How does BigShield detect fake signups?

BigShield uses multiple signals including format validation, burner/disposable domain detection (945+ known providers), MX record checks, domain reputation analysis, and SMTP verification to produce a 0-100 risk score for every email address.

How fast is the email validation API?

Tier-1 signals (format, domain, burner detection, MX records) return in under 100ms — fast enough for inline signup validation without impacting user experience.

How much can I save by blocking fake signups?

Up to 40% of signups on AI and SaaS platforms use fake or disposable emails. A single abusive account can consume $5-50 in AI tokens. Email validation costs pennies per check, potentially saving thousands in wasted compute.

What programming languages are supported?

BigShield provides 5 official SDKs for TypeScript/Node.js, Python, PHP, Ruby, and Go. All SDKs include typed responses, automatic retries with exponential backoff, and typed error classes. The REST API can also be called from any language using standard HTTP requests with Bearer token authentication.

Can I create custom validation rules?

Yes. BigShield includes a custom rules engine with 6 rule types (domain block/allow, email pattern, IP range, country, and risk threshold), 4 actions (block, allow, review, require verification), and priority ordering. Rules can be managed via the dashboard or the API.

Industry5 min readApril 14, 2026

Top Malicious Domains: March 2026 Threat Report

Monthly threat intelligence report covering the top burner and disposable email domains detected by BigShield in March 2026, plus emerging fraud patterns.

March 2026 at a Glance

In March 2026, BigShield processed over 3.2 million email validations across our customer base. Of those, 11.4% were flagged as high-risk (score below 30), up from 9.8% in February. Disposable email usage climbed for the third consecutive month, and we observed several new domain patterns worth highlighting.

Here are the key numbers:

Total validations: 3,218,409
High-risk emails blocked: 366,899 (11.4%)
New disposable domains detected: 47
Top fraud vector: Aged Gmail accounts (created 7-14 days prior)

Top 10 Disposable Domains by Volume

These are the domains that appeared most frequently in flagged signup attempts:

tempmail.lol - 18,340 attempts (up 42% from February). This service launched in late 2025 and has quickly become the go-to for bot farms targeting AI product free tiers.
guerrillamail.com - 14,207 attempts. A longstanding player that remains stubbornly popular despite being on every blocklist.
mailnesia.com - 11,893 attempts. Significant spike this month, likely due to a popular fraud tutorial circulating on Telegram.
yopmail.fr - 9,654 attempts. Consistent volume. The French domain sometimes catches teams off guard who only block .com disposables.
throwbin.io - 8,411 attempts. New to the top 10 this month. Offers API-based throwaway inboxes, making it popular with automated scripts.
trashmail.net - 7,829 attempts. Steady month over month.
10minutemail.com - 6,245 attempts. Down 15% from February, possibly due to increased blocking.
emailondeck.com - 5,978 attempts. Offers "stealth" mode that randomizes the sending domain, but BigShield catches the underlying infrastructure.
burnermail.cc - 5,412 attempts. First appearance in our top 10.
fastmail.temp - 4,887 attempts. Not to be confused with the legitimate Fastmail service. This is a new .temp TLD abuser that appeared mid-March.

Emerging Patterns

The ".temp" TLD Surge

March saw a notable increase in disposable services registering under newer TLDs, particularly .temp, .email, and .life. We added 12 new domains across these TLDs to our blocklist. The pattern is clear: as traditional .com disposable domains get blocked, providers are migrating to TLDs that feel more "legitimate" at first glance.

Domain Aging Tactics

We are seeing a more sophisticated approach where fraud operators register domains 30-60 days before using them. These aged domains pass basic registration-date checks that look for domains less than 7 days old. BigShield's multi-signal approach catches these because domain age is only one of 20+ signals. An aged domain with no web presence, no SPF/DKIM records, and traffic exclusively from datacenter IPs still gets flagged.

Gmail Dot Trick Abuse

The Gmail dot trick (where j.ohn@gmail.com and jo.hn@gmail.com deliver to the same inbox as john@gmail.com) saw a 28% increase in abuse this month. Automated tools now generate hundreds of dot-variation signups per base account. BigShield normalizes these addresses before scoring, collapsing all variations to the canonical form.

Subaddress Farming

Plus-addressing (user+tag@domain.com) abuse continued to grow, with an average of 34 subaddress signups per base email among flagged accounts. While plus-addressing is a legitimate feature for real users, the volume and pattern of automated subaddress creation is a clear fraud signal.

Industry Breakdown

Fraud attempts were not evenly distributed across industries:

AI/ML SaaS (free tiers): 38% of all flagged attempts. Token abuse remains the primary motivation.
Fintech: 22% of flagged attempts. Account creation for money laundering and promotion abuse.
E-commerce: 18% of flagged attempts. Coupon and referral program exploitation.
Developer tools: 14% of flagged attempts. CI/CD minute abuse and free-tier resource consumption.
Other: 8% of flagged attempts.

For more context on how these patterns impact AI companies specifically, see our analysis where we analyzed 100,000 fake signups.

New Additions to the BigShield Blocklist

This month we added 47 new domains to our disposable email database, bringing the total to 963. Notable additions include:

14 new .temp TLD services
8 regional disposable providers (3 from Southeast Asia, 3 from Eastern Europe, 2 from South America)
6 "privacy email" services that are being repurposed for fraud
19 micro-services with fewer than 1,000 monthly users each, collectively generating significant fraud volume

Recommendations

Based on this month's data, here are three things you should consider:

Review your TLD policies. If you are only blocking .com disposable domains, you are missing a growing segment of the threat landscape.
Normalize email addresses. Gmail dot tricks and plus-addressing should be collapsed to canonical forms before checking for duplicates.
Do not rely solely on domain blocklists. The 47 new domains we added this month were actively being used for fraud before they appeared on any public blocklist. Multi-signal detection (behavioral analysis, IP reputation, pattern matching) catches what blocklists cannot.

To build your own supplementary detection, our guide on building a real-time threat intelligence feed walks through the architecture.

Looking Ahead to April

We expect disposable domain volume to continue climbing through Q2 2026, particularly targeting AI products. The sophistication of domain aging tactics is increasing, and we are investing in additional signals around DNS pattern analysis and mail server fingerprinting to stay ahead.

These threat reports are published monthly. If you want this data for your own signup traffic, not just industry aggregates, BigShield gives you per-validation signal breakdowns in your dashboard. See your own threat landscape at bigshield.app.