fix(auth): block signup spam by denylisting shared MX backends

Signup-spam bots rotate throwaway domains rapidly but funnel them through a
small number of shared catch-all mail providers. Across the current wave, 85%
of bot domains resolved to just two MX backends (smtp.215.im,
email.gravityengine.cc), while every domain differed — so the resolved MX host
is a far more durable signal than the domain itself.

Add a server-only MX validator (validateSignupEmailMx) that resolves the
domain's MX records during /sign-up/email and rejects:
  - domains with no MX record (no_mx)
  - domains whose MX backend is on the denylist (blocked_mx_backend)

Seeded with the two observed backends; extend at runtime via
BLOCKED_EMAIL_MX_HOSTS. Fail-open on DNS timeout/transient error so legitimate
users are never blocked by a resolver blip; kill switch via
DISABLE_SIGNUP_MX_VALIDATION. Returns a clean 403 (APIError), not a 500.

Author: waleedlatif1

apps/sim/lib/auth/auth.ts

@@ -85,6 +85,7 @@ import { processCredentialDraft } from '@/lib/credentials/draft-processor'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress, getPersonalEmailFrom } from '@/lib/messaging/email/utils'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
+import { validateSignupEmailMx } from '@/lib/messaging/email/validation.server'
 import { scheduleLifecycleEmail } from '@/lib/messaging/lifecycle'
 import { captureServerEvent, getPostHogClient } from '@/lib/posthog/server'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
@@ -843,6 +844,15 @@ export const auth = betterAuth({
         })
       }
 
+      if (ctx.path.startsWith('/sign-up/email') && ctx.body?.email) {
+        const mxCheck = await validateSignupEmailMx(ctx.body.email)
+        if (!mxCheck.allowed) {
+          throw new APIError('FORBIDDEN', {
+            message: 'Sign-ups from this email domain are not allowed.',
+          })
+        }
+      }
+
       if (ctx.path === '/oauth2/authorize' || ctx.path === '/oauth2/token') {
         const clientId = (ctx.query?.client_id ?? ctx.body?.client_id) as string | undefined
         if (clientId && isMetadataUrl(clientId)) {

apps/sim/lib/core/config/env.ts

@@ -27,6 +27,8 @@ export const env = createEnv({
     ALLOWED_LOGIN_EMAILS:                  z.string().optional(),                  // Comma-separated list of allowed email addresses for login
     ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
     BLOCKED_SIGNUP_DOMAINS:                z.string().optional(),                  // Comma-separated list of email domains blocked from signing up (e.g., "gmail.com,yahoo.com")
+    BLOCKED_EMAIL_MX_HOSTS:                z.string().optional(),                  // Comma-separated MX-host substrings blocked from signing up; matches the domain's resolved MX backend (e.g., "215.im,gravityengine.cc"). Catches throwaway domains that share a mail backend. Merged with built-in defaults.
+    DISABLE_SIGNUP_MX_VALIDATION:          z.boolean().optional(),                 // Kill switch to disable MX-based signup validation without a deploy
     TRUSTED_ORIGINS:                       z.string().optional(),                  // Comma-separated additional origins to trust for auth (e.g., "https://app.example.com,https://www.example.com"). Merged into Better Auth trustedOrigins.
     TURNSTILE_SECRET_KEY:                  z.string().min(1).optional(),           // Cloudflare Turnstile secret key for captcha verification
     SIGNUP_EMAIL_VALIDATION_ENABLED:       z.boolean().optional(),                 // Enable disposable email blocking via better-auth-harmony (55K+ domains)

