Methods and systems of classifying suspicious users are described. A processor may determine whether a domain name, of an email address of a user that requested to access a network, is valid. The processor may classify the user as a suspicious user if the domain name is invalid. If the domain name is valid, the processor may determine a likelihood that the email address is a script-generated email address. The processor may classify the user as a suspicious user if the email address is likely to be a script-generated email address. If the email address is unlikely to be a script-generated email address, the processor may identify abnormal usage behavior exhibited by the user based on a reference model. The processor may classify the user as a suspicious user if abnormal usage behavior is identified, and may reject a subsequent request from the user to access the network.