How does BigShield detect fake signups?

BigShield uses multiple signals including format validation, burner/disposable domain detection (945+ known providers), MX record checks, domain reputation analysis, and SMTP verification to produce a 0-100 risk score for every email address.

How fast is the email validation API?

Tier-1 signals (format, domain, burner detection, MX records) return in under 100ms — fast enough for inline signup validation without impacting user experience.

How much can I save by blocking fake signups?

Up to 40% of signups on AI and SaaS platforms use fake or disposable emails. A single abusive account can consume $5-50 in AI tokens. Email validation costs pennies per check, potentially saving thousands in wasted compute.

What programming languages are supported?

BigShield provides 5 official SDKs for TypeScript/Node.js, Python, PHP, Ruby, and Go. All SDKs include typed responses, automatic retries with exponential backoff, and typed error classes. The REST API can also be called from any language using standard HTTP requests with Bearer token authentication.

Can I create custom validation rules?

Yes. BigShield includes a custom rules engine with 6 rule types (domain block/allow, email pattern, IP range, country, and risk threshold), 4 actions (block, allow, review, require verification), and priority ordering. Rules can be managed via the dashboard or the API.

Documentation — BigShield

Getting Started

Install the SDK and make your first validation in under a minute.

1. Install the SDK

npm

npm install bigshield

pip

pip install bigshield

Composer

composer require bigshield/bigshield

RubyGems

gem install bigshield

go get github.com/bigshield/bigshield-go

2. Get your API key

Sign up at bigshield.app and copy your API key from the dashboard. Keys start with ev_live_ for production or ev_test_ for testing.

3. Validate an email

import { BigShield } from 'bigshield';

const shield = new BigShield('ev_live_...');
const result = await shield.validate('user@example.com');

if (result.fraud_decision === 'block') {
  throw new Error('Please use a valid email address');
}

Authentication

All API requests require a Bearer token in the Authorization header.

Header format

Authorization: Bearer ev_live_...

Key formats

Prefix	Environment	Description
ev_live_	Production	Counts against your monthly quota
ev_test_	Testing	Returns mock results, no quota impact

Example requests

const shield = new BigShield('ev_live_...');

Validate Email

POST

/api/v1/validate

Validate a single email address. Returns a risk score, recommendation, and fraud decision. Pass the user's IP address and user agent for enhanced fraud detection.

Request

const result = await shield.validate('user@example.com', {
  ip: req.headers['x-forwarded-for'],       // enables IP signals
  user_agent: req.headers['user-agent'],     // stored for analysis
  fingerprint: clientFingerprint,            // device fingerprint hash
  wait: true,                                // long-poll for async signals
  webhook_url: 'https://myapp.com/webhook',
  metadata: { source: 'signup' },
});

console.log(result.fraud_decision);  // 'allow' | 'block' | 'require_verification' | 'review'
console.log(result.fraud_flags);     // ['proxy_ip', 'burner_domain']

Request body

Field	Type	Required	Description
email	string	Yes	Email address to validate
ip	string	No	User's IP address — enables IP reputation, velocity, and proxy detection signals. Auto-extracted from request headers if not provided.
user_agent	string	No	User's browser user agent string — stored for fraud analysis
fingerprint	string	No	Device fingerprint hash — enables device-based fraud detection (Phase 2)
wait	boolean	No	Long-poll until all async signals complete
webhook_url	string	No	URL to POST results when async signals finish
metadata	object	No	Arbitrary metadata to attach to the validation

Response

{
  "id": "val_a1b2c3d4",
  "email": "user@example.com",
  "status": "completed",
  "risk_score": 82,
  "risk_level": "low",
  "recommendation": "accept",
  "explanation": "Score 82 (accept): Mailbox exists (+12.8); Domain category: major_provider (+14.0); Gravatar profile exists (+4.8)",
  "fraud_decision": "allow",
  "fraud_flags": [],
  "is_role_based": false,
  "is_catch_all": false,
  "has_gravatar": true,
  "canonical_email": "user@gmail.com",
  "suggested_correction": null,
  "ip_data": {
    "ip_address": "1.2.3.4",
    "country_code": "US",
    "isp": "Comcast Cable",
    "is_proxy": false,
    "is_hosting": false,
    "is_mobile": false,
    "risk_score": 70
  },
  "signals": [
    {
      "name": "email-format",
      "tier": "tier1",
      "score_impact": 10,
      "confidence": 1.0,
      "description": "Email pattern: firstname.lastname"
    },
    {
      "name": "gravatar-check",
      "tier": "tier1",
      "score_impact": 8,
      "confidence": 0.75,
      "description": "Gravatar profile exists — real identity signal"
    }
  ],
  "created_at": "2025-01-01T00:00:00Z",
  "updated_at": "2025-01-01T00:00:00Z"
}

