Ban Evasion

When companies ban or suspend accounts, users often just create a new account. Honeypot can help identify ban evasion using the behaviors feature.

For example, one strategy is to use the unique operation to count the distinct emails, phone numbers, or user IDs seen for a given handprint.

An example behavioral configuration, which you can add from the Behaviors page in the Honeypot UI, is shown below:

```json
{
    "name": "unique_emails_by_handprint_30d",
    "operation": "unique",
    "group_by": "handprint_id",
    "fields": [
        "event_properties.email"
    ],
    "window_duration_seconds": 2592000,
    "filters": []
}
```

You can swap handprint_id with any valid user identifier.

Whenever your backend code tracks an event, for example, with:

```js
// Load your honeypot
honeypot.setup({ url: 'https://<your-honeypot-url>/js' })

// Track an individual event
const results = await honeypot.track("Some event", {"email": "a@example.com"})
```

```python
from honeypot import honeypot

# url and ip are supplied by your application
results = (
    honeypot(url)
    .set_ip(ip)
    .track("Some event", {"email": "a@example.com"})
)
```

The response would include all associated emails for the given handprint_id. An example response is shown below:

```js
{
    "behaviors": {
        "unique_emails_by_handprint_30d": {
            "values": [
                "a@example.com",
                "b@example.com",
                "c@example.com",
                "d@example.com"
            ],
            "unique": 4,
            "timestamp": "2025-06-02:45:49.407Z",
            "remaining_window_seconds": 2591981
        }
    },
    // ... other properties
}
```

Your backend could then check the ban status for not only the user's current email, but all previous emails associated with their device or handprint.
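One way to implement that check, as an added example that is not Honeypot's own code: `BANNED_EMAILS`, `is_banned` and the other helper names are hypothetical stand-ins for your ban store, and the response is a constructed sample shaped like the one above. It returns the matching emails so the caller decides how to act on them.

```python
# Added example, not part of the Honeypot SDK. BANNED_EMAILS and the helper
# names are hypothetical; swap in your own ban store lookup.
BEHAVIOR = "unique_emails_by_handprint_30d"  # behavior name from the config above

BANNED_EMAILS = {"b@example.com", "d@example.com"}  # constructed sample ban list


def normalize_email(email):
    """Compare emails case-insensitively, ignoring surrounding whitespace."""
    return email.strip().lower()


def linked_emails(track_response, behavior=BEHAVIOR):
    """Emails the behavior reports for this handprint ([] if the entry is absent)."""
    entry = (track_response.get("behaviors") or {}).get(behavior) or {}
    values = entry.get("values") or []
    return [normalize_email(v) for v in values if isinstance(v, str)]


def banned_matches(track_response, current_email, is_banned):
    """Banned emails tied to this handprint, checking the current email first."""
    matches, seen = [], set()
    for email in [normalize_email(current_email)] + linked_emails(track_response):
        if email in seen:
            continue
        seen.add(email)
        if is_banned(email):
            matches.append(email)
    return matches


def is_banned(email):
    """Stand-in for a lookup against your own ban records."""
    return email in BANNED_EMAILS


# Constructed response with the same shape as the example response above.
SAMPLE_RESPONSE = {
    "behaviors": {
        BEHAVIOR: {
            "values": ["a@example.com", "B@example.com ", "c@example.com", "d@example.com"],
            "unique": 4,
        }
    }
}

if __name__ == "__main__":
    print(banned_matches(SAMPLE_RESPONSE, "a@example.com", is_banned))
```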

If you prefer to use another field besides email, you can do that too. For example, you could use your own user IDs, phone numbers, etc. Read more about the behaviors feature for additional information.