How IP Quality Scores Are Calculated


IP risk levels can be categorized as Low, Medium, High, or Extreme, with Extreme Risk being the most severe. While different scoring systems exist, most classify IP risk on a scale from Low risk (minimal threat) to Extreme risk (highest threat level). How those scores are calculated is unique to the risk assessment platform, each using a proprietary algorithm based on available data.

What data makes up those inputs? How are IP scores calculated using that data? Let’s examine the key benchmarks and metrics that determine an IP quality score. What makes one IP address riskier than another?

None of these questions has a simple answer, and you may get differing opinions. Risk scores are generated using innumerable data points collected over time, with most of them fitting into nine categories:

Table Of Contents:

  • IP Abuse Reports
  • Blocklist Status
  • Historical IP Behavior
  • Geographic Location
  • Associated Devices
  • Network Reputation
  • High-Risk Connections
  • IP Type
  • Recent Behavior Patterns

Let’s explore each of these and how they impact IP quality scores.

IP Abuse Reports

If an IP has been found to be engaging in malicious or fraudulent behavior, it can and should be reported in a few ways. Gather evidence and document why you believe an IP address is bad, and report it to the network and authorities.

Report IP To Network

In many regions, networks that provide internet service are legally required to provide mechanisms for reporting the behavior of IP addresses under their management.

To find out what network an IP address is on and how to contact them, visit Whois.com’s free domain and IP lookup tool. Note that this tool provides information about the network the IP address is on, not the risk score or geolocation. If you know the network of the IP address, you can find the phone number or email address to contact them and report an IP.

Report IP To Authorities

In the United States, the FBI and Internet Crime Complaint Center (IC3) protect people from cybercrime and fraud. If you believe you’ve been the victim of fraud, and you know the IP address of the perpetrator, contact federal law enforcement officers.

Contact your local FBI Field Office

File a complaint with the IC3

How fraud reports impact IP risk scores: Once an IP address has been credibly reported for fraud, the fraud score increases dramatically, resulting in an unsafe rating.

IP Block List Status

IP block lists are specialized databases that catalog potentially harmful internet addresses, enabling network administrators to filter and block suspicious traffic. These lists are dynamically maintained through continuous monitoring and data collection, identifying IPs associated with malicious activities such as spam, hacking attempts, or distributed denial-of-service (DDoS) attacks.

While some block lists may incorporate reports from law enforcement, many are independently curated by cybersecurity organizations and internet service providers to actively protect network infrastructure and users.

Organizations can implement these block lists at different network levels, such as firewalls, email servers, and web applications, to automatically prevent potential security threats from accessing their systems.

How block lists impact IP risk scores: IP addresses on block lists have been identified as risky or fraudulent, and their pervasiveness on a network or a region may impact other IP addresses.

Historical IP Behavior

Not every shady IP address has been added to a block list or reported. However, before that happens, they exhibit tell-tale signs of fraudulent activities. Three of the more common signs that an IP’s behavior may be suspicious include:

  • IP User Diversity: IPs will have a median range of online identities associated with them, so those IP addresses with an abnormally high number of individual users can be seen as more risky. 
  • Interaction Velocity: The number and speed of interactions with web servers can indicate bot activity or malicious script running. 
  • Historical Cases of Fraud: The IP has instances of known or suspected fraud associated with it.

How historical behavior impacts IP risk scores: The more an IP’s behavior deviates from the norm, the riskier it can appear to the average network.
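The first two signals above can be measured directly from request logs. The following is an added example, not code from the original page or from any scoring vendor; the event tuples, the 60-second window and the "3x the median" threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (ip, user_id, unix_timestamp).
# Addresses come from the RFC 5737 documentation ranges.
EVENTS = (
    [("192.0.2.10", "alice", t) for t in (0, 400, 900)]
    + [("192.0.2.11", "bob", t) for t in (50, 700)]
    + [("192.0.2.12", u, t) for u, t in (("carol", 10), ("dave", 800))]
    # One address cycling through 20 identities, one request per second.
    + [("198.51.100.7", f"user{i}", 1000 + i) for i in range(20)]
)

def ip_signals(events, window=60):
    """Per IP: distinct users seen, and peak request count in any `window` seconds."""
    users, times = defaultdict(set), defaultdict(list)
    for ip, user, ts in events:
        users[ip].add(user)
        times[ip].append(ts)
    signals = {}
    for ip in users:
        ts = sorted(times[ip])
        peak, lo = 0, 0
        for hi in range(len(ts)):
            # Slide the left edge so the span stays strictly under `window`.
            while ts[hi] - ts[lo] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        signals[ip] = {"users": len(users[ip]), "peak_rate": peak}
    return signals

def flag_outliers(signals, factor=3):
    """Flag IPs whose signal exceeds `factor` times the median across all IPs.

    The multiplier is an assumed threshold, not one any real platform publishes.
    """
    flagged = {}
    for key in ("users", "peak_rate"):
        med = median(s[key] for s in signals.values())
        for ip, s in signals.items():
            if s[key] > factor * med:
                flagged.setdefault(ip, []).append(key)
    return flagged

if __name__ == "__main__":
    print(flag_outliers(ip_signals(EVENTS)))
```

Comparing against the population median rather than a fixed number keeps the check meaningful on shared addresses such as offices or carrier NAT, where the normal user count is higher.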

Location

When assessing an IP address’s geographic risk, analysts evaluate two critical factors: its alignment with user data patterns and the regional fraud rates. This analysis

Geolocation Consistency

Does the IP address’s location match the user-provided location data? A mismatch does not always indicate fraud, but it can be a strong signal. For example, if an IP address, shipping address and phone number are all from different locations, that may be seen as riskier behavior.

Regional Fraud Rates

Just like historical IP data, online fraud rates from a region help determine IP risk scores. How this is weighted and the specificity of the region being evaluated will help determine how an IP address is viewed. 

How region impacts IP risk scores: An IP address that primarily operates outside its geographic region, or that is within a region known for fraud, may receive a higher initial fraud score.

Associated Devices

According to Parks Research, the average US household has 17 connected devices. While many households are far below or above this number, there is a range that is seen as “normal.” If an IP address has an inordinate number of devices or an atypical diversity of devices, that can be a strong indicator that some type of fraudulent activity is occurring. 

How associated devices impact IP risk scores: The correlation between the number of devices and the likelihood of fraud is too high to ignore; IPs with an inordinate number of devices are marked as riskier.

Network Reputation

Just like IPs, networks have reputations. Some networks are seen as too permissive about the online behavior they allow, while others are known for strict adherence to their conduct policies. A network should be judged based on its geolocation, looking at the network it’s hosted on and assessing its propensity for fraud. This will often have a geographic component; however, there are multiple networks within regions and networks that span several regions.

How network reputation impacts IP risk scores: A network with a bad reputation for fraud will have all of its IP addresses assessed as riskier than those on the average network.

High-Risk Connections

Proxies, VPNs and TOR networks all have legitimate uses. However, bad actors use them for illegitimate activities because they mask a user’s real IP address location, making it safer for them to commit their crimes. Because of this, every IP using a proxy or arriving through a VPN or TOR exit node has an increased fraud score.

Proxies

Proxies are intermediaries between users and the internet, masking the original IP address. They are increasingly used for fraudulent activities, especially residential proxies because those addresses are considered less risky.

Fraud likelihood: High

VPNs (Virtual Private Networks)

VPNs encrypt internet traffic and route it through remote servers, hiding the user’s real IP address and location. This effectively anonymizes a user, giving them the ability to act maliciously and avoid being identified.

Fraud likelihood: Moderate to high

TOR (The Onion Router) Network

TOR routes traffic through multiple volunteer-operated servers, making it extremely difficult to trace the origin of the connection. TOR is often associated with illicit activities due to its strong anonymity features.

Fraud likelihood: Extremely high

How high-risk connections impact IP risk scores: All of these connections are known to be at least somewhat risky and are graded negatively for their safety.

IP Address Type

Similar to the type of connection, the type of IP address can indicate a higher or lower likelihood of fraud and is accounted for in generating an IP score.

Residential IP

Residential IPs are assigned by internet service providers (ISPs) to home users. They are generally considered more legitimate and less likely to be involved in fraudulent activities. However, the rise of residential proxies has increased their potential for misuse.

Fraud likelihood: Low to moderate

Data Center IP

These IPs originate from cloud providers and data centers. Businesses often use them for online operations, but they are also favored by fraudsters and bot attacks because of their accessibility and low cost.

Fraud likelihood: High

Hosting Provider IP

Like data center IPs, hosting provider IPs are associated with web hosting services and used by websites and online applications. In most risk models, fraud scoring may be specific to the reputation of the hosting provider and scrutinized more than residential IP addresses.

Fraud likelihood: Moderate to high

How IP address type impacts IP risk scores: Though residential IPs are getting more and more scrutiny, they are generally seen as safe compared to data centers and hosting providers.

Recent IP Behavior Patterns

How an IP behaves online can be evaluated for patterns consistent with fraudulent activities. User logins, transaction data, protocol uses and data transfer activity can all be signs an IP address may be up to no good. 

  • Logins: Multiple failed logins or successful logins from distant locations in quick succession.
  • Transaction Data: Sudden changes in frequency or volume, transactions from unusual locations, or sequences of small transactions followed by a large one, often indicative of card testing.
  • Protocol Usage: Unexpected use of protocols like SSH from unfamiliar IP addresses, unusual port access attempts, or communication with known malicious IP addresses.
  • Data Transfers: Large data transfers at odd hours or unexpected outbound traffic to unfamiliar destinations.

How IP behavior patterns impact IP risk scores: The more an IP’s behavior varies, the more likely it is to be seen as suspicious.
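Two of the patterns listed above, repeated failed logins and small charges followed by a large one, translate into simple detection rules. This is an added example, not code from the original page or any vendor's product; the record layouts and every threshold (five failures in 300 seconds, charges of 5.00 or less, a 20x jump) are assumptions.

```python
from collections import defaultdict

# Constructed sample records using RFC 5737 documentation addresses.
LOGINS = (  # (ip, unix_ts, success)
    [("203.0.113.5", 1000 + 10 * i, False) for i in range(6)]
    + [("192.0.2.20", 1000, False), ("192.0.2.20", 1030, True)]
)
TXNS = [  # (ip, unix_ts, amount)
    ("203.0.113.9", 100, 1.00), ("203.0.113.9", 160, 1.50),
    ("203.0.113.9", 220, 2.00), ("203.0.113.9", 300, 480.00),
    ("192.0.2.20", 100, 3.50), ("192.0.2.20", 5000, 42.00),
]

def failed_login_bursts(logins, max_fails=5, window=300):
    """Return IPs with at least `max_fails` failed logins within `window` seconds."""
    fails = defaultdict(list)
    for ip, ts, ok in logins:
        if not ok:
            fails[ip].append(ts)
    hits = set()
    for ip, ts in fails.items():
        ts.sort()
        # Check every run of max_fails consecutive failures for its time span.
        for i in range(len(ts) - max_fails + 1):
            if ts[i + max_fails - 1] - ts[i] <= window:
                hits.add(ip)
                break
    return hits

def card_testing(txns, small=5.00, min_small=3, jump=20):
    """Return IPs where a run of small charges is followed by a much larger one."""
    by_ip = defaultdict(list)
    for ip, _ts, amount in sorted(txns, key=lambda t: t[1]):
        by_ip[ip].append(amount)
    hits = set()
    for ip, amounts in by_ip.items():
        run = []  # consecutive small charges seen so far
        for amount in amounts:
            if amount <= small:
                run.append(amount)
                continue
            if len(run) >= min_small and amount >= jump * max(run):
                hits.add(ip)
            run = []
    return hits

if __name__ == "__main__":
    print(failed_login_bursts(LOGINS), card_testing(TXNS))
```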
