Assessed Signals
Opportify evaluates dozens of signals across multiple intelligence sources to produce a composite risk score. This page documents the baseline categories of signals we can assess. The actual signals evaluated for any given request depend on the inputs you provide — for example, email signals are only assessed when an email address is included, and behavioral signals require the JS Script integration.
Our signal library is dynamic and continuously expanding. The signals listed here represent the foundational categories we evaluate. We regularly add new detectors, refine scoring weights, and introduce novel signal sources without requiring any changes on your end.
For security reasons, we do not disclose the full list of signals, internal scoring weights, or detection thresholds. Publishing every signal in detail would give fraudsters a blueprint to evade detection. Our goal is transparency about what we assess, while keeping how we score it unpredictable to adversaries.
Risk Score Overview
Every analysis produces a risk score ranging from 200 (lowest risk) to 1000 (highest risk), along with a human-readable risk level:
| Score Range | Level | Interpretation |
|---|---|---|
| ≤ 300 | lowest | Very low risk — likely legitimate |
| 301–400 | low | Low risk — minor signals present |
| 401–600 | medium | Moderate risk — warrants review |
| 601–800 | high | High risk — likely fraudulent |
| > 800 | highest | Very high risk — strong fraud indicators |
The final score is a weighted composite of signals from six intelligence sources: email, IP, content, session (behavioral), velocity, and geographic consistency.
Email Intelligence Signals
Assessed when an email address is provided.
Deliverability & Mailbox
| Signal | Description |
|---|---|
| SMTP verification | Real-time probe to determine if the mailbox exists and accepts mail |
| Deliverability classification | Classified as yes, no, or unknown |
| Catch-all detection | Whether the domain accepts mail to any address |
| Mailbox full detection | Whether the mailbox is over quota |
| Reachability | Whether the domain's mail infrastructure is reachable |
Domain Classification
| Signal | Description |
|---|---|
| Disposable domain detection | Temporary/throwaway email providers |
| Free provider detection | Well-known free email services (Gmail, Yahoo, etc.) |
| Provider identification | Resolved email provider name |
| Email type classification | private, free, or disposable |
DNS & Authentication
| Signal | Description |
|---|---|
| MX record validation | Whether valid mail exchange records exist |
| SPF record validation | Sender Policy Framework presence and validity |
| DKIM configuration | DomainKeys Identified Mail selector presence |
| DMARC validation | Domain-based Message Authentication policy |
| MX relay detection | Whether the domain routes through a relay service |
| MX relay categorization | security-gateway, alias-forwarder, or transactional-relay |
Domain Enrichment
| Signal | Description |
|---|---|
| Domain age | How long the domain has been registered |
| Domain expiration | Expiry status (expired, expiring soon, recently expired) |
| Registrar identification | Domain registrar |
| SSL certificate validity | Whether the domain has a valid SSL cert |
| A record validation | Whether the domain resolves to a valid IP |
| Blocklist status | Whether the domain appears on known blocklists |
| MTA-STS / BIMI status | Email security policy indicators |
Address Structure
| Signal | Description |
|---|---|
| Plus-addressing (tag) detection | Identifies user+tag@domain patterns |
| Role address detection | Shared inboxes like info@, support@, admin@ |
| No-reply detection | Addresses matching no-reply patterns |
| Email correction | Misspelling detection and suggested corrections |
Email Risk Factors
When risk is elevated, the top contributing factors are surfaced. Examples include:
instant-bounce · no-mx-or-invalid · disposable-domain · free-provider · blocklisted-domain · new-domain · young-domain · spoofing-risk · domain-expired · domain-expiring-soon · invalid-ssl · catch-all-domain · mailbox-full · missing-auth-spf · alias-forwarder-mx · transactional-relay-mx · tagged-address · role-address · noreply-detected · provider-unknown · deliverability-unknown
IP Intelligence Signals
Assessed when a user IP address is provided.
