Why do "Registration-bots" exist? What do they gain from registering on my site?

Yes, fake accounts are bad for your site. They could significantly hurt your site's reputation.

  1. When they register, your site probably sends an email to a bad address or an address that belongs to someone that didn't register on your site. That makes you look like a possible spammer.

  2. They could use the accounts to degrade performance on your site (this is one of the most concerning because if they triggered this using automated techniques it'd be very difficult to stop without inconveniencing your real users)

  3. They could use the fake accounts to skew your performance metrics in areas like abandoned carts by customers, etc.

  4. They could abuse features like refer a friend and sending wishlists to other email addresses that will then mark your emails as spam (If you have those available).

  5. When you go to send a newsletter at a later date, your list may be filled with bad addresses.

You also have to consider the things they might do that can't be anticipated.

When an online account's password is compromised, the hackers will sometimes sign the victim up for accounts on a ton of other online services. They hope that their actual nefarious activities are lost in the flood of confirmation emails. Mailchimp says this on the subject:

Sometimes, when an abuser attempts to takeover an account, they'll sign their target up for a several email lists at once. They hope that all the new emails in the target’s inbox will overwhelm them and distract them from malicious activity.

Dima Bekerman wrote a firsthand account of what that looks like. I've included the most relevant portions below, but the whole post is interesting and definitely worth a read.

I only noticed that something was odd when I opened Gmail one night and found hundreds of registration confirmations to numerous services I’d never heard of. What’s more, I was receiving a similar email every few seconds.

When most of the noise had been cleared, I found an Amazon email hidden among the junk. It informed me that my purchase—one I hadn’t made—would be delivered within 24 hours.

Diagram of the attack

If your website sends a "Welcome" email to new accounts (and it probably should), it needs to prevent bots from signing up. Otherwise you might contribute to an inbox flood. This can even get you flagged by a blacklist operator like Spamhaus, as outlined by Brian Krebs, preventing your real customers from receiving emails from you.

Instead, follow this guidance from Dima's preventative tips:

  • Filter registration bots – This tip is for site owners. Filtering registration bots can help prevent the attack described here, while also blocking any number of phony subscriptions to your service. This can be achieved by implementing Captcha as part of your registration process.