Stop bot emails from signing up
Bots use disposable emails, pattern-generated addresses, and credential farms to flood your signup form. BigShield catches them all with 30+ detection checks in a single API call.
The four types of bot signups
Disposable Email Abuse
Services like Tempmail, Guerrilla Mail, and hundreds of lesser-known providers give bots unlimited email addresses. Each one passes basic format validation but leads nowhere real.
Pattern-Generated Addresses
Bots generate emails algorithmically: random strings, sequential numbers, keyboard walks, leetspeak substitutions. They look plausible at a glance but follow detectable patterns.
Credential Farms
Operators register real-looking emails on custom domains to create believable accounts in bulk. These are harder to catch with simple blocklists but show patterns in domain age and registration behavior.
IP-Based Abuse
Bot operators create hundreds of accounts from small IP ranges, datacenter addresses, or known proxy services. The emails might look different, but the infrastructure behind them is the same.
Five signal categories that catch bots
Burner Detection
Matches against 945+ known disposable email providers. Updated continuously. Catches aliases, subdomains, and newly created burner services.
Pattern Analysis
Detects bot-like patterns: sequential digits, keyboard walks, repeated characters, leetspeak, and random strings. Real humans use recognizable name patterns.
IP Velocity
Tracks accounts created per IP over 1-hour and 24-hour windows. Flags mass creation from single addresses or small ranges.
Domain Intelligence
Checks MX records, domain age, SPF/DMARC configuration, and provider classification. Freshly registered domains with no mail history are flagged.
SMTP Verification
Verifies the mailbox actually exists. Catches catch-all domains and mailboxes that were never set up to receive mail.
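The IP Velocity signal described above, as an added example (this is not BigShield's code): a sliding-window counter that tracks signups per IP and per /24 range over 1-hour and 24-hour windows. The class name, the thresholds in `LIMITS`, and the /24 grouping are assumptions chosen for illustration; the IPs in any usage are from documentation ranges.

```javascript
// Added example: signup velocity per IP and per /24 range (in-memory).
// Names and thresholds are assumptions, not BigShield's actual values.
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;
const LIMITS = { ipHour: 3, ipDay: 10, rangeHour: 10, rangeDay: 40 }; // assumed

class SignupVelocity {
  constructor() {
    this.events = new Map(); // key (IP or range) -> array of timestamps in ms
  }

  // IPv4 only in this sketch: "203.0.113.7" -> "203.0.113.0/24"; else null.
  static rangeKey(ip) {
    const octets = ip.split('.');
    if (octets.length !== 4) return null;
    return `${octets.slice(0, 3).join('.')}.0/24`;
  }

  // Prune entries older than 24h, then count those inside the window.
  count(key, now, windowMs) {
    const kept = (this.events.get(key) || []).filter((t) => now - t < DAY_MS);
    this.events.set(key, kept);
    return kept.filter((t) => now - t < windowMs).length;
  }

  // Record one signup attempt; return the counts and the limits they exceed.
  record(ip, now = Date.now()) {
    const range = SignupVelocity.rangeKey(ip);
    for (const key of [ip, range].filter(Boolean)) {
      const list = this.events.get(key) || [];
      list.push(now);
      this.events.set(key, list);
    }
    const counts = {
      ipHour: this.count(ip, now, HOUR_MS),
      ipDay: this.count(ip, now, DAY_MS),
      rangeHour: range ? this.count(range, now, HOUR_MS) : 0,
      rangeDay: range ? this.count(range, now, DAY_MS) : 0,
    };
    const flags = Object.keys(LIMITS).filter((k) => counts[k] > LIMITS[k]);
    return { counts, flags };
  }
}
```

Counting the /24 alongside the single address is what surfaces the "small ranges" case: each address can stay under its own limit while the range as a whole exceeds it.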
Implementation: validate, decide, act
```javascript
const result = await bigshield.validate(email, {
  ip: request.ip,
});

switch (result.fraud_decision) {
  case 'block':
    // Definite bot: reject signup
    return res.status(400).json({
      error: 'Please use a valid email address',
    });
  case 'verify':
    // Suspicious: require additional verification
    await sendVerificationEmail(email);
    return res.json({ step: 'verify-email' });
  case 'allow':
    // Looks legitimate: proceed normally
    await createAccount(email);
    return res.json({ step: 'welcome' });
}
```

BigShield vs. other approaches
| Feature | BigShield | CAPTCHAs | Email Confirmation |
|---|---|---|---|
| Blocks disposable emails | | | |
| Catches pattern-generated emails | | | |
| Detects IP-based abuse | | | |
| User friction | None (invisible) | High (puzzle solving) | Medium (extra step) |
| Response time | Under 100ms | 5 to 30 seconds | Minutes to hours |
| Works with bots that solve CAPTCHAs | | | |
| Provides risk scoring | Yes (0 to 100) | No (pass/fail) | No (pass/fail) |