How to Stop Bot Emails From Signing Up (Complete 2026 Guide)

Why Bots Target Your Signup Form

Your signup form is the front door to everything valuable in your product. Free-tier tokens, trial features, onboarding emails, support access: all of it unlocks the moment an account is created. Bots know this, and they exploit it at scale.

The economics are straightforward. A bot operator who creates 500 free accounts on an AI coding tool gets access to 500 sets of free tokens. If each account gets $10 worth of compute, that is $5,000 in stolen resources from a single afternoon of automated signups. The operator can resell that access, use it for bulk generation, or simply drain your budget for competitive reasons.

And it is not just AI apps. SaaS companies lose money to fake accounts that inflate metrics, consume onboarding resources, and generate support overhead. E-commerce platforms deal with promo code abuse from disposable email accounts. Even community platforms suffer from bot-created accounts used for spam and manipulation.

The common thread: all of these attacks start with a fake email address getting through your signup form. Block the fake email, and you block the attack. Here are five methods that work.

The Five Types of Bot Signups You Need to Catch

Before you can stop bot signups, you need to understand what they look like. Not all fake accounts are created equal, and different detection methods work better for different types.

1. Disposable Email Addresses

This is the most common type by far. Services like Tempmail, Guerrilla Mail, Mailinator, and hundreds of lesser-known providers give anyone a working email address in seconds. No registration, no verification, no trail. Our analysis of 100,000 fake signups found that 62% used disposable email domains.

2. Pattern-Generated Addresses

Bots that need addresses at legitimate providers (Gmail, Outlook) generate them algorithmically. You will see patterns like sequential digits (user12345@gmail.com), keyboard walks (qwerty.asdf@outlook.com), random character strings (xk7mq9vz@gmail.com), and leetspeak substitutions. These pass basic format validation but follow detectable patterns that real humans rarely produce.

3. Credential Farm Accounts

More sophisticated operators register custom domains and create real-looking email addresses in bulk. The individual emails might look legitimate (sarah.jones@techconsulting.io), but the domains are freshly registered, have no real mail history, and host dozens or hundreds of accounts all created within the same time window.

4. Catch-All Domain Abuse

Some operators use domains configured to accept mail for any address. They can claim to be anything@theirdomain.com and it will pass basic SMTP checks. The domain accepts everything, which is itself a signal that something is wrong.

5. Compromised Account Recycling

The hardest type to catch. Bot operators use email addresses from data breaches to create accounts on your platform. The emails are real, the domains are legitimate, and format checks find nothing suspicious. Catching these requires deeper behavioral signals like IP reputation and velocity tracking.

Method 1: Block Disposable and Burner Emails

The single highest-impact step you can take is blocking known disposable email domains. This alone eliminates the majority of bot signups.

A basic approach is maintaining your own blocklist of disposable domains. The problem: new disposable email services appear constantly. A static list goes stale within weeks. Tempmail.plus, yopmail.fr, dispostable.com: there are hundreds of active services, and the list grows every month.

BigShield maintains a continuously updated database of 945+ known disposable email providers. This includes the obvious ones (Mailinator, Guerrilla Mail) and obscure regional services that most blocklists miss entirely. The database also catches aliases and subdomains that disposable services use to evade simple domain matching.

Implementation is simple. Check the email before creating the account:

const result = await bigshield.validate(email);

if (result.signals.burner_domain.detected) {
  return res.status(400).json({
    error: 'Please use a permanent email address',
  });
}

This single check will catch the majority of bot signups. But some bots are smarter than blocklist checks. That is where the next methods come in.

Method 2: Detect Bot-Like Email Patterns

When bots create accounts at legitimate email providers, they leave fingerprints in the email addresses themselves. Humans choose email addresses that mean something to them: their name, a nickname, a word that matters. Bots generate addresses that follow statistical patterns.

Common bot patterns include:

• Random character strings: xk7mq9vz@gmail.com, ht3pw8nb@outlook.com
• Sequential numbers: testuser4821@gmail.com, account.9374@yahoo.com
• Keyboard walks: qwerty.zxcv@gmail.com, asdfgh.jkl@outlook.com
• Repeated characters: aaabbb123@gmail.com, xxxyyy@outlook.com
• Leetspeak substitutions: h4ck3r.b0t@gmail.com

BigShield's pattern analysis signal scores these characteristics and combines them with other data points. A random-looking username at a legitimate provider is suspicious. A random-looking username at a legitimate provider from a datacenter IP with three other signups in the last hour is almost certainly a bot.

We open-sourced our pattern detection library if you want to see how the detection works under the hood.

Method 3: Track IP Velocity and Reputation

Email addresses can be faked. IP addresses are harder to hide. When a single IP address creates 15 accounts in an hour, that is not a popular office with many employees signing up. That is a bot.

