Are form submission bots out of control?

I started a new project recently and am in the early stages of the project.
I created a signup page and deployed it to production yesterday for a quick test of the associated email routines.
This was still "bare bones" with no form security, which I intended to add today (honeypot / CSRF etc.)

This morning I have had 43 registrations in the system!
Apart from anything else, how do they find a new site so fast!

It's just scary!

Applying security now!
honeypot, CSRF and Cloudflare here I come!

1 Like

In my opinion, the most important security is having a captcha and a rate limiter 🙂

(rate limiter check is done before captcha check)

1 Like

Could also tighten up any API endpoints as may be using those rather than the form itself to pass the submission (consider using routes for those). Also ensure those endpoints can only run if they are accessed from the host IP. Do all your validation server side and use error responses with alerts on the front end. Have hidden inputs for firstName / lastName and if these get populated have a Condition send back an error response. Capture the offender's host and build your own blacklist within your DB to then lookup and deny against existing records as a Step in your Actions etc. One other thing you could do is have a confirmation of the submission on a followup page so when the form is submitted it directs to this page. The User then validates what they are submitting and then the submission is executed. Most bots won't figure that out as they think the first form was submitted and will then go off looking for other forms...
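As an added example (not code from the thread or from any project mentioned in it), here is how the two replies above could be combined server side in a Node handler: blacklist lookup, then the rate limiter, then the firstName / lastName honeypot, with the captcha check coming after. The function names, field names and limits are assumptions.

```javascript
// Added example, not from the thread: screen a signup POST in the order the
// replies suggest: blacklist -> rate limiter -> honeypot -> (captcha would follow).
// honeypotFields, RATE_LIMIT and createScreener are assumed names.

const honeypotFields = ["firstName", "lastName"]; // hidden inputs a real user never fills
const RATE_LIMIT = { max: 5, windowMs: 60_000 };   // at most 5 signups per minute per IP

// State is kept in memory for the example; a real app would keep it in its DB.
function createScreener() {
  const blacklist = new Set(); // hosts caught by the honeypot earlier
  const hits = new Map();      // ip -> timestamps of recent submissions

  // Returns { ok: true } or { ok: false, reason } so the route can send an error response.
  function screenSubmission({ ip, body }, now = Date.now()) {
    if (blacklist.has(ip)) return { ok: false, reason: "blacklisted" };

    // Rate limiter runs before any costlier check (captcha, DB writes).
    const recent = (hits.get(ip) || []).filter((t) => now - t < RATE_LIMIT.windowMs);
    recent.push(now);
    hits.set(ip, recent);
    if (recent.length > RATE_LIMIT.max) return { ok: false, reason: "rate_limited" };

    // Honeypot: a populated hidden field means a bot filled in every input it found.
    const tripped = honeypotFields.find(
      (f) => typeof body[f] === "string" && body[f].trim() !== ""
    );
    if (tripped) {
      blacklist.add(ip); // record the offender for future lookups
      return { ok: false, reason: "honeypot", field: tripped };
    }
    return { ok: true };
  }

  return { screenSubmission, blacklist, hits };
}
```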

Thanks for the security feedback guys but I am pretty sure I can deal with the security side of things, I was generally commenting on how quick and intensive bots are getting if you do leave off security.

The real question was how on earth can bots find a newly launched, part written site within hours and inject so much crap.
Wish Google could get in and index sites that fast!

They use sites like Daily Domain Brian:

We see Google index our new content within one hour and new domains within 12 - 24 hours in the majority of circumstances providing all meta tags are in place with accessibility and responsiveness being provided for. Our most recent application was at the top of Google for its purpose within 24 hours and above sites that have been in the business for years (even beating some of our own previous developments). We put this down to its accessibility features and full responsive nature. Also the inclusion of many other meta tags besides the defaults such as:

<meta name="geo.region" content="">
<meta name="geo.placename" content="">
<meta name="geo.position" content="">
<meta name="ICBM" content="">
<meta property="og:locale" content="">

Yes, I get that but didn't expect it with this one as the domain has actually been registered but unused for about 2 years, they found the new site within hours.
Must be more to it than that.

This is the first time i have used Digital Ocean/Docker in a while, did wonder if they have found how to monitor new deployments to DO?

No I don't think so Brian. We use Digital Ocean for dozens of sites and all are bot free so can't lay the issue on their door step. However each is proxied behind Cloudflare (mostly on the free tier). Am sure Cloudflare plays a huge part in this resilience to bots.

Using the most basic of servers or even a local box with something like ZMap and a decent connection could do the entire IPv4 range in about 30 - 45 minutes or so (with a couple of filters and a little higher speed could get that right down to under ten minutes or less). So probably best to use an IPv6 address (DO provide these) as that is a lot harder and near on impossible to scan in full... That may help to alleviate the situation.

Not worried about it, as I said in original post, I was aware that the registration form had not been secured (it's secure now), I was just surprised at the volume and speed of intrusion.

I guess the answer to my original question has been answered, yes it's out of control and the industry seems not only happy to allow it but to offer services to enable it.

I guess I have achieved what I intended, to stimulate a bit of chat on an otherwise quiet Saturday afternoon.

2 Likes

Every HTTPS certificate issuance is publicly logged in something called Certificate Transparency Logs, that's how they can find out

It's like filling a room with goodies then publicising the door code.
Thankfully a few security additions have stopped the looting.