Connection & Network Type
| Signal | Description |
|---|---|
| Connection type classification | enterprise, wired, mobile, vpn, tor, open-proxy, cloud-provider, satellite |
| Trusted provider detection | Known legitimate infrastructure providers |
| Reverse DNS resolution | Whether the IP has a valid PTR record |
Geolocation
| Signal | Description |
|---|---|
| Country, region, city | Geographic location of the IP |
| Continent & coordinates | Broad and precise location data |
| Timezone | Timezone associated with the IP |
| Phone/currency/language codes | Regional metadata |
WHOIS & Network Registration
| Signal | Description |
|---|---|
| ASN identification | Autonomous System Number and name |
| Organization details | Registered organization for the IP range |
| RIR source | Regional Internet Registry (ARIN, RIPE, APNIC, etc.) |
| Contact records | Abuse, admin, and tech contacts |
Blocklist & Reputation
| Signal | Description |
|---|---|
| Blocklist presence | Whether the IP is flagged on known blocklists |
| Active abuse reports | Number of active reports |
| Blocklist sources | Number of independent sources reporting the IP |
IP Risk Factors
ip-blocklisted · active-abuse-reports · tor-exit-node · open-proxy · vpn · cloud-hosting · no-reverse-dns · satellite-network · mobile-network · missing-whois · missing-asn · trusted-provider
Behavioral (Session) Signals
Assessed only when the Opportify JS Script is integrated on your pages. These signals are not available for API-only integrations that do not include the client-side script — in those cases, risk scoring relies on the other signal categories (email, IP, content, velocity, and geo).
Bot & Automation Detection
| Signal | Description |
|---|---|
| Automation tools detection | Detects headless browsers, Puppeteer, Selenium, Playwright, and similar tools |
| Honeypot interaction | Hidden fields filled by bots but invisible to real users |
| Bot agent detection | User agent strings associated with known bot frameworks |
| User agent consistency | Compares declared UA with actual browser capabilities |
Human Interaction Analysis
| Signal | Description |
|---|---|
| Typing speed analysis | Detects inhuman typing speeds or absence of typing |
| Interaction provenance | Classifies input method as legitimate, password-manager, or bot based on event patterns |
| Form interaction presence | Whether the user interacted with the form at all |
| Mouse/pointer behavior | Detects stuck or absent pointer movement |
| Submit timing | Time between page load and form submission (instant-submit, rapid-submit) |
Device Context
| Signal | Description |
|---|---|
| User agent parsing | Browser, engine, OS, device type, CPU architecture |
| Screen & viewport | Resolution, color depth, pixel ratio, orientation |
| Hardware capabilities | CPU cores, device memory |
| Storage APIs | LocalStorage, SessionStorage, IndexedDB availability |
| User preferences | Color scheme, reduced motion, contrast settings |
| Device fingerprint consistency | Detects drift between sessions |
Session Behavioral Factors
honeypot · automation-tools · typing-speed-anomaly · suspicious-mouse · device-drift · sdk-ua-mismatch · content-gibberish · instant-submit · rapid-submit · no-device-fingerprint · no-form-interaction · multiple-pageloads · automation-hint · password-manager-fill
content-gibberish vs Content Analysiscontent-gibberish in the session factors refers to real-time client-side detection of gibberish-like typing patterns as the user interacts with the form. The Content Analysis section below covers server-side post-submission text analysis on the final field values. Both contribute to the overall score independently.
Content Analysis Signals
Assessed on text fields (names, subject, message) submitted with the form.
| Signal | Description |
|---|---|
| Gibberish detection | Scores text fields for random/nonsensical character patterns |
| Spam content detection | Identifies common spam patterns in message content |
Content is analyzed independently per field (names, subject, message) with individual gibberish and spam scores.
Velocity Signals
Assessed across submission history for the same identifiers.
| Signal | Description |
|---|---|
| Short-window frequency | Submissions within 1-minute and 5-minute windows |
| Medium-window frequency | Submissions within a 1-hour window |
| Long-window frequency | Submissions within a 24-hour window |
| Anomaly detection | Flags when frequency exceeds adaptive thresholds |
Geographic Consistency Signals
Cross-references geographic data from multiple sources to detect inconsistencies.
| Signal | Description |
|---|---|
| IP country vs. declared country | Compares the IP's geolocation with user-provided country |
| Email domain country | Country associated with the email domain |
| Phone country code | Country derived from phone number prefix |
| Session country | Country from session/device context |
| Consistency score | Overall geographic alignment assessment |
Why We Don't Disclose Everything
We intentionally withhold some details about our signal assessment:
-
Security through unpredictability — Publishing every signal and its exact weight would allow adversaries to craft submissions that specifically evade each check. By keeping parts of our detection logic opaque, we maintain an information asymmetry that works in your favor.
-
Continuous improvement — Our team constantly ships new detectors and adjusts scoring models based on emerging fraud patterns. Documenting every internal change would be impractical and would create stale documentation that misleads integrators.
-
Responsible disclosure — Certain detection techniques are more effective when their existence isn't publicly known. Once a technique is documented, sophisticated attackers will attempt to circumvent it.
What we commit to: transparency about the categories of signals assessed, clear API response documentation, and actionable risk factors in every response so you always understand why a submission was scored the way it was.