Blog/Guides

Protecting Your Free Trial from Abuse

Fake signups and trial farmers can ruin your metrics and inflate your bills. Here is how to stop them at the door.

We've all been there. You launch your SaaS on Product Hunt, and the notifications start rolling in. The graph goes up and to the right. You pop the champagne. 🥂

Then you actually look at the database. [email protected], [email protected], [email protected].

Half your "growth" is just one person trying to bypass your 14-day limit, or a bot farm looking for vulnerabilities.

It’s easy to dismiss these as just "noise," but they have a tangible cost to your business. You think your conversion rate is 2% because you have 1,000 signups and 20 paid users. But if 400 of those signups are fake, your actual conversion rate is over 3%. You're making product decisions based on bad data. Not to mention the infrastructure bloat—paying tiered pricing for [email protected] to sit in your system and do nothing.

So, naturally, you try to stop them. The first thing everyone does is reach for the blocklist.

You grab a list of known disposable domains—Mailinator, Guerrilla Mail, 10MinuteMail—and you slap a check in your signup controller. There are plenty of open-source lists on GitHub, and the implementation usually looks something like this:

const disposableDomains = new Set([
  'mailinator.com',
  'guerrillamail.com',
  'sharklasers.com',
  // ... insert 5,000 more domains here
]);

if (disposableDomains.has(emailDomain)) {
  throw new Error("Please use a permanent email address.");
}

This works for the "classic" offenders. It catches the low-hanging fruit and stops the casual trial abuser.

But here is the problem with static lists: the internet moves fast. New disposable domains are registered every single day. By the time you update your blocklist.json, the abusers have moved on to a new domain. You are essentially playing a game of whack-a-mole where the moles are infinite and your mallet is always a week out of date.

If you want to catch the sophisticated stuff without turning your signup form into a fortress, you might need something more dynamic. Verification APIs monitor these changes in real-time, detecting new disposable domains as they appear.

Ultimately, you built your product for real humans, not bots or free-loaders. Keeping your user base clean means you can focus your energy on the people who actually want to pay you. If you ever get tired of updating that JSON file manually, we're here to help. 😉

← Back to all posts