Best Practices

BOT Attack prevention, Checking Login Active Sessions

MSG91 lets you control exactly which countries your SMS messages are sent to. Using the block and allow settings, you can set your regional preferences and restrict your SMS traffic to the countries and audiences you actually target.


Restricting your SMS traffic to specific geographical regions helps you to:


  • Prevent fraud: If your MSG91 Auth ID is compromised, an attacker can only send to the countries you have allowed, which limits the damage (and the cost) of SMS fraud.

  • Reduce SMS cost: SMS can be sent to any of the 195 countries in the world, and traffic to locations you do not serve only adds cost. Blocking those countries confines your SMS spending to the countries where your customers are.

  • Prevent incorrect destination inputs: A number with an incorrect or incomplete country code can end up in a different part of the world than intended. Blocking the countries you do not target prevents such messages from going out.

  • Enhance customer segmentation: If you use sub-accounts to segment SMS traffic, you can block every destination except the one each sub-account is associated with.

You can allow or block SMS to a specific country by following the steps below:


Step 1. Log in to your MSG91 panel, open the dropdown beside your account's username at the top left and select Settings. If you are inside a service dashboard, the same dropdown is available at the bottom left.



Step 2. Select the Limit Communication option. You will see the list of countries with their prefixes and statuses; click Block or Unblock in the Action column to take the required action on any country.

You also have options for Blocking all countries and Unblocking all countries.

Apart from this, you can even add a price limit for any specific country.




To assist you in navigating and utilizing the Settings section effectively, you can refer to the below comprehensive video guide.








How to Allow and Blo...

November 11, 2024


To check the active login sessions, follow these steps:


Step 1: Log in to the MSG91 Dashboard.

Step 2: Click on the dropdown visible beside your company name from the top.


Step 3: Click on 'Active Sessions'


Step 4: Here you can see all the active login sessions.

Step 5: Tick the sessions you do not recognise and click on Logout all sessions.

How to check Active ...

November 11, 2024


How safe are APIs, and are they protected from the world of cyber threats?


Like everything on the web, APIs are exposed to external threats, so measures have to be taken to mitigate them. These threats range from man-in-the-middle (MITM) attacks and injection attacks such as XSS and SQL injection to DDoS attacks, and each has its own nature and calls for its own countermeasure.


Bots have evolved along with the internet, and the nuisance they cause ranges from hacking attempts to denying legitimate users access to data.


APIs need a layered approach to stay safe and a step ahead of these bots. Some of the measures are discussed below:



Geo- Protection

Blocking access from entire countries lets a service provider choose the geographical extent of its audience, which makes the service both more effective and less exposed to bots from outside that audience. The same approach extends to allowing or denying access on other criteria, such as country code or referrer domain.



Block the outdated user agents/browsers

This is not a strong control on its own, but it adds some defence. Most current browsers refuse to keep running until the user installs updates, so a request carrying the User-Agent string of a browser that is no longer maintained is more likely to come from a script using a stale default User-Agent than from a real user. Blocking such outdated agents filters out the least sophisticated bots.



Block the known threats

Known proxy sites may be a threat you did not see coming. Assuming that bots always use sophisticated tooling is a mistake; many simply route through well-known proxies and anonymisers. Denying access from these known proxy sites is not a complete defence, but it raises the cost for bots that rely on them.

We identify and block the known proxy sites and even enable you to report any when identified.



Integrating the OTP Widget with a token and setting a throttle limit on that token helps prevent bot attacks.


For instructions, please refer to this guide: https://msg91.com/help/MSG91/how-to-integrate-the-new-login-with-otp-widget



Throttle Limit Implementation (Rate limits)


Implement rate limiting mechanisms to restrict the number of API requests from a particular source within a specified time frame. This prevents excessive API calls from bots or malicious actors.


To know more about the token, please refer: https://msg91.com/help/MSG91/what-is-token-and-how-to-use-it



CAPTCHA or reCAPTCHA


Implementing a CAPTCHA such as reCAPTCHA is an effective way to deter bots: it is free to use and adds only modest friction for human users. Once the login process is safeguarded, it is essential to monitor the number of login attempts, particularly repeated attempts originating from the same IP address.


You can decide the threshold of failed attempts from a specific IP address at which that address will be blocked. Integrating CAPTCHA or reCAPTCHA into your website or application lets you distinguish human users from bots.



Monitoring and Logging


Monitor API usage and log each request, including the IP address, user agent, timestamp and request payload (redact secrets such as OTP values and auth keys before they reach the log). Analyse the logs regularly to identify unusual patterns or suspicious activity that might indicate a bot attack.
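The following is an added example, not MSG91's code, showing how the logged fields above can be scanned offline for the bot signals this article lists: bursts of OTP requests from one IP, outdated or scripted User-Agent strings, and source addresses inside known proxy ranges. The log line format, the thresholds, the User-Agent marker lists and the proxy range are assumptions made for the example, and the sample log lines are constructed.

```python
"""Added example (not MSG91 code): scan API request logs for bot signals.

Assumptions (not from the page): a space-separated log format
`<epoch> <ip> "<user-agent>" <path>`, a threshold of 5 OTP requests per IP per
300 s, illustrative lists of outdated and scripted User-Agent markers, and an
illustrative known-proxy range. All sample data below is constructed.
"""
from collections import defaultdict, deque
import ipaddress
import re

# Constructed sample log lines: epoch seconds, client IP, user agent, path.
SAMPLE_LOG = """\
1700000000 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" /api/otp/send
1700000001 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" /api/otp/send
1700000002 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" /api/otp/send
1700000003 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" /api/otp/send
1700000004 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" /api/otp/send
1700000005 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" /api/otp/send
1700000010 198.51.100.7 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" /api/otp/send
1700000020 192.0.2.55 "python-requests/2.31" /api/otp/send
1700000030 192.0.2.56 "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0" /api/otp/verify
"""

LINE_RE = re.compile(r'^(\d+) (\S+) "([^"]*)" (\S+)$')

# Hypothetical marker lists and proxy range; a real deployment maintains its own.
OUTDATED_UA_MARKERS = ("MSIE 6.0", "MSIE 7.0", "Mozilla/4.0")
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "Go-http-client")
KNOWN_PROXY_RANGES = [ipaddress.ip_network("192.0.2.0/26")]

RATE_LIMIT = 5        # requests allowed per window per IP
WINDOW_SECONDS = 300  # same window length the token throttle uses


def parse_log(text):
    """Parse log lines into (epoch, ip, user_agent, path); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line must not abort the whole scan
        ts, ip, ua, path = m.groups()
        events.append((int(ts), ip, ua, path))
    return events


def find_bot_signals(text, path_filter="/api/otp/send"):
    """Return {ip: [reasons]} for IPs whose requests to path_filter look automated."""
    signals = defaultdict(set)
    recent = defaultdict(deque)  # ip -> timestamps inside the sliding window
    for ts, ip, ua, path in sorted(parse_log(text)):
        if path != path_filter:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()  # drop hits that fell out of the window
        if len(window) > RATE_LIMIT:
            signals[ip].add("rate")
        if any(marker in ua for marker in OUTDATED_UA_MARKERS):
            signals[ip].add("outdated-ua")
        if any(marker in ua for marker in SCRIPTED_UA_MARKERS):
            signals[ip].add("scripted-ua")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None  # unparseable address: cannot check proxy ranges
        if addr is not None and any(addr in net for net in KNOWN_PROXY_RANGES):
            signals[ip].add("known-proxy")
    return {ip: sorted(reasons) for ip, reasons in signals.items()}


if __name__ == "__main__":
    for ip, reasons in find_bot_signals(SAMPLE_LOG).items():
        print(ip, reasons)
```

On the constructed sample, 203.0.113.10 is flagged for rate (six requests in six seconds), 198.51.100.7 for its outdated User-Agent, and 192.0.2.55 both for a scripted User-Agent and for sitting inside the hypothetical proxy range; the verify request from 192.0.2.56 is ignored because only OTP send requests are scanned.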



Regularly update software


Keep all software and plugins up to date, as outdated versions may contain vulnerabilities exploited by bots.



Takeaway 


As a leader in the transactional SMS business, MSG91 stands out for its many features, and security is one of them. Bots can be a nuisance, especially when you are trying to put your best foot forward, and we ensure that you can do so as securely as possible.



By implementing these measures, you can significantly enhance the security and resilience of your SMS APIs against bot attacks.



Please note: MSG91 is not liable to refund or credit any amount lost in the event of bot attacks.





How to protect your ...

November 11, 2024

An Authentication Token is a unique identifier that lets you prevent fraudulent behaviour and limit the number of unnecessary OTP requests.

  • It gives you the ability to set a throttle limit.

  • Throttling protects your system from unnecessary OTP requests by capping the number of requests that may be submitted in a given amount of time.

  • The limit is set per token, so you first need to create a token. Follow these steps:

Step 1 - Select the OTP section from the dashboard.


Step 2 - Select the Token option from the sidebar and click on Generate New Token.


Step 3 - Enter the token name in the pop-up appearing on your screen. Once done, your token will be generated.


Step 4 - Click on the Settings (⛭) icon corresponding to any token & you can apply Additional Settings to it.

  • To set the Throttle Limit for your token, simply enter the limit you require.

The throttle limit defines how many times a user can request OTPs via the API within a specific time window. It is expressed as a number of hits per 300 seconds.

For example, the settings below restrict a specific user to 3 OTP requests per 300 seconds. If the limit is surpassed, the user's IP address is blocked for 86400 seconds (24 hours).

Step 5 - In the IPs tab next to Additional Settings, you will find the list of IP addresses from which hits are coming through the OTP Widget.

  • Here, you will find the different statuses of the IPs & can take the required action on them (like manually whitelisting & permanently blocking).

Normal- You will see this status if the users have requested OTPs within the specified throttle limit.

Temporary Block- When the number of OTP requests from a user exceeds the throttle limit, this status will appear, and the user will be blocked for a specified duration. The user's block will be lifted automatically after that duration.

Permanent Block- In case you identify any IP address as spam, you have the option to permanently block it.

Whitelisted- You can add genuine IP addresses to the whitelist to prevent them from being blocked in the future.

  • To manually add any IP, click on the plus (+) icon. Enter the IP address as per the required status/type.

Step 6 - In order to Enable/Disable any Token, you can click on the Vertical dots (⠇) from the Actions.
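As an added example (not MSG91's implementation), the throttle behaviour described in Steps 4 and 5 can be modelled as a small in-memory limiter with the four IP statuses the IPs tab shows. The numbers come from the page's example (3 hits per 300 seconds, temporary block of 86400 seconds); the class and method names, the use of an explicit `now` argument for deterministic runs, and the sample addresses are this example's own.

```python
"""Added example (not MSG91's implementation): per-IP OTP request throttle.

Assumptions: limit of 3 hits per 300 s and a 86400 s temporary block (taken
from the page's example); time is passed in as `now` so the behaviour can be
reproduced without a clock. Names and sample IPs are the example's own.
"""
from collections import deque


class OtpThrottle:
    """Per-IP throttle exposing the four statuses listed in the IPs tab."""

    NORMAL = "Normal"
    TEMP_BLOCK = "Temporary Block"
    PERM_BLOCK = "Permanent Block"
    WHITELISTED = "Whitelisted"

    def __init__(self, limit=3, window=300, block_seconds=86400):
        self.limit = limit                # hits allowed per window
        self.window = window              # window length in seconds
        self.block_seconds = block_seconds
        self.hits = {}                    # ip -> deque of timestamps in the window
        self.blocked_until = {}           # ip -> time a temporary block expires
        self.permanent = set()
        self.whitelist = set()

    def status(self, ip, now):
        """Current status of ip; an expired temporary block is lifted here."""
        if ip in self.whitelist:
            return self.WHITELISTED
        if ip in self.permanent:
            return self.PERM_BLOCK
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return self.TEMP_BLOCK
            del self.blocked_until[ip]    # block expired: lifted automatically
        return self.NORMAL

    def allow(self, ip, now):
        """Record an OTP request from ip at time now; True if it may proceed."""
        state = self.status(ip, now)
        if state == self.WHITELISTED:
            return True                   # whitelisted addresses are never blocked
        if state != self.NORMAL:
            return False                  # temporarily or permanently blocked
        window = self.hits.setdefault(ip, deque())
        while window and now - window[0] >= self.window:
            window.popleft()              # drop hits older than the window
        window.append(now)
        if len(window) > self.limit:
            # Limit surpassed: reject this hit and block the IP temporarily.
            self.blocked_until[ip] = now + self.block_seconds
            window.clear()
            return False
        return True

    def block_permanently(self, ip):
        """Manual action for an address identified as spam."""
        self.permanent.add(ip)
        self.whitelist.discard(ip)

    def whitelist_ip(self, ip):
        """Manual action for a genuine address that must never be blocked."""
        self.whitelist.add(ip)
        self.permanent.discard(ip)
        self.blocked_until.pop(ip, None)


def demo():
    """Constructed scenario: a bot from one IP, a whitelisted office IP, and
    many end users hidden behind one server address (the case the page warns
    about when the token is used in the server-side OTP API)."""
    t = OtpThrottle()
    bot = [t.allow("203.0.113.5", 1000 + i) for i in range(4)]
    t.whitelist_ip("198.51.100.1")
    office = all(t.allow("198.51.100.1", 2000 + i) for i in range(10))
    # Four distinct users all arrive as the server's IP, so the fourth is blocked.
    server = [t.allow("192.0.2.9", 3000 + i) for i in range(4)]
    return bot, t.status("203.0.113.5", 1004), office, server


if __name__ == "__main__":
    print(demo())
```

The `server` case in `demo()` is the reason the note below advises against using the token in the server-to-server OTP API: the throttle keys on the calling address, so when your server relays requests for many end users, the fourth user within the window gets your server blocked for the full 86400 seconds.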




Please take note of the following:-


→ Using a token in the OTP API (server-to-server calls) is not advisable: the throttle is applied to the IP address that calls the API, so once the limit is surpassed it is your server's IP that gets blocked, not the end user's.


→ If you still want to use it, pass the token value in the request's additional parameter "tokenAuth" or in the headers as "token".


-> You do not need to send both the Token and the Authkey in the OTP API; the Auth Token alone is accepted.


-> Tokens are highly recommended for use with the OTP Widget only. There the throttle blocks the end user's IP address, which is what prevents bot attacks.


For instructions on integrating Tokens with OTP Widgets, please refer to this guide: https://msg91.com/help/MSG91/how-to-integrate-the-new-login-with-otp-widget






What is token and ho...

December 19, 2024

Here are the best practices to follow for bulk SMS messaging:


SENDER ID:- 


  • The ID should either identify your company (e.g. Flipkart) or your content (e.g. VERIFY for OTP).

  • The ID cannot be a person's name, or relate to government authorities or firms, banks, the stock market, etc. (e.g. SBIONL, IRCTC, LICIND). If you still wish to use one, you or your client must provide us with a letterhead signed by the organisation stating that you are allowed to use its Sender ID.

  • For stock market messages, your user must be registered with SEBI and should be able to provide a SEBI certificate.


MARKETING:-

  • Any kind of promotion, marketing, sales, offer or invitation can be sent through the transactional route, or to DND numbers, only if the recipients are your registered users.


CONTENT:-

  • The message should convey proper information and must not contain spam content or keywords that fall under that category (e.g. greetings, personal messages, etc.).

NOTE: If a number is submitted without a country code, submission and billing depend on the country detected from its leading digits; for example, 91xxxxxxxxxx is treated as India.

What best practices ...


To prevent untargeted and undesired SMS traffic to countries with higher pricing, you can take measures that also aid in addressing bot attacks and spamming. There are two approaches to achieve this:



1. Limit by Country (Prefix)

2. Limit by Price


Please follow the steps outlined below:-

Step 1. Login to your MSG91 account and select the Settings option from the username dropdown.



Step 2. Select the 'Limit Communication' option from the sidebar. 

In the 'Limit' field on the right, set a maximum price above which you wish to block the SMS requests from your account and click on the Save button. 


All SMS API requests to a country whose per-SMS price is higher than the set limit will be blocked.
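As an added example, not MSG91's own code, the following shows both Limit Communication checks (block by country prefix, as in the "allow and block countries" article above, and block by price) applied to an outgoing destination number. The prefix table and its prices are constructed for illustration; the example assumes numbers arrive in international format with or without a leading "+" or "00", and, following the note in the bulk SMS article, treats a number without an explicit "+" by its leading digits (91... as India).

```python
"""Added example (not MSG91 code): country-prefix and price-limit checks.

Assumptions: a constructed prefix table with illustrative prices (not MSG91's
rates); numbers in international format with or without '+' or '00'; a number
with no '+' is interpreted from its leading digits. Names are the example's own.
"""
import re

# Constructed table: dialling prefix -> (country code, price per SMS, arbitrary unit).
# Longest prefix wins, which keeps "1" (North America) distinct from "1876" (Jamaica).
PREFIXES = {
    "91": ("IN", 0.20),
    "1": ("US", 0.80),
    "1876": ("JM", 4.50),
    "44": ("GB", 2.10),
    "7": ("RU", 3.00),
}


def lookup_country(number):
    """Return (prefix, country, price) for a number, or None if no prefix matches."""
    digits = re.sub(r"\D", "", number)
    if number.startswith("00"):
        digits = digits[2:]  # 00-prefixed international dialling
    for length in range(4, 0, -1):  # longest prefix first
        entry = PREFIXES.get(digits[:length])
        if entry:
            return digits[:length], entry[0], entry[1]
    return None


def check_destination(number, blocked_countries=frozenset(), price_limit=None):
    """Apply the blocked-country list and the price limit; return (allowed, reason)."""
    hit = lookup_country(number)
    if hit is None:
        return False, "unknown country prefix"  # fail closed on unrecognised input
    prefix, country, price = hit
    if country in blocked_countries:
        return False, f"country {country} (+{prefix}) is blocked"
    if price_limit is not None and price > price_limit:
        return False, f"price {price:.2f} exceeds limit {price_limit:.2f}"
    return True, f"{country} (+{prefix}) at {price:.2f}"


def filter_batch(numbers, blocked_countries=frozenset(), price_limit=None):
    """Split a batch into (allowed numbers, {rejected number: reason})."""
    allowed, rejected = [], {}
    for n in numbers:
        ok, reason = check_destination(n, blocked_countries, price_limit)
        (allowed.append(n) if ok else rejected.__setitem__(n, reason))
    return allowed, rejected


if __name__ == "__main__":
    batch = ["+919876543210", "+79161234567", "+18761234567", "00447700900123", "+999123"]
    print(filter_batch(batch, blocked_countries={"RU"}, price_limit=1.0))
```

Unknown prefixes are rejected rather than passed through, which is the safe default when the goal is to stop mistyped or truncated numbers from reaching an unintended country.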






How to block countri...

November 11, 2024


MSG91 provides a security feature that restricts account access to whitelisted IP addresses. When you add a team member to your MSG91 account, you can specify the IP addresses (IPv4 / IPv6) from which that member may log in; login attempts from any other address are denied.

The steps below guide you through it:


1. Login to your MSG91 account and click on the settings icon


2. Click on the All users section from the sidebar and then click on Invite user.



3. Enter the email address of the member you want to invite and select their role (Owner, Admin or User), then whitelist the IP addresses (IPv4 / IPv6) for that member. Press Enter after each address; you can add multiple addresses.



4. Click Invite once you have whitelisted the desired IP addresses. You can also whitelist login IP addresses for existing members: click the pencil icon under the Action heading and add the addresses there.
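As an added example (not MSG91's implementation), this is the decision a login endpoint makes with such a whitelist: given the member and the source address of the connection, allow or deny. The member-to-addresses mapping is constructed; two choices go beyond the page and are the example's own: an empty list means no restriction for that member, and CIDR ranges are accepted alongside single addresses. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are normalised to IPv4 so that a dual-stack listener still matches the IPv4 entry. The address checked must be the connection's real peer address (or a header set by a proxy you control), never a header the client can supply.

```python
"""Added example (not MSG91's implementation): login IP whitelist check.

Assumptions: constructed member -> entries mapping; an empty list means no
restriction (this example's choice, not stated on the page); CIDR entries are
accepted in addition to single addresses (beyond the page's description);
IPv4-mapped IPv6 source addresses are normalised to IPv4.
"""
import ipaddress

# Constructed whitelist: member e-mail -> entries as an admin would store them.
ALLOWLIST = {
    "ops@example.com": ["203.0.113.10", "2001:db8:1::/64"],
    "dev@example.com": ["198.51.100.0/24"],
    "owner@example.com": [],
}


def normalise(addr):
    """Parse a source address; unwrap ::ffff:a.b.c.d to its IPv4 form."""
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def login_allowed(member, source_addr, allowlist=ALLOWLIST):
    """True if member may log in from source_addr under the whitelist."""
    entries = allowlist.get(member)
    if entries is None:
        return False  # unknown member: deny
    if not entries:
        return True   # no whitelist configured for this member (example's choice)
    try:
        src = normalise(source_addr)
    except ValueError:
        return False  # unparseable source address: deny rather than guess
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)  # "a.b.c.d" becomes /32
        except ValueError:
            continue  # a malformed stored entry must not widen access
        if src.version == net.version and src in net:
            return True
    return False


if __name__ == "__main__":
    for member, addr in [("ops@example.com", "::ffff:203.0.113.10"),
                         ("dev@example.com", "198.51.101.1")]:
        print(member, addr, login_allowed(member, addr))
```

Every failure path (unknown member, unparseable address, malformed stored entry) denies access; the whitelist is only useful if it fails closed.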




Login using Whitelis...

November 11, 2024