What is an IP reputation score?

An IP reputation score is a numerical value (typically 0-100) that indicates the trustworthiness of an IP address based on historical behavior, threat intelligence feeds, and connection characteristics. Higher scores indicate higher risk.

How is IP reputation calculated?

IP reputation is calculated by analyzing multiple factors including: presence on threat intelligence lists, connection type (VPN, proxy, Tor), datacenter vs residential classification, historical abuse reports, and network behavior patterns.

Can IP reputation detect VPNs and proxies?

Yes, IP reputation APIs like IPBot detect VPNs, proxies, Tor exit nodes, and datacenter IPs. This information is included in the response along with specific reasons for the classification.

Is IP reputation suitable for fraud prevention?

IP reputation is a critical component of fraud prevention systems. It helps identify suspicious connections, detect account takeover attempts, prevent payment fraud, and block automated attacks from malicious infrastructure.

IP Reputation API - Risk Scoring and Threat Detection

A reputation signal you can audit: scores come with reasons and threat-list matches.

API Reference

IPBot’s risk scoring is designed to be explainable. Instead of a black box, responses include risk_reasons[] and threat_lists[] so you can build stable UI and internal policy rules.

Example

curl -s https://api.ipbot.com/8.8.8.8 | jq ‘.security | {risk_score, threat_level, risk_reasons, threat_lists}’

Pair this with caching guidance in Rate Limits.

What Is IP Reputation?

IP reputation is a trust assessment for an IP address based on its historical behavior, network characteristics, and presence on threat intelligence feeds. Unlike simple geolocation that answers “where is this IP?”, reputation scoring answers “should I trust this IP?”

Every IP address accumulates a digital footprint over time. Mail servers that send spam get blacklisted. IPs used for DDoS attacks appear on abuse databases. VPN and proxy services operate from known IP ranges. Datacenters host both legitimate services and malicious infrastructure. IP reputation aggregates these signals into actionable intelligence.

The global IP reputation and fraud detection market reached $3.2 billion in 2024 and is projected to grow at 14.8% CAGR through 2030. This growth is driven by increasing online fraud, regulatory compliance requirements, and the need for real-time risk assessment in digital transactions.

How IPBot Calculates Risk Scores

IPBot generates a risk score from 0-100 for every IP address, where 0 indicates minimal risk and 100 indicates maximum risk. Unlike black-box scoring systems, IPBot provides complete transparency about what factors contributed to the score.

Scoring Factors

Connection Type Analysis (0-30 points)

VPN detection: +15 to +25 points depending on the provider
Proxy detection: +10 to +20 points based on proxy type
Tor exit node: +25 to +30 points (highest anonymization)
Residential proxy: +20 points (often used for fraud)

Infrastructure Classification (0-25 points)

Datacenter/hosting IP: +5 to +15 points
Cloud provider ranges: +5 to +10 points
Known bulletproof hosting: +20 to +25 points

Threat Intelligence (0-45 points)

Presence on spam blacklists: +5 to +15 points per list
Abuse database entries: +10 to +20 points
Known malware infrastructure: +15 to +25 points
Recent attack source: +10 to +20 points

Response Structure

{
  "security": {
    "risk_score": 65,
    "threat_level": "medium",
    "is_proxy": true,
    "is_vpn": true,
    "is_tor": false,
    "is_datacenter": true,
    "is_crawler": false,
    "risk_reasons": ["vpn_detected", "datacenter_ip", "threat_list_match"],
    "threat_lists": ["spamhaus_drop", "abuse_ch"]
  }
}

Use Cases for IP Reputation

Fraud Prevention in E-commerce

Online fraud costs businesses over $48 billion annually. IP reputation provides a critical first-line defense by identifying suspicious connections before transactions complete.

Implementation Pattern:

async function assessTransactionRisk(ip, orderValue) {
  const response = await fetch(`https://api.ipbot.com/${ip}`);
  const data = await response.json();

  const { security } = data;

  // High-value transactions from risky IPs require additional verification
  if (orderValue > 500 && security.risk_score > 50) {
    return {
      action: "REQUIRE_VERIFICATION",
      reasons: security.risk_reasons,
      score: security.risk_score,
    };
  }

  // Block transactions from extremely high-risk IPs
  if (security.risk_score > 85) {
    return {
      action: "BLOCK",
      reasons: security.risk_reasons,
      score: security.risk_score,
    };
  }

  // VPN users may need additional friction
  if (security.is_vpn && orderValue > 200) {
    return {
      action: "SOFT_CHALLENGE",
      reasons: ["vpn_detected"],
      score: security.risk_score,
    };
  }

  return { action: "ALLOW", score: security.risk_score };
}

Key Fraud Signals:

Mismatch between billing address country and IP geolocation
Known proxy or VPN usage during high-value purchases
IP associated with previous chargebacks
Multiple accounts from same high-risk IP

Email Validation and Deliverability

Email service providers and marketers use IP reputation to validate signups and protect deliverability. Fraudulent signups from disposable email addresses often originate from anonymized connections.