Response fields

Field	Type	Description
fraud_decision	string	`allow`, `review`, `require_verification`, or `block`
fraud_flags	string[]	Specific fraud indicators detected (e.g. `proxy_ip`, `burner_domain`, `hosting_ip`)
ip_data	object	IP intelligence data (when IP is provided): country, ISP, proxy/hosting/mobile flags
risk_score	number	0–100 risk score (higher = more legitimate)
recommendation	string	`accept`, `review`, or `reject`
explanation	string	Human-readable summary of the top 3 scoring factors
is_role_based	boolean	Whether the email is a role-based address (info@, admin@, noreply@)
is_catch_all	boolean	Whether the domain accepts all email addresses (catch-all)
has_gravatar	boolean	Whether a Gravatar profile exists for the email
suggested_correction	string \| null	Suggested corrected email if a domain typo was detected (e.g. gmial.com → gmail.com)
canonical_email	string \| null	Normalized email form (dots removed for Gmail, plus tags stripped)
signals	array	Individual signal results with scores, confidence, and descriptions

Fraud Detection

BigShield runs 35+ detection checks — 21 email validation signals and 14 detection layers — to detect fake signups with 99% confidence. Pass the user's IP address to unlock the full suite including proxy detection, IP velocity, device fingerprinting, and behavioral analysis.

Fraud decisions

Decision	Score	Suggested action
allow	61–100	Proceed with signup normally
review	41–60	Allow but flag for manual review or reduced limits
require_verification	26–40	Require email verification, CAPTCHA, or phone verification
block	0–25	Block the signup — almost certainly fraudulent

Fraud flags

Flag	Description
proxy_ip	IP is a known VPN or proxy
hosting_ip	IP belongs to a datacenter or hosting provider
ip_velocity_1h	Multiple accounts created from this IP in the last hour
ip_velocity_24h	Many accounts created from this IP in the last 24 hours
burner_domain	Email uses a known disposable/burner domain
catch_all	Domain accepts all email addresses (catch-all)
suspicious_pattern	Email local part matches bot-like patterns (e.g. user12345)
honeypot_match	Email matches a known spam trap or honeypot pattern
typo_domain	Domain is a typo-squat of a major provider (e.g. gmial.com)
domain_velocity_1h	Unusual number of signups from this domain in the last hour

Example integration

const result = await shield.validate(email, {
  ip: req.headers['x-forwarded-for'],
  user_agent: req.headers['user-agent'],
});

switch (result.fraud_decision) {
  case 'allow':
    await createAccount(email);
    break;
  case 'review':
    await createAccount(email, { flagged: true });
    break;
  case 'require_verification':
    await sendVerificationEmail(email);
    break;
  case 'block':
    return res.status(400).json({ error: 'Signup blocked' });
}

// Check specific fraud flags
if (result.fraud_flags?.includes('proxy_ip')) {
  await logSuspiciousSignup(email, 'proxy');
}

Batch Validation

POST

/api/v1/validate/batch

Validate multiple emails in a single request. Maximum batch size depends on your plan (5 for Free, 25 for Starter, 100 for Pro/Enterprise). IP and user agent are shared across all emails in the batch.

Request

const { results, total, completed } = await shield.batchValidate(
  ['user1@gmail.com', 'fake@tempmail.com', 'real@company.org'],
  {
    ip: req.headers['x-forwarded-for'],
    user_agent: req.headers['user-agent'],
  },
);

const blocked = results.filter(r => r.fraud_decision === 'block');
console.log(`Blocked ${blocked.length} of ${total} emails`);

Request body

Field	Type	Required	Description
emails	string[]	Yes	Array of email addresses to validate
ip	string	No	Shared IP address for fraud detection
user_agent	string	No	Shared user agent string
fingerprint	string	No	Shared device fingerprint hash
webhook_url	string	No	URL for batch completion notification

Get Validation

GET

/api/v1/validation/:id

Retrieve a previous validation result by ID. Useful for polling async results.

const result = await shield.getValidation('val_a1b2c3d4');

Domain Score

GET

/api/v1/domain-score?domain=example.com

Public

Free, public domain reputation lookup. No authentication required. Returns the domain category, trust score, and flags based on static data. For full DNS-based analysis (MX, SPF, DMARC, DKIM, DNSBL), use the authenticated /api/v1/validate endpoint instead.

