Startups: Private Beta Invite Authentication Problems


While it is incredibly beneficial to use an invite-based system while your startup is in beta, the system is highly susceptible to spammers. Here are a few things to look out for.
Spammers can create one account using false credentials, and from there create a large chain of accounts that may be used for spamming purposes.
Once you manage to get an invite for a site and create an account (we used Pownce as the basis for this article), you are usually given 5 more invites to share with your friends. When you send these invites you are shown an invite code, so that if there is a problem with the email you can sign up through an invite code URL. Because this URL exists, anyone can send emails to false addresses and then use the invite code to create sets of new accounts. Each new account in turn receives 5 more invites, and before you know it you have a whole spammer army on your hands.
Pownce isn’t the only application susceptible to this scheme. Gmail had the same vulnerability and so does VeohTV. When Gmail was still in private beta, the person sending the invite could send invites to himself or herself, or send an invite to a false address. The invite code would then show up in the sent items, or the message would be returned in a bounce-back e-mail, allowing the user to create multiple unverified accounts.
The fix to the problem is very simple, and it seems that the problem is a result of simple oversight more than anything else. Pownce doesn’t have to show the sender the invite code, and Gmail didn’t have to place the invite in the sent items or allow a bounced message to display the invite code to the sender. While these steps do add convenience for the user, they can create headaches for your service. If spammers are able to create massive numbers of accounts, this can be a big problem for a site that is still in beta, which will unnecessarily use resources combating a self-created and easily rectifiable problem.
Instead, the service should allow the person inviting to revoke and reissue an invite if it doesn’t work.
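A minimal sketch of that fix, added here as an illustration and not taken from Pownce, Gmail or any other service named above. The class, method names and the `send_mail` hook are hypothetical: the invite code is handed only to the mailer, the inviter gets back an opaque handle that cannot be used to sign up, and reissuing revokes the old code without spending another invite slot.

```python
import hashlib
import secrets

INVITES_PER_ACCOUNT = 5  # the per-account quota the article describes


class InviteService:
    """Hypothetical invite backend: the code is only ever mailed, never shown."""

    def __init__(self, send_mail):
        self.send_mail = send_mail  # assumed hook: callable(to_addr, code)
        self.invites = {}           # invite_id -> record
        self.used = {}              # inviter -> invite slots consumed

    def _issue(self, rec):
        code = secrets.token_urlsafe(16)
        # Keep only a hash, so no page, log or sent-items view can echo the code.
        rec["code_hash"] = hashlib.sha256(code.encode()).hexdigest()
        rec["state"] = "pending"
        self.send_mail(rec["email"], code)  # the single place the code leaves the service

    def invite(self, inviter, email):
        if self.used.get(inviter, 0) >= INVITES_PER_ACCOUNT:
            raise PermissionError("invite quota exhausted")
        self.used[inviter] = self.used.get(inviter, 0) + 1
        invite_id = secrets.token_hex(8)
        rec = {"inviter": inviter, "email": email}
        self.invites[invite_id] = rec
        self._issue(rec)
        return invite_id  # opaque handle for revoke/reissue; useless for sign-up

    def reissue(self, inviter, invite_id, email=None):
        rec = self.invites[invite_id]
        if rec["inviter"] != inviter or rec["state"] != "pending":
            raise PermissionError("cannot reissue this invite")
        if email:
            rec["email"] = email  # e.g. the first address was mistyped
        self._issue(rec)  # overwriting the hash revokes the old code; no new slot used

    def redeem(self, code):
        digest = hashlib.sha256(code.encode()).hexdigest()
        for rec in self.invites.values():
            if rec["state"] == "pending" and secrets.compare_digest(rec["code_hash"], digest):
                rec["state"] = "redeemed"  # single use
                return rec["email"]        # address the code was mailed to
        return None
```
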