apps/sim/lib/messaging/email/validation.server.test.ts

@@ -0,0 +1,99 @@
+/**
+ * @vitest-environment node
+ */
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { mockResolveMx, envRef } = vi.hoisted(() => ({
+  mockResolveMx: vi.fn(),
+  envRef: {
+    BLOCKED_EMAIL_MX_HOSTS: undefined as string | undefined,
+    DISABLE_SIGNUP_MX_VALIDATION: false,
+  },
+}))
+
+vi.mock('dns/promises', () => ({
+  default: { resolveMx: mockResolveMx },
+}))
+
+vi.mock('@/lib/core/config/env', () => ({
+  get env() {
+    return envRef
+  },
+}))
+
+import { validateSignupEmailMx } from '@/lib/messaging/email/validation.server'
+
+const mx = (...hosts: string[]) =>
+  hosts.map((exchange, i) => ({ exchange, priority: (i + 1) * 10 }))
+
+describe('validateSignupEmailMx', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    envRef.BLOCKED_EMAIL_MX_HOSTS = undefined
+    envRef.DISABLE_SIGNUP_MX_VALIDATION = false
+  })
+
+  it('blocks the known shared spam backend 215.im', async () => {
+    mockResolveMx.mockResolvedValue(mx('smtp.215.im'))
+    const result = await validateSignupEmailMx('simuser_abc@lyi25swr.cn')
+    expect(result.allowed).toBe(false)
+    expect(result.reason).toBe('blocked_mx_backend')
+  })
+
+  it('blocks gravityengine.cc backend', async () => {
+    mockResolveMx.mockResolvedValue(mx('email.gravityengine.cc'))
+    const result = await validateSignupEmailMx('x@acgfun.eu.org')
+    expect(result.allowed).toBe(false)
+    expect(result.reason).toBe('blocked_mx_backend')
+  })
+
+  it('allows a legitimate domain (gmail)', async () => {
+    mockResolveMx.mockResolvedValue(
+      mx('gmail-smtp-in.l.google.com', 'alt1.gmail-smtp-in.l.google.com')
+    )
+    const result = await validateSignupEmailMx('real.person@gmail.com')
+    expect(result.allowed).toBe(true)
+  })
+
+  it('blocks a domain with no MX records (ENOTFOUND)', async () => {
+    mockResolveMx.mockRejectedValue(Object.assign(new Error('not found'), { code: 'ENOTFOUND' }))
+    const result = await validateSignupEmailMx('x@no-such-domain.invalid')
+    expect(result.allowed).toBe(false)
+    expect(result.reason).toBe('no_mx')
+  })
+
+  it('blocks a domain that resolves to an empty MX set', async () => {
+    mockResolveMx.mockResolvedValue([])
+    const result = await validateSignupEmailMx('x@empty.example')
+    expect(result.allowed).toBe(false)
+    expect(result.reason).toBe('no_mx')
+  })
+
+  it('fails open on a transient DNS error (does not block legit users)', async () => {
+    mockResolveMx.mockRejectedValue(Object.assign(new Error('timeout'), { code: 'ETIMEOUT' }))
+    const result = await validateSignupEmailMx('user@some-real-domain.com')
+    expect(result.allowed).toBe(true)
+  })
+
+  it('honors additional backends from BLOCKED_EMAIL_MX_HOSTS', async () => {
+    envRef.BLOCKED_EMAIL_MX_HOSTS = 'newbadhost.example'
+    mockResolveMx.mockResolvedValue(mx('mx1.newbadhost.example'))
+    const result = await validateSignupEmailMx('x@rotated-domain.top')
+    expect(result.allowed).toBe(false)
+    expect(result.reason).toBe('blocked_mx_backend')
+  })
+
+  it('respects the DISABLE_SIGNUP_MX_VALIDATION kill switch', async () => {
+    envRef.DISABLE_SIGNUP_MX_VALIDATION = true
+    mockResolveMx.mockResolvedValue(mx('smtp.215.im'))
+    const result = await validateSignupEmailMx('simuser_abc@lyi25swr.cn')
+    expect(result.allowed).toBe(true)
+    expect(mockResolveMx).not.toHaveBeenCalled()
+  })
+
+  it('allows when the email has no domain (defers to other validation)', async () => {
+    const result = await validateSignupEmailMx('not-an-email')
+    expect(result.allowed).toBe(true)
+    expect(mockResolveMx).not.toHaveBeenCalled()
+  })
+})