Email Signup Validation:

import requests

def validate_email_signup(ip_address, email):
    response = requests.get(f'https://api.ipbot.com/{ip_address}')
    data = response.json()

    security = data['security']

    # Flag signups from anonymized connections
    if security['is_tor'] or security['is_proxy']:
        return {
            'valid': False,
            'reason': 'anonymous_connection',
            'action': 'require_phone_verification'
        }

    # Datacenter IPs often indicate bots
    if security['is_datacenter'] and security['risk_score'] > 40:
        return {
            'valid': False,
            'reason': 'suspected_bot',
            'action': 'show_captcha'
        }

    # Check for threat list presence
    if security['threat_lists']:
        return {
            'valid': False,
            'reason': 'ip_on_threat_list',
            'action': 'block_signup'
        }

    return {'valid': True, 'risk_score': security['risk_score']}

Access Control and Authentication

IP reputation enhances authentication security by identifying suspicious login attempts before they succeed.

Adaptive Authentication:

async function getAuthenticationLevel(ip, userId) {
  const [ipData, userHistory] = await Promise.all([
    fetch(`https://api.ipbot.com/${ip}`).then((r) => r.json()),
    getUserLoginHistory(userId),
  ]);

  const { security, location } = ipData;

  // New location from high-risk IP = maximum friction
  const isNewLocation = !userHistory.countries.includes(location.country_code);

  if (isNewLocation && security.risk_score > 60) {
    return "MFA_REQUIRED_WITH_EMAIL_NOTIFICATION";
  }

  // VPN from new location = elevated friction
  if (isNewLocation && security.is_vpn) {
    return "MFA_REQUIRED";
  }

  // Known threat lists = block and notify
  if (security.threat_lists.length > 0) {
    return "BLOCK_WITH_ADMIN_ALERT";
  }

  // High risk score = challenge
  if (security.risk_score > 70) {
    return "CAPTCHA_REQUIRED";
  }

  return "STANDARD_AUTH";
}

API Rate Limiting and Bot Protection

IP reputation helps distinguish legitimate API consumers from abusive bots and scrapers.

function calculateRateLimit(ipData) {
  const { security } = ipData;

  // Datacenter IPs get stricter limits
  if (security.is_datacenter) {
    return { requestsPerMinute: 10, burstLimit: 20 };
  }

  // High-risk IPs get minimal access
  if (security.risk_score > 70) {
    return { requestsPerMinute: 5, burstLimit: 10 };
  }

  // Proxies get reduced limits
  if (security.is_proxy || security.is_vpn) {
    return { requestsPerMinute: 30, burstLimit: 50 };
  }

  // Normal residential traffic
  return { requestsPerMinute: 60, burstLimit: 100 };
}

Threat Intelligence Sources

IPBot aggregates data from multiple threat intelligence providers and internal analysis:

Source Type	Examples	Update Frequency
Spam Blacklists	Spamhaus, Barracuda, SpamCop	Hourly
Abuse Databases	AbuseIPDB, Blocklist.de	Real-time
Malware Feeds	Abuse.ch, PhishTank	Hourly
VPN/Proxy Lists	Commercial and community databases	Daily
Tor Exit Nodes	Tor Project official list	Every 30 minutes
Datacenter Ranges	Cloud provider IP allocations	Weekly

Explainable Risk Reasons

Every risk score includes human-readable reasons:

Risk Reason	Description	Typical Impact
`vpn_detected`	IP belongs to known VPN provider	+15-25 points
`proxy_detected`	IP is a known proxy server	+10-20 points
`tor_exit_node`	IP is a Tor exit node	+25-30 points
`datacenter_ip`	IP belongs to hosting provider	+5-15 points
`threat_list_match`	IP appears on threat intelligence feeds	+10-25 points
`spam_source`	IP has sent spam	+15-20 points
`brute_force_source`	IP used for brute force attacks	+20-25 points
`residential_proxy`	Residential IP used as proxy	+20 points

