Castle exposes a number of signals in the API response body: a list of potentially risky properties and behaviors that were detected on the event.

Example API response

{
  "action": "deny",
  "user_id": "d84bac6e-3ba8-490a-90ae-a4782b4f9f5a",
  "device_token": "eyJhbGciOiJIUzI1NiJ9.eyJ0b2tlbiI6InJtUllyb0haZFZuZFcyR1p6VzdPLWdSSkt1STciLCJxdWFsaWZpZXIiOiJBUUlDQ2pFeU1qYzFORE0wTkRVIiwiYW5vbnltb3VzIjpmYWxzZSwidmVyc2lvbiI6MC4zfQ._hCtxD77NRQhmPtmB5CP2EE1vb8KZa9j6hY1ee-SXMw",
  "risk": 0.93,
  "signals": {
    "bot_behavior": {},
    "proxy_ip": {},
    "disposable_email": {},
    "multiple_accounts_per_device": {}
  }
}

That is, this event originated from a proxy IP address (proxy_ip), the device information indicates that the event was scripted (bot_behavior), and many different accounts have been used on the device the event was sent from (multiple_accounts_per_device). Also, the user's email address is from a domain commonly used to create one-off addresses (disposable_email).

Note: This feature is enabled for environments created after April 19, 2021. Please contact Castle support if you would like to enable this feature for environments created before this date.


List of signals

Automated activity

bot_behavior: By looking at the interaction patterns on the device, Castle detects non-human, scripted behavior. This signal indicates that a request was produced programmatically by a script or a program rather than by human interaction.
credential_stuffing: Credential stuffing is an automated attack in which stolen account credentials, in particular e-mail addresses, are used to gain unauthorized access to user accounts. Credential stuffing attacks, unlike credential cracking, do not attempt to guess passwords by brute force, but rather leverage a list of leaked credentials.
generated_email: This signal triggers when an attacker is either repeating the same email pattern or submitting completely random emails. The email provider may still be legitimate and non-disposable, but the full email address indicates that it was auto-generated.
high_activity_account: This signal learns what is typical behavior for a user account and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.
high_activity_device: This signal learns what is typical behavior for a device and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.
high_activity_ip: This signal learns the typical rate of traffic coming from IP addresses and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.

Anomalous behavior

impossible_travel: This is triggered by comparing the user's current location with their last known location and detecting trips that are highly unlikely, or even impossible, given the time between the two events. This signal correlates with man-in-the-middle attacks, account takeovers, and offshore attacks.
multiple_accounts_per_device: The device from which this event originated has been used to log into multiple user accounts. This could indicate account abuse or promotion abuse.

Device data error

missing_device_data: The data forwarded from the device to the server is empty. This is possibly due to an attacker attempting to bypass the client-side analysis; however, it could also be due to a misconfigured integration.
invalid_device_data: The data forwarded from the device to the server could not be interpreted, most likely due to a replay attack or request tampering.

Device intelligence

spoofed_device: There is evidence that the request is not coming from a genuine device but that the device parameters have been changed or fabricated. This includes using a device emulator that mimics the entire client context of the device, or simply changing the user agent string in the browser.
headless_browser: A headless browser is a browser that can be used without a graphical interface. It can be controlled programmatically to automate attacks like web scraping, fake account registrations, and credit card testing.
http_client_library: HTTP client libraries are used to send requests to an application with relatively little effort from a command line or a script. They are frequently used in less sophisticated but high-volume automated attacks and abuse.
web_crawler: A web crawler is an application that searches and indexes documents on the Internet. It should be considered abnormal if an authenticated user is claiming to be a web crawler.

Email intelligence

disposable_email_domain: This signal indicates that the email address was issued by a service that provides temporary inboxes that expire after a short time. Examples of such services are Mailinator, TempMail, and Guerrilla Mail.
invalid_email: An email address that does not conform to internet email standards, or which does not exist on the recipient's server. Examples include addresses without the @ sign, addresses that include certain special characters and/or spaces, or failed SMTP authentication attempts.

IP intelligence

abuse_ip: An IP address that was recently found in one of many publicly accessible abuse and spam databases.
datacenter_ip: An IP address belonging to a hosting provider, data center, or content delivery network. Such addresses can provide anonymity and can be used to launch large-scale automated fraud campaigns.
proxy_ip: Proxy servers are used to mask the true location of a device. This signal identifies requests coming from proxy servers both by running the IP address against lists of known proxy IPs and by identifying timezone and timing anomalies that indicate that the traffic was routed through a proxy server.
tor_ip: Tor anonymizes internet traffic and is frequently used by fraudsters to conceal their true location. A Tor IP is an IP address that matches an entry in Tor's official list of exit nodes.

Novel user attributes

new_country: This signal triggers when a user account was accessed from a new country. It only triggers once per user and country combination.
new_device: This signal triggers when a user account was accessed from a new device. It only triggers once per device and does not trigger for the user's first device.
new_device_type: This signal triggers when a user account was accessed from a new device type. It only triggers once per user and device type combination.
new_isp: This signal triggers when a user account was accessed from a new Internet Service Provider. It only triggers once per user and ISP combination.
new_language: This signal triggers when a user account was accessed from a device using a new language setting. It only triggers once per user and language combination.
new_os: This signal triggers when a user account was accessed from a new Operating System. It only triggers once per user and OS combination.
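As an added example (not Castle's own code or SDK), the Python below groups a response's signals by the categories listed on this page, so an analyst sees at a glance why an event was denied, and checks what share of a batch of responses carries device-data errors, since that section names both attackers and a misconfigured integration as causes. The 5% threshold, the sample batch, and the acceptance of both disposable_email (used in the page's example) and disposable_email_domain (used in the table) are assumptions made here.

```python
from typing import Dict, List, Set

# Signal categories exactly as listed on this page.
SIGNAL_CATEGORIES: Dict[str, Set[str]] = {
    "automated_activity": {"bot_behavior", "credential_stuffing", "generated_email",
                           "high_activity_account", "high_activity_device", "high_activity_ip"},
    "anomalous_behavior": {"impossible_travel", "multiple_accounts_per_device"},
    "device_data_error": {"missing_device_data", "invalid_device_data"},
    "device_intelligence": {"spoofed_device", "headless_browser", "http_client_library", "web_crawler"},
    # The page's example uses "disposable_email", its table "disposable_email_domain"; accept both.
    "email_intelligence": {"disposable_email", "disposable_email_domain", "invalid_email"},
    "ip_intelligence": {"abuse_ip", "datacenter_ip", "proxy_ip", "tor_ip"},
    "novel_user_attributes": {"new_country", "new_device", "new_device_type",
                              "new_isp", "new_language", "new_os"},
}

# Constructed sample: the response shown on this page, without the device_token.
EXAMPLE_RESPONSE = {
    "action": "deny",
    "user_id": "d84bac6e-3ba8-490a-90ae-a4782b4f9f5a",
    "risk": 0.93,
    "signals": {"bot_behavior": {}, "proxy_ip": {},
                "disposable_email": {}, "multiple_accounts_per_device": {}},
}

def categorize_signals(response: dict) -> Dict[str, List[str]]:
    """Group one response's signal names by category (sorted within each).
    Names not on this page land under "unknown" rather than being dropped silently."""
    grouped: Dict[str, List[str]] = {}
    for name in sorted(response.get("signals", {})):
        category = next((c for c, names in SIGNAL_CATEGORIES.items() if name in names), "unknown")
        grouped.setdefault(category, []).append(name)
    return grouped

def device_data_health(responses: List[dict], threshold: float = 0.05) -> dict:
    """Share of events carrying missing_device_data or invalid_device_data.
    Attackers produce scattered hits; a sustained share above `threshold`
    (assumed 5%) across all traffic points at a misconfigured integration."""
    total = len(responses)
    errors = sum(1 for r in responses
                 if SIGNAL_CATEGORIES["device_data_error"] & set(r.get("signals", {})))
    ratio = errors / total if total else 0.0
    return {"events": total, "device_data_errors": errors,
            "ratio": ratio, "suspect_integration": ratio > threshold}

# Constructed batch: the page's example plus nine synthetic events, three of which
# carry missing_device_data (30% of the batch, well above the assumed threshold).
SAMPLE_BATCH = [EXAMPLE_RESPONSE] + [{"action": "allow", "risk": 0.1, "signals": {}}] * 6 \
    + [{"action": "challenge", "risk": 0.6, "signals": {"missing_device_data": {}}}] * 3
```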