Request

curl "https://bigshield.app/api/v1/domain-score?domain=example.com"

Query parameters

Param	Type	Required	Description
domain	string	Yes	Domain to look up (e.g. `gmail.com`)

Response

{
  "domain": "example.com",
  "category": "unknown",
  "trust_score": 50,
  "is_major_provider": false,
  "is_free_provider": false,
  "is_trusted": false,
  "is_spam_tld": false,
  "tld_penalty": 0,
  "note": "For full DNS-based analysis with MX/SPF/DMARC/DKIM/DNSBL checks, use the authenticated /api/v1/validate endpoint."
}

Response fields

Field	Type	Description
domain	string	The queried domain
category	string	`major_provider`, `free_provider`, `trusted_domain`, `education`, `government`, or `unknown`
trust_score	number	0-100 trust score (higher = more trustworthy)
is_major_provider	boolean	Gmail, Outlook, Yahoo, iCloud, etc.
is_free_provider	boolean	Free email providers (easy throwaway account creation)
is_spam_tld	boolean	TLD commonly associated with spam (.xyz, .top, .tk, etc.)

Feedback

POST

/api/v1/feedback

Submit feedback on validation results to improve accuracy over time. Report false positives (legitimate emails flagged as spam) or false negatives (spam emails that got through) to help tune the scoring engine.

Request

curl -X POST https://bigshield.app/api/v1/feedback \
  -H "Authorization: Bearer ev_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "feedback": "false_positive",
    "notes": "This is a legitimate customer"
  }'

Request body

Field	Type	Required	Description
email	string	Yes*	Email address the feedback is about
validation_id	string	Yes*	Validation ID to attach feedback to (* provide email or validation_id)
feedback	string	Yes	`false_positive`, `false_negative`, or `correct`
notes	string	No	Optional notes for context

Response

{
  "success": true,
  "message": "Feedback recorded"
}

Usage

GET

/api/v1/usage

Get current usage statistics for the authenticated API key.

const usage = await shield.getUsage();

console.log(`${usage.usage.total} / ${usage.usage.limit} validations used`);
console.log(`Plan: ${usage.plan}`);

Risk Scoring

Every validation returns a risk_score from 0 to 100. Higher scores mean the email is more likely legitimate.

How it works

Base score starts at 50
Each signal adjusts the score: score_impact x confidence
Final score clamped to 0-100
Score maps to a fraud_decision for actionable results

Risk levels

Level	Score Range	Meaning
very_low	85-100	Very likely legitimate
low	70-84	Likely legitimate
medium	50-69	Uncertain — consider review
high	30-49	Likely fake or disposable
very_high	0-29	Almost certainly fake

Recommendations

Recommendation	Score	Suggested action
accept	71+	Allow signup, provision resources
review	50-70	Allow with manual review or reduced limits
reject	0-49	Block signup or require verification

Signal Tiers

Signals are grouped into tiers based on speed and complexity. Tier 1 runs synchronously; Tier 2 and 3 run asynchronously.

Tier 1 — Instant
<100ms

Run synchronously on every request. Always included in the initial response.

email-format — Validates email syntax, detects role-based addresses (info@, admin@)
domain-reputation — Checks MX, SPF, DMARC, DKIM, and DNSBL blacklists; classifies domain category
burner-detection — Matches against 72,000+ known disposable email providers
smtp-validation — Verifies mailbox exists via SMTP, detects catch-all domains with local part quality analysis
email-pattern — Detects bot-like patterns: hex strings, keyboard walks, UUID, hash, and long local parts
honeypot-detection — Catches spam traps, honeypot prefixes, and typo-squat domains
domain-velocity — Tracks signup volume per domain with z-score anomaly detection
gravatar-check — Checks for Gravatar profile existence as a real-person identity signal
domain-age — RDAP lookup to flag freshly-registered domains used for abuse
email-tumbling — Detects dot tricks, plus-tag variants, and fuzzy duplicates
threat-intel — Cross-customer email reputation from aggregate flagging data
cross-signal — Flags when unknown domain + non-personal email pattern combine
ip-reputation — Detects proxies, VPNs, and datacenter IPs
requires IP
ip-history — Tracks accounts per IP, flags high velocity
requires IP

Tier 2 — Fast async
<10s

Run asynchronously via the background worker. Skipped if Tier 1 score is decisive (<30 or >85).

google-search — Checks for online presence associated with the email
hibp-lookup — Checks if the email appears in known data breaches
name-extraction — Extracts and validates name from email local part

Tier 3 — Extended
Async

Advanced signals for deeper analysis.

social-presence — Checks for social media accounts linked to the email
behavioral — Analyzes signup patterns and velocity
payment-association — Checks for payment method associations

Error Handling

Errors return JSON with error, code, and status fields.