Integration Examples

cURL

# Get reputation data for any IP
curl -s https://api.ipbot.com/185.220.101.42 | jq '.security'

# Check specific security fields
curl -s https://api.ipbot.com/185.220.101.42 | jq '{
  risk_score: .security.risk_score,
  is_vpn: .security.is_vpn,
  reasons: .security.risk_reasons
}'

JavaScript / Node.js

class IPReputationClient {
  constructor(baseUrl = "https://api.ipbot.com") {
    this.baseUrl = baseUrl;
    this.cache = new Map();
    this.cacheTTL = 3600000; // 1 hour
  }

  async getReputation(ip) {
    // Check cache first
    const cached = this.cache.get(ip);
    if (cached && Date.now() - cached.timestamp < this.cacheTTL) {
      return cached.data;
    }

    const response = await fetch(`${this.baseUrl}/${ip}`);
    if (!response.ok) {
      throw new Error(`Failed to get reputation: ${response.status}`);
    }

    const data = await response.json();

    // Cache the result
    this.cache.set(ip, { data: data.security, timestamp: Date.now() });

    return data.security;
  }

  async isHighRisk(ip, threshold = 70) {
    const reputation = await this.getReputation(ip);
    return reputation.risk_score >= threshold;
  }

  async getThreats(ip) {
    const reputation = await this.getReputation(ip);
    return {
      isVPN: reputation.is_vpn,
      isProxy: reputation.is_proxy,
      isTor: reputation.is_tor,
      threatLists: reputation.threat_lists,
      reasons: reputation.risk_reasons,
    };
  }
}

// Usage
const client = new IPReputationClient();

const reputation = await client.getReputation("185.220.101.42");
console.log(`Risk Score: ${reputation.risk_score}`);
console.log(`Threat Level: ${reputation.threat_level}`);
console.log(`Reasons: ${reputation.risk_reasons.join(", ")}`);

Python

import requests
from functools import lru_cache
from datetime import datetime, timedelta

class IPReputationClient:
    def __init__(self, base_url='https://api.ipbot.com'):
        self.base_url = base_url
        self._cache = {}
        self._cache_ttl = timedelta(hours=1)

    def get_reputation(self, ip: str) -> dict:
        # Check cache
        if ip in self._cache:
            cached_data, cached_time = self._cache[ip]
            if datetime.now() - cached_time < self._cache_ttl:
                return cached_data

        response = requests.get(f'{self.base_url}/{ip}')
        response.raise_for_status()

        data = response.json()
        security = data['security']

        # Update cache
        self._cache[ip] = (security, datetime.now())

        return security

    def is_high_risk(self, ip: str, threshold: int = 70) -> bool:
        reputation = self.get_reputation(ip)
        return reputation['risk_score'] >= threshold

    def get_threat_summary(self, ip: str) -> dict:
        reputation = self.get_reputation(ip)
        return {
            'score': reputation['risk_score'],
            'level': reputation['threat_level'],
            'is_anonymous': reputation['is_vpn'] or reputation['is_proxy'] or reputation['is_tor'],
            'threats': reputation['threat_lists'],
            'reasons': reputation['risk_reasons']
        }

# Usage
client = IPReputationClient()

# Check if IP is high risk
if client.is_high_risk('185.220.101.42'):
    print('High risk IP detected!')

# Get detailed threat information
threats = client.get_threat_summary('185.220.101.42')
print(f"Risk Score: {threats['score']}")
print(f"Anonymous: {threats['is_anonymous']}")
print(f"Reasons: {', '.join(threats['reasons'])}")

PHP

<?php

class IPReputationClient {
    private string $baseUrl;
    private array $cache = [];
    private int $cacheTTL = 3600;

    public function __construct(string $baseUrl = 'https://api.ipbot.com') {
        $this->baseUrl = $baseUrl;
    }

    public function getReputation(string $ip): array {
        // Check cache
        if (isset($this->cache[$ip])) {
            $cached = $this->cache[$ip];
            if (time() - $cached['timestamp'] < $this->cacheTTL) {
                return $cached['data'];
            }
        }

        $response = file_get_contents("{$this->baseUrl}/{$ip}");
        $data = json_decode($response, true);