apps/sim/lib/messaging/email/validation.server.ts

@@ -0,0 +1,93 @@
+import type { MxRecord } from 'dns'
+import dns from 'dns/promises'
+import { createLogger } from '@sim/logger'
+import { getErrorMessage } from '@sim/utils/errors'
+import { env } from '@/lib/core/config/env'
+
+const logger = createLogger('EmailValidationServer')
+
+/**
+ * Mail backends abused by signup-spam botnets. The bots rotate throwaway
+ * domains rapidly but funnel them through a small number of shared catch-all
+ * mail providers, so the resolved MX host is a far more stable signal than the
+ * domain itself. Matched as a case-insensitive substring against each MX
+ * exchange. Extend at runtime via `BLOCKED_EMAIL_MX_HOSTS`.
+ */
+const DEFAULT_BLOCKED_MX_HOSTS = ['215.im', 'gravityengine.cc'] as const
+
+const MX_LOOKUP_TIMEOUT_MS = 3000
+
+function getBlockedMxHosts(): string[] {
+  const extra =
+    env.BLOCKED_EMAIL_MX_HOSTS?.split(',')
+      .map((h) => h.trim().toLowerCase())
+      .filter(Boolean) ?? []
+  return [...DEFAULT_BLOCKED_MX_HOSTS, ...extra]
+}
+
+export interface SignupEmailCheck {
+  /** Whether the email may proceed to signup. */
+  allowed: boolean
+  /** Machine-readable block reason, present only when `allowed` is false. */
+  reason?: 'no_mx' | 'blocked_mx_backend'
+}
+
+/**
+ * Server-side signup email validation backed by an MX lookup.
+ *
+ * Rejects domains that resolve to no mail server (`no_mx`) or to a denylisted
+ * catch-all backend (`blocked_mx_backend`). Designed to be fail-open: any DNS
+ * timeout or transient resolver error allows the signup through so legitimate
+ * users are never blocked by an infrastructure blip. Only a definitive
+ * "domain has no MX" answer (`ENOTFOUND` / `ENODATA`) blocks.
+ *
+ * Server-only — imports `dns/promises`. Never import from client code.
+ */
+export async function validateSignupEmailMx(email: string): Promise<SignupEmailCheck> {
+  if (env.DISABLE_SIGNUP_MX_VALIDATION) return { allowed: true }
+
+  const domain = email.split('@')[1]?.toLowerCase()
+  if (!domain) return { allowed: true }
+
+  let records: MxRecord[]
+  try {
+    records = await Promise.race([
+      dns.resolveMx(domain),
+      new Promise<never>((_, reject) =>
+        setTimeout(() => reject(new Error('mx_lookup_timeout')), MX_LOOKUP_TIMEOUT_MS)
+      ),
+    ])
+  } catch (error) {
+    const code = (error as NodeJS.ErrnoException).code
+    if (code === 'ENOTFOUND' || code === 'ENODATA') {
+      logger.info('Blocked signup: domain has no MX record', { domain })
+      return { allowed: false, reason: 'no_mx' }
+    }
+    logger.warn('MX lookup failed; allowing signup (fail-open)', {
+      domain,
+      error: getErrorMessage(error),
+    })
+    return { allowed: true }
+  }
+
+  if (!records || records.length === 0) {
+    logger.info('Blocked signup: domain has no MX record', { domain })
+    return { allowed: false, reason: 'no_mx' }
+  }
+
+  const blocked = getBlockedMxHosts()
+  const match = records.find((record) => {
+    const exchange = record.exchange.toLowerCase()
+    return blocked.some((host) => exchange.includes(host))
+  })
+
+  if (match) {
+    logger.info('Blocked signup: denylisted MX backend', {
+      domain,
+      exchange: match.exchange,
+    })
+    return { allowed: false, reason: 'blocked_mx_backend' }
+  }
+
+  return { allowed: true }
+}