The following definitions explain each of the IP Address Abuse Feed's data points:
Field | Description | Possible Value
--- | --- | ---
ip | The abusive IP address. | string
isp | ISP if one is known. Otherwise "N/A". | string
organization | Organization if one is known. Can be parent company or sub company of the listed ISP. Otherwise "N/A". | string
hostname | The hostname of the abusive IP address. | string
country | Two-character country code of IP address or "N/A" if unknown. | string
city | City of IP address if available or "N/A" if unknown. | string
region | Region (state) of IP address if available or "N/A" if unknown. | string
timezone | Timezone of IP address if available or "N/A" if unknown. | string
zipcode | Postal code of IP address if available or "N/A" if unknown. IP addresses can relate to multiple postal codes in a city, so we recommend performing analysis of similar postal codes nearby. | string
asn | Autonomous System Number if one is known. Null if nonexistent. | string
latitude | Latitude of IP address if available or null if unknown. | float
longitude | Longitude of IP address if available or null if unknown. | float
is_crawler | Is this IP associated with being a confirmed crawler from any of the following search engines, based on hostname or IP address verification: Baidu, Google, Bing, Yahoo, Yandex, Sogou, Exabot, DuckDuckGo, Facebook, Twitter, Pinterest, Naver, UptimeRobot, AppleBot, ArchiveBot, CoccocBot, YisouBot, PetalBot, ByteDance, and MailRU? | boolean
connection_type | Classification of the IP address connection type as "Residential", "Corporate", "Education", "Mobile", or "Data Center". | string
is_bot | Indicates if bots or non-human traffic has recently used this IP address to engage in automated fraudulent behavior. Provides stronger confidence that the IP address is suspicious. | boolean
recent_abuse | This value will indicate if there has been any recently verified abuse across our network for this IP address. Abuse could be a confirmed chargeback, account takeover attack, compromised device, fake application or registration, digital impersonation (stolen user data), bot attack, or similar malicious behavior within the past few days. | boolean
is_proxy | Is the IP suspected of being from a proxy network? | boolean
is_vpn | Is this IP suspected of being a VPN connection? This can include data center ranges which can become active VPNs at any time. The "proxy" status will always be true when this value is true. | boolean
is_tor | Is this IP suspected of being a TOR connection? This can include previously active TOR nodes and exits which can become active TOR exits at any time. The "proxy" status will always be true when this value is true. | boolean
active_vpn | Identifies active VPN connections used by popular VPN services and private VPN servers. | boolean
active_tor | Identifies active TOR exits on the TOR network. | boolean
public_access_point | Identifies public access points, such as airports and public buildings. These access points typically have higher abuse rates and low security protocols. | boolean
abuse_velocity | How frequently the IP address is engaging in abuse across the IPQS threat network. Values can be "high", "medium", "low", or "none". Can be used in combination with the Fraud Score to identify bad behavior. | string
frequent_abuser | Enterprise Data Point — Identifies IP addresses with a consistent history of abusive behavior across 6 months or more. This data point can be helpful in identifying anonymous IP addresses which are frequently used for malicious behavior, compared to an IP address that may be briefly compromised by malware and only temporarily active in a botnet or residential proxy network. | boolean
dynamic_ip | Enterprise Data Point — Indicates IP addresses with dynamic assignment protocols, which means that a user on this IP address will likely be assigned a different IP address by this provider in the near future. | boolean
shared_ip | Enterprise Data Point — Designates IP addresses which are likely to have more than a few users active on the IP address at the same time, such as mobile networks, corporate exit points, and similar connections. This can also include libraries, coffee shops, hotel lobbies, dormitories, hospitals and medical centers, company VPNs, etc. | boolean
abuse_events | An object containing events associated with this IP address that were detected to be abusive. |
fraud_score | The overall fraud score of the user based on the IP, user agent, language, and any other optionally passed variables. Fraud Scores >= 75 are suspicious, but not necessarily fraudulent. We recommend flagging or blocking traffic with Fraud Scores >= 90, but you may find it beneficial to use a higher or lower threshold. | float
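
The following added example (not IPQS code) shows one way a consumer could turn feed records into allow, challenge, block, or review decisions using the fields and thresholds defined above. The function names, the decision policy, and the sample records are assumptions made for illustration; only the field names, the "N/A"/null sentinels, the 75 and 90 thresholds, and the is_vpn/is_tor implies is_proxy rule come from the table.

```python
# Constructed sample records: field names are from the table, values are invented
# (documentation-range IPs). Enterprise fields may be absent in a real feed.
BASE = {"is_crawler": False, "is_proxy": False, "is_vpn": False, "is_tor": False,
        "recent_abuse": False, "abuse_velocity": "none", "shared_ip": False,
        "dynamic_ip": False, "country": "N/A", "asn": None}
SAMPLE_FEED = [
    dict(BASE, ip="192.0.2.10", fraud_score=96.0, is_proxy=True, is_vpn=True,
         abuse_velocity="high"),
    dict(BASE, ip="192.0.2.20", fraud_score=92.0, shared_ip=True, recent_abuse=True),
    dict(BASE, ip="192.0.2.30", fraud_score=80.0, dynamic_ip=True),
    dict(BASE, ip="192.0.2.40", fraud_score=78.0, is_crawler=True),
    dict(BASE, ip="192.0.2.50", fraud_score=85.0, is_tor=True),  # breaks the proxy rule
]

SUSPICIOUS, BLOCK = 75.0, 90.0  # thresholds stated in the fraud_score row


def normalize(rec):
    """Fold the "N/A" string sentinel into None, matching the null used by asn/latitude."""
    return {k: (None if v == "N/A" else v) for k, v in rec.items()}


def triage(rec):
    """Return (action, reasons). The policy is this example's assumption, not the vendor's."""
    r = normalize(rec)
    # Documented rule: is_vpn or is_tor being true implies is_proxy is true.
    broken = [f for f in ("is_vpn", "is_tor") if r.get(f) and not r.get("is_proxy")]
    if broken:
        return "review", [f"{f} set without is_proxy" for f in broken]
    if r.get("is_crawler"):
        return "allow", ["confirmed crawler"]
    score = r.get("fraud_score") or 0.0
    if score >= BLOCK:
        # A hard block on a shared or dynamic address also hits unrelated users.
        if r.get("shared_ip") or r.get("dynamic_ip"):
            return "challenge", ["score >= 90 on shared/dynamic IP"]
        return "block", ["score >= 90"]
    if score >= SUSPICIOUS or r.get("recent_abuse") or r.get("abuse_velocity") == "high":
        return "challenge", ["suspicious signals"]
    return "allow", []


def triage_feed(feed):
    """Map each record's ip to its action."""
    return {rec["ip"]: triage(rec)[0] for rec in feed}


if __name__ == "__main__":
    for ip, action in triage_feed(SAMPLE_FEED).items():
        print(ip, action)
```

Records that fail the consistency check go to "review" rather than being scored, so a malformed or truncated feed row is not silently treated as clean.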