Fraud Prevention

IP Risk Scoring: Turning 40+ Fraud Signals Into One Decision-Ready Number

GeoIPHub Team · 6 min read

Your checkout service has about 50 milliseconds to decide whether a request is a customer or an attack. It cannot read a threat-intel report. It needs a number and a threshold: below 30, proceed; above 80, block; in between, challenge.

That is the entire job of an IP risk score. But compressing reality into one integer is dangerous when it is done opaquely — so this post walks through how the compression actually works: which signals feed the score, how they are weighted, and how to pick thresholds that fit your product.

The Five Signal Groups

The 40+ signals behind the score cluster into five groups. Each group answers a different question about the IP in front of you.

Signal group | Question it answers | Example signals
Anonymization | Is the user hiding their network identity? | is_vpn, is_proxy, is_residential_proxy, is_tor, provider attribution
Infrastructure | Is this a machine pretending to be a person? | datacenter ASN, hosting ranges, server port fingerprints, crawler identity
Abuse history | Has this IP misbehaved recently? | blocklist presence, spam reports, attack-source feeds, abuse-report recency
Location integrity | Does the geography make sense? | registry vs. observed location mismatch, latency triangulation, impossible-travel priors
Network behavior | Does the traffic pattern fit the IP type? | session diversity, churn rate, mobile-carrier anomalies, new-IP age

The grouping matters because signals within a group are correlated, and signals across groups are not. An IP that is a VPN and on a datacenter ASN is mostly one fact expressed twice. An IP that is a VPN and on three abuse blocklists and geolocating inconsistently is three independent reasons to worry — and the score should rise much faster.

Weighting: Not All Signals Are Equal

A naive score adds a fixed penalty per flag. That fails in both directions: it over-punishes privacy-conscious VPN users and under-punishes fresh attack infrastructure that is not on any list yet.

Production scoring uses weights shaped by base rates — how often each signal appears in fraudulent versus legitimate traffic:

  • Tor exit node carries a heavy weight. The legitimate-use base rate on commercial flows is tiny.
  • Residential proxy carries an even heavier weight. There is essentially no privacy use case for renting someone's home IP.
  • Consumer VPN alone carries a modest weight. Millions of legitimate users browse through VPNs every day.
  • Datacenter ASN is moderate alone, but multiplies when combined with anonymization, because a real person almost never originates traffic from a cloud server.
  • Blocklist presence decays with time — a report from yesterday matters far more than one from last quarter.

Corroboration is the second half: independent groups firing together push the score super-linearly, while a lone medium signal keeps the score in the gray zone where it belongs.
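As an added example, not GeoIPHub's scoring code, here is a small Python model of the mechanics described in this section and the previous one: the five-group mapping from the table above, base-rate weights ordered as the bullets describe, time-decayed abuse evidence, the datacenter-plus-anonymization multiplier, and a super-linear bonus for corroboration across independent groups. Every weight, half-life, multiplier and bonus is an assumed illustrative value rather than a calibration, and the function and constant names are likewise assumptions.

```python
"""Illustrative IP risk scorer built on the article's five signal groups.

Added example, not GeoIPHub's scoring code. The grouping follows the
table above; every weight, half-life, multiplier and bonus below is an
assumption chosen to show the mechanics, not a production calibration.
"""

# Which group each signal belongs to (assumed mapping, per the table above).
GROUP_OF = {
    "is_tor": "anonymization",
    "is_residential_proxy": "anonymization",
    "is_proxy": "anonymization",
    "is_vpn": "anonymization",
    "is_datacenter": "infrastructure",
    "abuse_reports_recent": "abuse_history",
    "geo_registry_mismatch": "location_integrity",
    "new_ip_age": "network_behavior",
}

# Assumed base-rate weights: points a flag contributes when it fires alone.
# Ordering follows the article (residential proxy > Tor > proxy > VPN).
WEIGHT = {
    "is_residential_proxy": 60,
    "is_tor": 50,
    "is_proxy": 30,
    "is_vpn": 20,
    "is_datacenter": 12,
    "geo_registry_mismatch": 12,
    "new_ip_age": 10,
}
ABUSE_MAX = 20                    # assumed cap for the abuse-history group
ABUSE_HALF_LIFE_DAYS = 14.0       # assumed: a report's weight halves every 14 days
DATACENTER_ANON_MULTIPLIER = 1.5  # assumed: cloud server plus anonymization
CORROBORATION_BONUS = 5           # assumed: points per extra independent group


def abuse_weight(report_ages_days):
    """Time-decayed abuse evidence: yesterday's report counts far more than
    last quarter's. Decayed reports are summed and capped so sheer volume
    cannot dominate the score."""
    total = sum(ABUSE_MAX * 0.5 ** (age / ABUSE_HALF_LIFE_DAYS)
                for age in report_ages_days)
    return min(total, ABUSE_MAX)


def score(signals, abuse_report_ages=()):
    """Return (risk_score 0-100, sorted list of contributing factor names).

    signals: dict of flag name -> bool (e.g. {"is_vpn": True}).
    abuse_report_ages: ages in days of recent abuse reports. This is a
    constructed input for the example; the real API returns a count.
    """
    fired = {name: WEIGHT[name] for name, on in signals.items()
             if on and name in WEIGHT}
    abuse = abuse_weight(abuse_report_ages)
    if abuse > 0:
        fired["abuse_reports_recent"] = abuse

    # Signals inside one group are correlated ("one fact expressed twice"),
    # so a group contributes its strongest member, not the sum.
    per_group = {}
    for name, weight in fired.items():
        group = GROUP_OF[name]
        per_group[group] = max(per_group.get(group, 0), weight)

    # Datacenter ASN is moderate alone but multiplies with anonymization.
    if "infrastructure" in per_group and "anonymization" in per_group:
        per_group["infrastructure"] *= DATACENTER_ANON_MULTIPLIER

    # Groups are independent, so they add; corroboration across several
    # groups earns a super-linear bonus, while a lone flag stays put.
    total = sum(per_group.values())
    total += CORROBORATION_BONUS * max(0, len(per_group) - 1)
    return min(100, int(round(total))), sorted(fired)


if __name__ == "__main__":
    # Constructed inputs: four groups firing, then two, then one.
    full = {"is_vpn": True, "is_datacenter": True, "geo_registry_mismatch": True}
    print(score(full, abuse_report_ages=[1, 6, 14, 27]))   # block territory
    print(score({"is_vpn": True, "is_datacenter": True}))  # challenge band
    print(score({"is_vpn": True}))                         # lone modest flag
```

With these assumed weights a lone VPN flag scores 20, VPN on a datacenter ASN lands at 43, and VPN plus datacenter plus fresh abuse reports plus a geo mismatch reaches 85. Two flags inside the same group (is_vpn and is_proxy together) contribute only the stronger one, which is the within-group correlation rule expressed in code, and a ninety-day-old abuse report contributes well under one point after decay.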

What the Response Looks Like

A score you cannot explain is a score you cannot defend in a chargeback dispute or a support escalation. Every GeoIPHub lookup therefore returns the verdicts, the score, and the named evidence together:

GeoIPHub API request:

curl "https://api.geoiphub.com/v1/lookup?ip=102.129.235.17" \
  -H "Authorization: Bearer YOUR_API_KEY"

GeoIPHub API response:

{
  "ip": "102.129.235.17",
  "country": "ZA",
  "city": "Johannesburg",
  "asn": 62240,
  "asn_org": "Clouvider Ltd",
  "is_datacenter": true,
  "is_vpn": true,
  "vpn_provider": "PrivateVPN",
  "is_proxy": false,
  "is_residential_proxy": false,
  "is_tor": false,
  "abuse_reports_30d": 4,
  "risk_score": 81,
  "risk_factors": [
    "vpn_verified_by_handshake",
    "datacenter_asn",
    "abuse_reports_recent",
    "geo_registry_mismatch"
  ]
}

Four named factors, spanning four of the five signal groups (anonymization, infrastructure, abuse history, location integrity), produce a score of 81: block territory for most checkout flows. The same VPN flag without the abuse history and geo mismatch would have landed in the 40s: challenge, not block.

Turning Scores Into Decisions

Thresholds are product decisions, not data decisions. The score tells you how suspicious the network is; your thresholds encode how much friction your business can afford. A sensible starting matrix:

Three rules of thumb when tuning:

  1. Tune per flow, not per site. A withdrawal endpoint deserves a lower block threshold than a newsletter signup.
  2. Measure your false-positive rate before tightening. Sample challenged users who completed verification — if 95% pass, your challenge band is well placed; if 99.9% pass, you are burning conversion for nothing.
  3. Never hard-code score semantics into multiple services. Centralize the threshold logic so you can move cut-offs during an attack without redeploying everything.

Common Mistakes

  • Blocking on is_vpn alone. You will lose real customers and barely inconvenience fraudsters, who will rotate to residential proxies anyway.
  • Treating the score as static. Scores move as evidence changes. Cache briefly (minutes to hours), not for days.
  • Ignoring the risk factors array. The factors are your audit trail and your tuning interface. If geo_registry_mismatch triggers a flood of false positives for one mobile carrier, you can compensate downstream without abandoning the score.
  • Scoring after the decision. Risk lookups belong before account creation and before payment authorization. Retroactive scoring only tells you how you were robbed.
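The following is an added example, not GeoIPHub client code, of what centralizing the threshold logic looks like in practice. It covers the three tuning rules above together with the caching and risk-factor advice in the Common Mistakes list: one policy table holds per-flow cut-offs, a compensation table discounts a named factor for one network, and a short-TTL cache keeps scores from going stale. The response it parses is the one shown earlier on this page; the per-flow thresholds, the placeholder carrier ASN 99999 used in the compensation rule, the ten-minute TTL and every function name are assumptions.

```python
"""Centralized policy that turns a lookup response into allow / challenge / block.

Added example, not GeoIPHub client code. SAMPLE_RESPONSE copies the
response shown on this page; the per-flow thresholds, the placeholder
carrier ASN in FACTOR_DISCOUNTS and the cache TTL are assumptions.
"""
import json
import time

# Threshold semantics live in one place. Services call decide(); none of
# them compares against 80 on its own, so cut-offs can be moved during an
# attack without redeploying every service. Values are assumed starters.
FLOW_THRESHOLDS = {
    # flow:             (challenge_at, block_at)
    "newsletter_signup": (60, 90),
    "signup":            (50, 80),
    "login":             (50, 80),
    "checkout":          (30, 80),   # the 30 / 80 split from the opening paragraph
    "withdrawal":        (20, 60),   # money out: block earlier
}

# Downstream compensation keyed on the named risk factors. If one factor is
# known to misfire for one network, subtract its share for that ASN instead
# of abandoning the score. ASN 99999 is a placeholder, not a real carrier.
FACTOR_DISCOUNTS = {
    ("geo_registry_mismatch", 99999): 15,
}


def adjusted_score(resp):
    """Apply factor-level compensation, clamped back to the 0-100 range."""
    score = resp["risk_score"]
    for factor in resp.get("risk_factors", []):
        score -= FACTOR_DISCOUNTS.get((factor, resp.get("asn")), 0)
    return max(0, min(100, score))


def decide(resp, flow):
    """Return "allow", "challenge" or "block" for a lookup response and a flow.

    An unknown flow raises KeyError on purpose: a caller that has not been
    given thresholds should fail loudly rather than silently allow.
    """
    challenge_at, block_at = FLOW_THRESHOLDS[flow]
    score = adjusted_score(resp)
    if score >= block_at:
        return "block"
    if score >= challenge_at:
        return "challenge"
    return "allow"


class ScoreCache:
    """Per-IP cache with a short TTL. Scores move as evidence changes, so
    the default is ten minutes, not days. The clock is injectable so the
    expiry behaviour can be tested without sleeping."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store = {}

    def get(self, ip):
        entry = self._store.get(ip)
        if entry is None:
            return None
        resp, expires_at = entry
        if self.clock() >= expires_at:
            del self._store[ip]
            return None
        return resp

    def put(self, ip, resp):
        self._store[ip] = (resp, self.clock() + self.ttl)


# The response shown on this page, parsed as a client would receive it.
SAMPLE_RESPONSE = json.loads("""
{ "ip": "102.129.235.17", "country": "ZA", "city": "Johannesburg",
  "asn": 62240, "asn_org": "Clouvider Ltd", "is_datacenter": true,
  "is_vpn": true, "vpn_provider": "PrivateVPN", "is_proxy": false,
  "is_residential_proxy": false, "is_tor": false, "abuse_reports_30d": 4,
  "risk_score": 81,
  "risk_factors": [ "vpn_verified_by_handshake", "datacenter_asn",
                    "abuse_reports_recent", "geo_registry_mismatch" ] }
""")

if __name__ == "__main__":
    for flow in ("checkout", "withdrawal", "newsletter_signup"):
        print(flow, decide(SAMPLE_RESPONSE, flow))
```

The same 81 blocks a checkout and a withdrawal but only challenges a newsletter signup, which is rule 1 (tune per flow). Moving a cut-off means editing FLOW_THRESHOLDS in one service, which is rule 3. If geo_registry_mismatch turns out to misfire for the placeholder carrier, the discount drops that IP's effective score to 66, so checkout challenges instead of blocking while withdrawal still blocks, and the raw score and factor list from the API are untouched for audit.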

Where to Start

The cheapest way to evaluate any scoring system is to run your own traffic through it and look at the distribution. Pull a day of signups, score the IPs, and check two things: do your known-bad cases land above 80, and does your paying-customer population land below 50?
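As an added example, not GeoIPHub tooling, this Python script runs that distribution check over a constructed, labelled sample and then sweeps candidate block thresholds so the trade-off between catching known-bad IPs and blocking paying customers is visible in one table. The sample rows, their labels and the function names are all assumptions; in practice the scores come from a day of signups run through the API and the labels from chargebacks, confirmed abuse and paying customers.

```python
"""Score-distribution check for a day of your own traffic.

Added example, not GeoIPHub tooling. SAMPLE_ROWS is constructed; real
rows come from scoring a day of signups and labelling them afterwards.
"""

# Constructed rows: (ip, risk_score, label). Labels: "bad" = known fraud,
# "good" = paying customer. IPs are documentation-range placeholders.
SAMPLE_ROWS = [
    ("203.0.113.5", 5, "good"), ("203.0.113.6", 12, "good"),
    ("203.0.113.7", 18, "good"), ("203.0.113.8", 22, "good"),
    ("203.0.113.9", 27, "good"), ("203.0.113.10", 35, "good"),
    ("203.0.113.11", 41, "good"), ("203.0.113.12", 48, "good"),
    ("203.0.113.13", 55, "good"), ("203.0.113.14", 63, "good"),
    ("198.51.100.1", 96, "bad"), ("198.51.100.2", 88, "bad"),
    ("198.51.100.3", 83, "bad"), ("198.51.100.4", 81, "bad"),
    ("198.51.100.5", 74, "bad"), ("198.51.100.6", 62, "bad"),
]


def band(score, challenge_at, block_at):
    """Map a score to the decision band the thresholds would put it in."""
    if score >= block_at:
        return "block"
    if score >= challenge_at:
        return "challenge"
    return "allow"


def evaluate(rows, challenge_at=50, block_at=80):
    """The two checks the article asks for (known-bad at or above the block
    line, paying customers below the challenge line) plus the share of good
    users who would be challenged or blocked, i.e. the conversion cost.
    Returns fractions in [0, 1]; an empty class yields 0.0."""
    bad = [s for _, s, label in rows if label == "bad"]
    good = [s for _, s, label in rows if label == "good"]

    def share(scores, wanted):
        if not scores:
            return 0.0
        hits = sum(band(s, challenge_at, block_at) == wanted for s in scores)
        return hits / len(scores)

    return {
        "bad_blocked": share(bad, "block"),
        "good_allowed": share(good, "allow"),
        "good_challenged": share(good, "challenge"),
        "good_blocked": share(good, "block"),
    }


def sweep_block_threshold(rows, candidates=(60, 70, 80, 90), challenge_at=50):
    """Trade-off table: for each candidate block threshold, the share of
    known-bad blocked against the share of paying customers blocked."""
    table = []
    for block_at in candidates:
        result = evaluate(rows, challenge_at, block_at)
        table.append((block_at, result["bad_blocked"], result["good_blocked"]))
    return table


if __name__ == "__main__":
    print(evaluate(SAMPLE_ROWS))
    for block_at, bad_blocked, good_blocked in sweep_block_threshold(SAMPLE_ROWS):
        print(f"block_at={block_at}: bad blocked {bad_blocked:.0%}, "
              f"good blocked {good_blocked:.0%}")
```

On the constructed sample, the default 50/80 split blocks four of the six known-bad IPs, lets eight of ten paying customers through untouched and challenges the other two; lowering the block line to 60 catches all six but starts blocking a paying customer, which is the conversion cost the second rule of thumb tells you to measure before tightening.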

You can check individual addresses right now with the free IP fraud score checker, or grab an API key and score 2,000 IPs a day on the free tier — every one of the 80 response fields included.

Start Scoring Every IP in Real Time

GeoIPHub gives fraud, security, and engineering teams a single API for IP geolocation, VPN & proxy detection, threat intelligence, and an explainable 0–100 risk score.

  • Complete response on every lookup
  • VPN, proxy, residential-proxy & Tor detection
  • Explainable 0–100 IP risk score
  • Free tier with 1,500 requests/day


Frequently Asked Questions

What is a good risk score threshold for blocking?

Most teams block at 80+ and challenge (step-up verification) between 50 and 79. The right cut-off depends on your fraud cost versus friction cost — a bank should challenge earlier than a content site. Start conservative, measure false positives, then tighten.

Why is an explainable score better than a black-box one?

Because every blocked user is a potential support ticket, chargeback dispute, or compliance question. When the score ships with its contributing signals, you can answer why a decision happened, compensate for an individual factor downstream when it misfires, and audit the system instead of trusting it blindly.

Should I score every request or only risky flows?

Score at decision points: signup, login, checkout, withdrawal, and content submission. Scoring every pageview adds cost without adding decisions. Caching scores per IP for a short TTL keeps both latency and spend low.

Does a low risk score mean the user is safe?

It means the network the request came from shows no anonymization, abuse history, or infrastructure red flags. IP intelligence is one layer — combine it with device, behavioral, and payment signals for full coverage.

How often do risk scores change for the same IP?

Whenever the underlying evidence changes: an IP joins a proxy network, lands on a blocklist, or a VPN provider deploys a new server. Continuously refreshed signals mean scores can move within hours, which is exactly what you want during an active attack.