        // Cache result
        $this->cache[$ip] = [
            'data' => $data['security'],
            'timestamp' => time()
        ];

        return $data['security'];
    }

    public function isHighRisk(string $ip, int $threshold = 70): bool {
        $reputation = $this->getReputation($ip);
        return $reputation['risk_score'] >= $threshold;
    }
}

// Usage
$client = new IPReputationClient();
$reputation = $client->getReputation('185.220.101.42');

echo "Risk Score: " . $reputation['risk_score'] . "\n";
echo "VPN: " . ($reputation['is_vpn'] ? 'Yes' : 'No') . "\n";

Comparison: IPBot vs Competitors

Feature	IPBot	MaxMind minFraud	IPQS	Sift
Free Tier	Yes	No	Limited	No
API Key Required	No	Yes	Yes	Yes
Risk Score	0-100	0-99	0-100	0-100
Explainable Reasons	Yes	Limited	Yes	Limited
VPN Detection	Included	Separate product	Included	Included
Tor Detection	Included	Separate product	Included	Included
Real-time Threat Lists	Yes	Yes	Yes	Yes
CORS Enabled	Yes	No	Yes	No
Response Time	Under 50ms	Under 100ms	Under 100ms	Under 150ms
Pricing	Free tier available	From $50/mo	From $99/mo	Custom

Best Practices

1. Use Risk Thresholds Appropriately

Different actions require different thresholds:

const THRESHOLDS = {
  BLOCK: 85, // Very high confidence of malicious
  REQUIRE_MFA: 60, // Elevated risk, verify identity
  SHOW_CAPTCHA: 40, // Moderate risk, prove human
  LOG_ONLY: 20, // Low risk, just monitor
};

2. Combine with Other Signals

IP reputation is one component of a comprehensive fraud detection system:

function calculateOverallRisk(ipData, userBehavior, deviceFingerprint) {
  const ipRisk = ipData.security.risk_score * 0.3;
  const behaviorRisk = userBehavior.anomalyScore * 0.4;
  const deviceRisk = deviceFingerprint.riskScore * 0.3;

  return ipRisk + behaviorRisk + deviceRisk;
}

3. Handle VPNs Thoughtfully

Not all VPN users are malicious. Consider context:

function assessVPNRisk(ipData, context) {
  if (!ipData.security.is_vpn) return "low";

  // Privacy-conscious users in sensitive contexts
  if (context.isPrivacySensitive) return "acceptable";

  // High-value transactions from VPNs need verification
  if (context.transactionValue > 1000) return "high";

  // Account creation from VPN is suspicious
  if (context.isNewAccount) return "elevated";

  return "moderate";
}

4. Cache Appropriately

IP reputation changes slowly. Cache for at least 1 hour:

// Recommended cache TTLs
const CACHE_TTL = {
  HIGH_RISK: 1800000, // 30 minutes for high-risk IPs
  MEDIUM_RISK: 3600000, // 1 hour for medium-risk
  LOW_RISK: 86400000, // 24 hours for low-risk
};

Frequently Asked Questions

What is the difference between IP reputation and IP geolocation?

IP geolocation determines the physical location of an IP address (country, city, coordinates). IP reputation assesses the trustworthiness of an IP based on its history and characteristics. Both are useful for different purposes - geolocation for localization and compliance, reputation for security and fraud prevention.

How often is reputation data updated?

IPBot updates threat intelligence feeds hourly, Tor exit node lists every 30 minutes, and VPN/proxy databases daily. Risk scores are calculated in real-time based on the latest available data.

Can IP reputation be spoofed?

The IP address itself cannot be spoofed in a TCP connection due to the three-way handshake. However, attackers can use previously unknown IPs or rotate through IP addresses. This is why IP reputation should be one component of a multi-layered security approach.

Should I block all VPN traffic?

Not necessarily. Many legitimate users use VPNs for privacy, especially in countries with internet restrictions. Instead of blanket blocking, consider requiring additional verification for high-risk actions from VPN IPs.

How do I handle false positives?

Build an appeals process and monitor your block rates. If legitimate users are frequently flagged, adjust your thresholds or add exceptions for specific use cases. Use risk scoring as one input rather than the sole decision factor.

Get Started

Start using IP reputation scoring in your application:

# Quick test
curl https://api.ipbot.com/185.220.101.42 | jq '.security'

Resources:

API Reference - Complete endpoint documentation
Rate Limits - Caching and usage guidelines
Code Examples - Integration samples in multiple languages
Proxy Detection - Deep dive into VPN/proxy detection