IP reputation scoring adds another layer of detection. BigShield checks whether the signup IP belongs to:

• Datacenter ranges: AWS, GCP, Azure, DigitalOcean. Real users rarely sign up from cloud servers.
• Known proxy services: Commercial proxy networks used to rotate IP addresses and evade rate limits.
• VPN endpoints: While many legitimate users use VPNs, signup traffic from VPN exit nodes correlates strongly with abuse.
• Tor exit nodes: Almost exclusively associated with automated abuse in the context of account creation.

IP velocity tracking monitors how many accounts are being created from each IP address over 1-hour and 24-hour windows. Normal patterns look like one or two signups per IP per day. Bot patterns look like dozens or hundreds.

The combination of IP reputation and velocity is powerful. Even if a bot uses different email addresses for every signup, the underlying infrastructure stays the same.

Method 4: Verify the Email Actually Exists

A surprising number of bot-submitted email addresses do not actually exist as working mailboxes. The bot generates an address, submits it to your form, and never checks if the mailbox is real. Basic format validation says the email looks valid. SMTP verification says it does not exist.

SMTP verification works by connecting to the recipient's mail server and asking if the mailbox exists, without actually sending a message. For most mail servers, this returns a definitive answer. The mailbox either exists or it does not.

There are edge cases. Some domains are configured as catch-all servers that accept mail for any address. Gmail and some large providers do not reliably respond to SMTP probes. BigShield handles these cases by combining SMTP results with other signals rather than relying on SMTP alone.

SMTP verification is particularly effective against bots that use randomly generated addresses at legitimate domains. The address format looks valid, but no one ever created the mailbox.

Method 5: Layer Multiple Signals Together

No single signal catches every type of bot signup. Disposable email blocking misses bots using Gmail. Pattern analysis misses well-crafted credential farm addresses. IP reputation misses bots using residential proxies. The solution: layer multiple signals and combine their scores.

This is the core idea behind BigShield's 15-signal approach. Each signal contributes to an overall risk score from 0 to 100. A legitimate user with a Gmail address, a residential IP, and a human-looking username scores high (low risk). A suspicious address from a datacenter IP with three other recent signups scores low (high risk).

The layered approach catches attacks that any single method would miss:

• Disposable email + any IP = caught by burner detection
• Gmail + datacenter IP + high velocity = caught by IP signals
• Custom domain + residential IP + random username = caught by pattern analysis + domain age
• Real-looking email + VPN + no online presence = caught by Tier 2 deep analysis

The more signals you check, the harder it becomes for bots to evade detection. Each additional signal narrows the gap that attackers can exploit.

Putting It All Together: A Practical Implementation

Here is how a complete implementation looks in practice. This example uses BigShield's API to validate emails at signup with a tiered response based on the risk score:

import { BigShield } from 'bigshield';

const shield = new BigShield(process.env.BIGSHIELD_API_KEY);

async function handleSignup(email: string, ip: string) {
  // Validate the email with all available signals
  const result = await shield.validate(email, { ip });

  // Decision based on risk score (0 = highest risk, 100 = lowest risk)
  if (result.fraud_decision === 'block') {
    // Score below 30: almost certainly fake
    return {
      success: false,
      error: 'Please use a valid email address to sign up.',
    };
  }

  if (result.fraud_decision === 'verify') {
    // Score between 30-70: suspicious, require verification
    await sendVerificationEmail(email);
    return {
      success: true,
      requiresVerification: true,
    };
  }

  // Score above 70: looks legitimate
  const user = await createAccount(email);
  return { success: true, user };
}

This gives you three tiers of response. Obvious bots are blocked immediately. Suspicious signups are required to verify their email (which real users can do, but bots usually will not). Legitimate-looking signups proceed without friction.

The key insight: you do not need to block every suspicious signup outright. Adding a verification step for borderline cases catches most bots while avoiding false positives on real users. Most bot operators will not bother confirming email verification links because it breaks their automation flow.

For more implementation patterns, check out our guide on building a signup form that prevents fraud and our API documentation.

What About CAPTCHAs?

CAPTCHAs are the traditional answer to bot prevention, but they have significant drawbacks for signup forms. They add visible friction that reduces conversion rates. Modern bot operators use CAPTCHA-solving services that defeat them for fractions of a cent per solve. And CAPTCHAs do nothing to catch disposable emails or pattern-generated addresses.

Email validation works differently. It is invisible to the user (no puzzles to solve), it runs in under 100ms (no waiting), and it catches the actual mechanism of abuse (fake email addresses) rather than trying to distinguish humans from bots through a visual challenge.

That said, CAPTCHAs and email validation are not mutually exclusive. For high-value signups, you might use both: a CAPTCHA to slow down automated form submission and email validation to catch the fake addresses that get through. But if you are choosing one approach, email validation gives you more protection with less user friction.

Ready to stop bot signups? BigShield validates emails with 30+ detection checks for 99% confidence in under 100ms. See how it works for bot prevention, or start free and try it on your signup form today.