Anti-fraud and rate limits

Every signup hits a server route at /api/waitlist/subscribe with three layers of defense: IP rate limiting, email validation, and referral attribution checks. The subscribers.ip_address column stores the source IP for the audit trail.

Rate limits: 5 signups per IP per minute, 30 per IP per hour. Excess requests get a 429 response. Limits are per-page, so a single bad actor can't poison your whole account. Pro and Elite plans can request custom limits via support.

Email validation runs against a maintained list of disposable-domain providers (mailinator.com, guerrillamail.com, etc.) and refuses obvious typos. We also check MX records for the domain — no MX, no signup.

For referral attribution, we require a 24-hour cooldown between same-IP signups using the same ?ref= code. This prevents someone from tabbing through their own link in incognito to farm the leaderboard. Suspicious patterns are flagged in the dashboard but not auto-blocked, so you stay in control.