Real-Time Threat Intelligence: How to Build a Feed for Signup Fraud
How threat intelligence feeds work for email and signup fraud detection: data sources, update frequency, blocklist vs scoring approaches, and whether to build your own or use an existing service.
Fraud moves fast. A domain that was registered yesterday could be flooding your signup form today. An IP range that was clean last week might be hosting a botnet this week. Staying ahead of signup fraud requires real-time threat intelligence: continuously updated data about malicious domains, IPs, email providers, and attack patterns.
In this article, we will cover how threat intelligence feeds work for signup fraud, what data sources feed into them, the critical difference between blocklist and scoring approaches, and how to decide whether to build your own feed or use an existing service.
What Is a Threat Intelligence Feed?
A threat intelligence feed is a continuously updated stream of data about known threats. In the context of signup fraud, that means data about:
- Domains used for disposable or temporary email addresses
- IP addresses associated with botnets, proxies, VPNs, and datacenter hosting
- Email naming patterns used in automated account creation
- Device fingerprints linked to known fraud campaigns
- Newly registered domains (which correlate strongly with fraud)
The value of a threat intelligence feed is timeliness. Static blocklists go stale within days. A good feed updates hourly or faster, incorporating new threats as they are observed across the network.
Data Sources for Signup Fraud Intelligence
Community Blocklists
Open-source blocklists are a good starting point. Projects like disposable-email-domains on GitHub maintain lists of known burner email providers. Spamhaus and other anti-abuse organizations publish IP blocklists. These are free and well-maintained, but they have a lag: a new disposable email service might operate for days or weeks before it appears on a community list.
DNS and WHOIS Data
Monitoring new domain registrations (via zone file access or passive DNS feeds) is one of the most effective data sources. Domains registered in the last 30 days are disproportionately used for fraud. You can also track MX record changes, SPF/DKIM configuration, and WHOIS privacy status as signals.
Honeypot and Trap Networks
Deploying honeypot signup forms (fake forms that real users never see, but bots discover through link crawling) generates a pure stream of fraudulent traffic. Every email and IP that hits a honeypot is, by definition, malicious. This data is extremely high-quality but requires infrastructure to collect.
Cross-Customer Telemetry
This is where services like BigShield have a structural advantage. When we detect a fraudulent signup for one customer, that intelligence immediately benefits all customers. A newly discovered malicious domain gets flagged across the entire network within minutes. No individual company can build this kind of cross-platform visibility on its own.
IP Intelligence Providers
Services like MaxMind, IPinfo, and IPQualityScore provide enriched IP data including geolocation, ISP identification, proxy/VPN detection, and risk scores. These form the backbone of IP reputation scoring, and most serious fraud detection systems integrate at least one IP intelligence provider.
Blocklist vs. Scoring: A Critical Design Decision
There are two fundamentally different approaches to using threat intelligence, and the choice between them has major implications for your false positive rate.
The Blocklist Approach
Simple binary logic: if a domain, IP, or email matches the list, block it. This is easy to implement and reason about. The problem is that it is brittle. Blocklists cannot handle nuance. A VPN IP is suspicious but not definitive. A newly registered domain might be a startup, not a scammer. Blocklists force you to choose between catching fraud (aggressive lists with high false positives) and protecting legitimate users (conservative lists that miss new threats).
The Scoring Approach
Instead of binary block/allow, each intelligence signal contributes a weighted score. A disposable email domain contributes -25 points. A datacenter IP contributes -15 points. A brand-new domain contributes -10 points. These signals stack, and the final score determines the action.
This approach handles nuance naturally. A signup from a VPN IP with a Gmail address and a 10-year-old domain? Probably fine. A signup from a VPN IP with a disposable email domain registered yesterday? Block it. The scoring approach lets multiple weak signals combine into a strong signal without any individual signal being a dealbreaker.
BigShield uses the scoring approach exclusively. Every piece of threat intelligence is a signal with an impact and a confidence level, never a binary block.
Update Frequency Matters More Than Size
A common mistake is optimizing for blocklist size when you should be optimizing for freshness. A list of 10,000 burner domains updated daily outperforms a list of 100,000 domains updated monthly. Here is why:
Fraudsters adapt. When a disposable email service gets added to major blocklists, attackers switch to a new one. The window between a new fraud tool appearing and it being widely blocked is where most damage happens. Cutting that window from days to hours is worth more than catching every historical domain.
Practical update frequencies for different data types:
- Disposable email domains: Daily minimum, hourly preferred
- IP reputation: Hourly (IPs change hands and behavior quickly)
- Domain age data: Weekly (a domain's registration date is historical and does not change)
- Active campaign fingerprints: Real-time (minutes)
- Device fingerprint blocklists: Real-time (as new fraud is detected)
Building Your Own vs. Using a Service
When to Build Your Own
Building your own threat intelligence feed makes sense when you have domain-specific fraud patterns that generic services do not cover, when you need complete control over the data pipeline, or when you are operating at a scale where the marginal cost of external services becomes significant. You will need engineers dedicated to maintaining data pipelines, monitoring feed quality, and tuning signal weights.
When to Use a Service
For most teams, using a service is the better choice. The cross-customer intelligence advantage alone is hard to replicate. You also get maintained infrastructure, ongoing research into new fraud techniques, and engineering time back to focus on your core product.
The honest truth: building a comprehensive threat intelligence feed from scratch is a multi-month project that requires ongoing maintenance. If fraud prevention is not your core product, the opportunity cost of building it yourself is steep.
The Hybrid Approach
Many teams end up with a hybrid approach. They use a service like BigShield for broad coverage and supplement it with custom rules specific to their platform. For example, an e-commerce company might add custom signals for known reseller email patterns, while a SaaS company might add signals for free trial abuse patterns. This gives you the best of both worlds: comprehensive baseline intelligence plus domain-specific customization.
Measuring Feed Quality
Not all threat intelligence is created equal. Here are the metrics that matter:
- Precision: What percentage of flagged signups are actually fraudulent? A feed that flags 50% of legitimate users is worse than no feed at all.
- Recall: What percentage of actual fraud does the feed catch? A feed that only catches 20% of fraud is not pulling its weight.
- Latency: How quickly does new threat data propagate? Measure the time between a new fraud technique appearing in the wild and your feed catching it.
- False positive rate by category: Break down false positives by signal type. If your IP reputation data is generating most of your false positives, you know where to tune.
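The four metrics above can be computed from nothing more than a set of signups you have labelled after the fact (chargebacks, abuse reports, manual review) plus the feed signals that fired for each. The script below is an added example, not BigShield's code: the labelled signups, the signal names, and the latency observations (first honeypot sighting versus feed inclusion) are all constructed for illustration, and the "flagged" definition (any signal fired) is an assumption.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed evaluation set: signups reviewed after the fact. "fraud" is the
# ground truth (chargebacks, abuse reports, manual review); "signals" are the
# feed signals that fired at signup time. An empty list means the feed was silent.
LABELLED_SIGNUPS = [
    {"id": 1,  "fraud": True,  "signals": ["disposable_email_domain"]},
    {"id": 2,  "fraud": True,  "signals": ["datacenter_ip", "newly_registered_domain"]},
    {"id": 3,  "fraud": True,  "signals": ["datacenter_ip"]},
    {"id": 4,  "fraud": True,  "signals": []},                           # missed fraud
    {"id": 5,  "fraud": True,  "signals": ["vpn_ip"]},
    {"id": 6,  "fraud": False, "signals": ["vpn_ip"]},                   # false positive
    {"id": 7,  "fraud": False, "signals": ["datacenter_ip"]},            # false positive
    {"id": 8,  "fraud": False, "signals": []},
    {"id": 9,  "fraud": False, "signals": []},
    {"id": 10, "fraud": False, "signals": ["newly_registered_domain"]},  # false positive
    {"id": 11, "fraud": False, "signals": []},
    {"id": 12, "fraud": True,  "signals": ["disposable_email_domain", "vpn_ip"]},
    {"id": 13, "fraud": False, "signals": ["vpn_ip"]},                   # false positive
    {"id": 14, "fraud": True,  "signals": ["newly_registered_domain"]},
]

# Constructed latency observations: when a burner domain was first seen hitting
# a honeypot versus when it appeared in the feed (ISO 8601 timestamps).
FEED_LATENCY_OBSERVATIONS = [
    ("2024-06-01T10:00", "2024-06-01T14:00"),
    ("2024-06-02T08:00", "2024-06-03T08:00"),
    ("2024-06-03T00:00", "2024-06-03T02:00"),
]


def is_flagged(record) -> bool:
    # Assumption for this example: the feed "flags" a signup if any signal fired.
    return bool(record["signals"])


def precision(records) -> float:
    """Of everything the feed flagged, how much was really fraud?"""
    flagged = [r for r in records if is_flagged(r)]
    return sum(r["fraud"] for r in flagged) / len(flagged) if flagged else 0.0


def recall(records) -> float:
    """Of all real fraud, how much did the feed flag?"""
    fraud = [r for r in records if r["fraud"]]
    return sum(is_flagged(r) for r in fraud) / len(fraud) if fraud else 0.0


def false_positive_rate_by_signal(records) -> dict:
    """Per signal: the share of its firings that hit a legitimate user."""
    fired, wrong = Counter(), Counter()
    for r in records:
        for name in set(r["signals"]):
            fired[name] += 1
            if not r["fraud"]:
                wrong[name] += 1
    return {name: wrong[name] / fired[name] for name in fired}


def false_positive_share_by_signal(records) -> dict:
    """Per signal: the fraction of all false positives it was involved in."""
    fps = [r for r in records if is_flagged(r) and not r["fraud"]]
    involved = Counter(name for r in fps for name in set(r["signals"]))
    return {name: involved[name] / len(fps) for name in involved} if fps else {}


def median_feed_latency_hours(observations) -> float:
    """Median hours between first sighting in the wild and inclusion in the feed."""
    hours = [
        (datetime.fromisoformat(added) - datetime.fromisoformat(seen)).total_seconds() / 3600
        for seen, added in observations
    ]
    return float(median(hours))


if __name__ == "__main__":
    print(f"precision: {precision(LABELLED_SIGNUPS):.2f}")
    print(f"recall:    {recall(LABELLED_SIGNUPS):.2f}")
    rates = false_positive_rate_by_signal(LABELLED_SIGNUPS)
    for name, rate in sorted(rates.items(), key=lambda kv: -kv[1]):
        print(f"  {name:26} FP rate {rate:.2f}")
    print(f"median feed latency: {median_feed_latency_hours(FEED_LATENCY_OBSERVATIONS):.1f} h")
```

On the constructed set, precision is 0.60 and recall 0.86, and the per-signal breakdown shows that the VPN signal is involved in half of all false positives while the disposable-domain signal has none, which is exactly the "you know where to tune" outcome the breakdown by category is meant to give you. Run the same functions over a rolling window of real labelled signups to see whether a feed change moved precision or recall.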
Getting Started
If you are just getting started with threat intelligence for signup fraud, here is a practical roadmap:
- Start with open-source disposable email domain lists. They are free and catch the obvious stuff.
- Add basic IP intelligence (at least datacenter vs. residential detection).
- Implement domain age checking. Block or flag signups from domains less than 30 days old.
- Track your own fraud data. Every confirmed fraudulent account is intelligence you can use.
- When the manual effort exceeds a few hours per week, evaluate a service like BigShield that handles all of this (and more) through a single API call.
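The roadmap steps above (a disposable-domain list, datacenter and VPN range checks, a 30-day domain-age cutoff, and your own confirmed-fraud data) are exactly the signals the scoring approach described earlier combines, so one worked example covers both. The script below is an added example, not BigShield's implementation: the domain list, IP ranges (documentation-only TEST-NET addresses), registration dates and fraud IPs are constructed placeholders; the -25/-15/-10 weights are the ones given in the article, while the VPN and own-fraud weights, every confidence value, the base score of 100 and the block/review thresholds are assumptions. The binary blocklist decision is included alongside so the false positive on the first case is visible.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress

# --- Constructed sample feed data (placeholders, not real lists or real ranges) ---
DISPOSABLE_DOMAINS = {"tempmail.example", "burner.example"}    # step 1: open-source burner list
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # step 2: stands in for a hosting range
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]         # stands in for a VPN egress range
DOMAIN_REGISTERED = {                                          # step 3: registration dates from WHOIS/zone data
    "gmail.example": date(2014, 1, 1),
    "fresh-startup.example": date(2024, 5, 31),
    "tempmail.example": date(2024, 6, 9),
}
OWN_CONFIRMED_FRAUD_IPS = {"192.0.2.77"}                       # step 4: your own confirmed-fraud telemetry
NEW_DOMAIN_DAYS = 30                                           # the article's 30-day cutoff
SAMPLE_TODAY = date(2024, 6, 10)                               # fixed "today" so the example is deterministic


@dataclass(frozen=True)
class Signal:
    name: str
    impact: float      # points removed from the base score
    confidence: float  # 0..1, how much the source is trusted (assumed values)


def _in_ranges(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()


def collect_signals(email: str, ip: str, today: date = SAMPLE_TODAY) -> list:
    """Turn feed lookups into weighted signals.

    The -25 / -15 / -10 weights are the article's; the VPN and own-fraud
    weights and every confidence value are assumptions for this example.
    """
    domain = email_domain(email)
    signals = []
    if domain in DISPOSABLE_DOMAINS:
        signals.append(Signal("disposable_email_domain", -25, 0.95))
    if _in_ranges(ip, DATACENTER_RANGES):
        signals.append(Signal("datacenter_ip", -15, 0.9))
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
        signals.append(Signal("newly_registered_domain", -10, 0.8))
    if _in_ranges(ip, VPN_RANGES):
        signals.append(Signal("vpn_ip", -10, 0.6))  # suspicious, never decisive on its own
    if ip in OWN_CONFIRMED_FRAUD_IPS:
        signals.append(Signal("own_confirmed_fraud_ip", -40, 1.0))
    return signals


def risk_score(signals, base: float = 100.0) -> float:
    """Signals stack: each one subtracts its impact scaled by its confidence."""
    return base + sum(s.impact * s.confidence for s in signals)


def scoring_decision(email: str, ip: str, today: date = SAMPLE_TODAY,
                     block_below: float = 70.0, review_below: float = 85.0) -> str:
    """Thresholds are assumed; tune them against your own precision and recall."""
    score = risk_score(collect_signals(email, ip, today))
    if score < block_below:
        return "block"
    if score < review_below:
        return "review"
    return "allow"


def blocklist_decision(email: str, ip: str) -> str:
    """The binary alternative: any match on any list blocks the signup."""
    if (email_domain(email) in DISPOSABLE_DOMAINS
            or _in_ranges(ip, DATACENTER_RANGES + VPN_RANGES)
            or ip in OWN_CONFIRMED_FRAUD_IPS):
        return "block"
    return "allow"


if __name__ == "__main__":
    cases = [
        ("alice@gmail.example", "198.51.100.7"),           # VPN + 10-year-old domain: scoring allows, blocklist blocks
        ("x7f2q@tempmail.example", "198.51.100.7"),        # VPN + burner registered yesterday: both block
        ("founder@fresh-startup.example", "203.0.113.5"),  # datacenter IP + 10-day-old domain: scoring says review
        ("bob@gmail.example", "192.0.2.77"),               # matches your own confirmed-fraud data: both block
    ]
    for email, ip in cases:
        signals = collect_signals(email, ip)
        print(f"{email:32} {ip:14} score={risk_score(signals):6.2f} "
              f"scoring={scoring_decision(email, ip):6} blocklist={blocklist_decision(email, ip)}")
```

The first two cases are the ones from the scoring discussion: the VPN user with an old domain scores 94 and is allowed, while the VPN user with a burner domain registered yesterday drops to about 62 and is blocked. The blocklist blocks both, which is the false positive the article warns about. The third case (datacenter IP plus a 10-day-old domain) lands in "review" rather than "block", the nuance a binary list cannot express. Each signal carries its source and confidence, so when the metrics in the previous section show one category generating most false positives, lowering that one confidence value is the whole tuning change.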
BigShield's threat intelligence is built on all of the sources described above, cross-referenced across thousands of customers, and updated in real time. If you want the protection of a comprehensive threat intelligence feed without building the infrastructure, check us out at bigshield.app.