ValidEmailChecker

Why is a login marked as "suspicious" on my Valid Email Checker account?

Last updated May 20, 2026Account & security

When Valid Email Checker logs a successful sign-in, the log-login-attempt edge function decides whether to mark the row as suspicious. Separately, the session-creation function decides whether to send you a "new device sign-in" email. The two checks look at slightly different signals, and both lean toward the safe side — false positives are annoying, but a missed flag on a real attacker is much worse.

How the suspicious flag is set

The flag lives in the login_history table as the is_suspicious column. After a successful login, the function reads your last five successful logins and compares the new login's device name (e.g. "MacBook Pro", "Windows PC", "iPhone") against that history. If none of the last five had this device, the new login is marked suspicious. The flag does not block the login — you are signed in either way — but it surfaces the event for review and feeds the security-email decision.

What triggers the security email

The manage-sessions function runs a stricter check before deciding whether to email you. It pulls your last 100 sessions and asks two questions:

  • New country? If the login country is not in your known-countries set, an email is always sent. Country mismatches are the strongest signal we have.
  • New subnet? Even within a known country, if the first three octets of the IP have never been seen on your account (e.g. you usually appear from 192.0.2.* and now you are coming from 198.51.100.*), we send an email.
  • Known subnet? No email. This is the common case — you signed in from the same home network as always.
  • First login ever? No email. Without history, every signal looks new and we would just spam you.

Common reasons for a "suspicious" flag that is actually fine

  • You switched browsers (Chrome to Safari) on the same machine — different user-agent, so a slightly different device label.
  • A new phone or laptop. The first login from any new hardware will look new because it is.
  • Your ISP rotated your IP into a different /24 subnet.
  • You travelled to another country. The country check fires before VEC has any reason to know you booked a flight.
  • You were on a VPN today and you are not now (or vice versa).
Suspicious vs. blocked
A suspicious flag never blocks sign-in. We let the login through and notify you. If you did not initiate it, the right move is to report it and rotate credentials immediately.

Related questions

Where do I see my login history in the dashboard?
How do I report a suspicious login on my Valid Email Checker account?
What does the active sessions list show and where does the location come from?
How do I enable two-factor authentication (2FA) on my account?
Back to all FAQs

Still stuck? Email support