{
  "error": "Rate limit exceeded",
  "code": "rate_limited",
  "status": 429
}

Error codes

Code	HTTP Status	Description
invalid_email	400	Email format is invalid
unauthorized	401	Invalid or missing API key
quota_exceeded	403	Monthly validation quota exceeded
rate_limited	429	Too many requests — check rate limits for your plan
internal_error	500	Server error — retry with exponential backoff

SDK error handling

import { BigShield, AuthError, RateLimitError, BigShieldError } from 'bigshield';

try {
  await shield.validate('test@example.com');
} catch (err) {
  if (err instanceof AuthError) {
    // Invalid or missing API key (401)
  } else if (err instanceof RateLimitError) {
    // Rate limit exceeded (429)
    console.log(`Retry after ${err.retryAfter} seconds`);
  } else if (err instanceof BigShieldError) {
    // Other API error
    console.log(err.code, err.status, err.details);
  }
}

Plans & Rate Limits

Plan	Validations/mo	Rate Limit	Batch Size	Price
Free	1,500	10/min	5	$0
Starter	5,000	60/min	25	$29/mo
Pro	50,000	200/min	100	$99/mo
Enterprise	Custom	1,000/min	100	Contact us

SDK Reference

Official SDKs for TypeScript, Python, PHP, Ruby, and Go wrap the REST API with typed methods, automatic retries, and error classes.

Installation

npm

npm install bigshield

pip

pip install bigshield

Composer

composer require bigshield/bigshield

RubyGems

gem install bigshield

go get github.com/bigshield/bigshield-go

Configuration

import { BigShield } from 'bigshield';

// Simple — just pass your API key
const shield = new BigShield('ev_live_...');

// Advanced options
const shield = new BigShield({
  apiKey: 'ev_live_...',
  baseUrl: 'https://bigshield.app',  // default
  timeout: 30000,                     // request timeout in ms
  retries: 2,                         // retry on 5xx errors
});

Async support (Python)

The Python SDK includes an async client for use with asyncio frameworks like FastAPI, Django Channels, or Starlette.

Async client

from bigshield import AsyncBigShield

client = AsyncBigShield("ev_live_...")
result = await client.validate("user@example.com")

Polling for async results

When Tier 2 signals run asynchronously, poll for the completed result using waitForCompletion / wait_for_completion.

const initial = await shield.validate('user@example.com');

if (initial.status === 'partial') {
  const final = await shield.waitForCompletion(initial.id, {
    interval: 1000,   // poll every 1s
    maxAttempts: 30,   // give up after 30s
  });

  console.log(final.risk_score); // Updated with all signals
}

Available methods

All 5 SDKs implement the same methods with language-idiomatic naming conventions. PHP and Ruby use snake_case method names matching Python. Go uses PascalCase with context.Context and functional options.

Method	TypeScript	Python / PHP / Ruby	Go
Validate email	validate()	validate()	Validate(ctx, ...)
Batch validate	batchValidate()	batch_validate()	BatchValidate(ctx, ...)
Get result	getValidation()	get_validation()	GetValidation(ctx, ...)
Poll completion	waitForCompletion()	wait_for_completion()	WaitForCompletion(ctx, ...)
Usage stats	getUsage()	get_usage()	GetUsage(ctx)
Health check	health()	health()	Health(ctx)
Webhook	registerWebhook()	register_webhook()	RegisterWebhook(ctx, ...)

SDK details

SDK	Package	Requirements	Dependencies
TypeScript	bigshield	Node.js 18+	None (uses fetch)
Python	bigshield	Python 3.8+	httpx
PHP	bigshield/bigshield	PHP 8.0+	ext-curl (stdlib)
Ruby	bigshield	Ruby 3.0+	net-http (stdlib)
Go	bigshield-go	Go 1.21+	None (stdlib only)

Documentation

Getting Started

1. Install the SDK

2. Get your API key

3. Validate an email

Authentication

Key formats

Example requests

Validate Email

Request

Request body

Response

Response fields

Fraud Detection

Fraud decisions

Fraud flags

Example integration

Batch Validation

Request

Request body

Get Validation

Domain Score

Request

Query parameters

Response

Response fields

Feedback

Request

Request body

Response

Usage

Risk Scoring

How it works

Risk levels

Recommendations

Signal Tiers

Tier 1 — Instant <100ms

Tier 2 — Fast async <10s

Tier 3 — Extended Async

Error Handling

Error codes

SDK error handling

Plans & Rate Limits

SDK Reference

Installation

Configuration

Async support (Python)

Polling for async results

Available methods

SDK details

Tier 1 — Instant
<100ms

Tier 2 — Fast async
<10s

Tier 3 — Extended
Async