FXA Account Creation Abuse Detection

Tracks the time between account creation request per IP address.

1. Sample Configuration

filename = 'fxa_abuse.lua'
message_matcher = "Type == 'logging.fxa.auth_server.nginx.access' && Fields[request] =~ '^POST /v1/account/create'"
ticker_interval = 60
preserve_data = true

message_variable = "Fields[http_x_forwarded_for]"
-- max_items = 25000 -- maximum number of unique items to track

alert = {
  disabled = false,
  prefix = true,
  throttle = 5,
  modules = {
    email = {recipients = {"trink@mozilla.com"}},
  },
  thresholds = {
    min_count   = 200, -- minimun number of entries before triggering an alert (default 50)
    -- max_mean    = 1.0 -- maximum average amount of time, in seconds, between requests that is considered abusive
  }
}

source code: fxa_abuse.lua