Tags: android, django, authentication, web-applications, sms-verification

Find bots in SMS registration and verification


I am implementing an SMS registration system for my Django project. Like WhatsApp or Telegram Messenger, users can register and log in with just a mobile number and an OTP code.

But I found a problem in my application.

When a user enters his number, my app sends an OTP to the user by SMS. He can't request a new OTP by SMS in less than 3 minutes, and a user can request a total of 10 OTPs by SMS in a day. But if a hacker writes a bot that enters different mobile numbers, my app can't detect that.

For example, a bot that has a dictionary of 10,000 mobile numbers enters these numbers one by one. My app just sends an OTP by SMS to 10,000 different mobile numbers, and I will have to pay a lot of money to my SMS service provider.

How can I prevent this problem? How do messengers like WhatsApp solve this problem?


Solution

  • There are multiple things that you could do to prevent bot spamming. You could use a captcha like reCAPTCHA from Google, or if you don't want any visible input you could take a look at the honeypot approach (add a field hidden from normal users by CSS/JS that bots will fill; if the input is filled, ignore the form).

    Another thing you could do is add a rate limit on the register/login page; there is a Django app that provides this: https://github.com/jsocol/django-ratelimit.
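The answer's rate-limit and honeypot suggestions applied to the question's scenario, as an added example that is neither the asker's code nor django-ratelimit: plain Python with an injected clock so it runs outside Django. The per-number limits (3 minutes, 10 per day) come from the question; the per-source and global hourly limits, the phone numbers and the 203.0.113.x client address are constructed assumptions.

```python
from collections import defaultdict, deque

MIN_INTERVAL = 3 * 60        # one SMS per number per 3 minutes (limit from the question)
PER_NUMBER_DAILY = 10        # at most 10 SMS per number per day (limit from the question)
PER_SOURCE_HOURLY = 5        # assumed: OTP sends per client address per hour
GLOBAL_HOURLY_BUDGET = 1000  # assumed: hard cap on SMS sent per hour, all clients combined
HOUR, DAY = 3600, 86400


class OtpThrottle:
    """Sliding-window counters keyed by phone number, by client address and globally."""

    def __init__(self, global_budget=GLOBAL_HOURLY_BUDGET):
        self.by_number = defaultdict(deque)  # phone -> timestamps of SMS sent
        self.by_source = defaultdict(deque)  # client ip -> timestamps of SMS sent
        self.global_sends = deque()
        self.global_budget = global_budget

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] > window:
            q.popleft()

    def request(self, phone, source_ip, now, honeypot=""):
        """Return (allowed, reason); a send is recorded only when allowed."""
        if honeypot:  # hidden form field that a browser user never fills in
            return False, "honeypot"
        nums = self.by_number[phone]
        self._prune(nums, now, DAY)
        if nums and now - nums[-1] < MIN_INTERVAL:
            return False, "number-interval"
        if len(nums) >= PER_NUMBER_DAILY:
            return False, "number-daily"
        src = self.by_source[source_ip]
        self._prune(src, now, HOUR)
        if len(src) >= PER_SOURCE_HOURLY:  # this is what stops a dictionary of numbers
            return False, "source-hourly"
        self._prune(self.global_sends, now, HOUR)
        if len(self.global_sends) >= self.global_budget:
            return False, "global-budget"  # bounds the SMS bill even if the limits above are evaded
        for q in (nums, src, self.global_sends):
            q.append(now)
        return True, "sent"


def simulate_bot(throttle, n_numbers, source_ip="203.0.113.7"):
    """Constructed scenario: one client walks a list of n distinct numbers, 1 ms apart."""
    sent = 0
    for i in range(n_numbers):
        allowed, _ = throttle.request(f"+1555000{i:04d}", source_ip, now=i * 0.001)
        sent += allowed
    return sent
```

With only the per-number rules from the question, all 10,000 requests in `simulate_bot` would be sent; the per-source window cuts that to 5 and the global budget caps the hourly bill regardless of how many addresses the bot rotates through.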