a blocklist of those throwaway email domains?

or perhaps a really big whitelist of good ones? that would be extremely helpful!
AutistiCoder, 3 months ago
so you implemented some sort of machine learning?