Downtime due to sign up spam

Domen Kožar

At around 2am last night, I got woken up by a PagerDuty call due to our database being unresponsive.

I immediately restarted the database and it was back up in a few minutes.

While waiting for the database to come back up, I noticed that our sign ups were being overwhelmed with spam.

The usual approach to this problem is to add a CAPTCHA. Since we’re already using a honeypot, it felt like a natural next step.

Another approach is to rate limit on the server side, but that would degrade the user experience for legitimate users.

That’s when it clicked for me that we have to make the client-side request expensive for the spammer.

We’ve released and deployed elm-hashcash with the simplest implementation: appending a counter to the email address and checking whether the SHA-256 of the result has a certain number of leading zeros (the difficulty).

Happy spamming, Domen