Introducing the Abuser Score
Published: January 30, 2024
Last Modified: February 02, 2024
New Feature Abuser Score Threat Intelligence

Introducing the Abuser Score for Organizations and ASNs

This blog post covers the newly added abuser_score API field. The abuser_score can be found in both the company and asn objects and gives a very good estimation of the overall reputation of a network belonging to an organization (company) or an ASN.

If you quickly want to see the most abusive networks and ASNs on the Internet, visit the Most Abusive Networks page or the Most Abusive ASNs page. Those pages are constantly updated with the most abusive networks/ASNs on the Internet!

Back to the blog article.

For example, when looking up the IP address 5.181.168.0 with the API call api.ipapi.is/?q=5.181.168.0, the following (shortened) output is obtained (As of February 1st, 2024): 

{
  "ip": "5.181.168.0",
  "rir": "RIPE",
  "is_bogon": false,
  "is_mobile": false,
  "is_crawler": false,
  "is_datacenter": true,
  "is_tor": false,
  "is_proxy": false,
  "is_vpn": true,
  "is_abuser": false,
  "company": {
    "name": "FINE GROUP SERVERS SOLUTIONS LLC",
    "abuser_score": "0.4883 (Very High)",
    "domain": "finegroupservers.com",
    "type": "hosting",
    "network": "5.181.168.0 - 5.181.168.255"
  },
  "asn": {
    "asn": 14576,
    "abuser_score": "0.2959 (Very High)",
    "route": "5.181.168.0/24",
    "descr": "HOSTING-SOLUTIONS, US",
    "country": "us",
    "active": true,
    "org": "Hosting Solution Ltd.",
    "domain": "kingservers.com",
    "abuse": "abuse@king-servers.com",
    "type": "hosting",
    "rir": "ARIN"
  },
  // [...snipped...]
}

As illustrated by the API output above, there is a new field called abuser_score, present in both the company and asn objects. What does this field mean?

The abuser_score field is formatted as "0.4883 (Very High)". The first part, a floating-point number (0.4883), represents the proportion of abusive IP addresses in either the company network or the ASN. It is computed as follows, depending on whether the abuser_score is in the company or asn object:

  • company.abuser_score - Number of Abusive IPs / Total Number of IPs in the Organization's Network (company)
  • asn.abuser_score - Number of Abusive IPs / Total Number of IPs in all IPv4 Routes of the ASN

The second part of the field is an informal description (Very High). It provides an evaluative summary of the abuser score. The following score classifications are currently used:

  • Very High - More than 20% of all IPs are abusive
  • High - Between 3% and 20% of all IPs are abusive
  • Elevated - Between 0.85% and 3% of all IPs are abusive
  • Low - Between 0.85% and 0.05% of all IPs are abusive
  • Very Low - Less than 0.05% of all IPs are abusive

Unfortunately, the abuser_score field is not easily parsable by machines. However, the additional benefit of having an informal abuser score description outweighs the negatives of having to parse the abuser_score field with more effort.

How to leverage the abuser_score in your product?

What is the actual tangible benefit of the abuser_score?

As the example above with the IP 5.181.168.0 shows, the IP itself is not classified as is_abuser ("is_abuser": false).

However, the network to which this IP address belongs, "network": "5.181.168.0 - 5.181.168.255", has an abuser_score of 0.4883 (Very High). This indicates that nearly half of the 255 IP addresses in this network are abusive (48.83%).

Therefore, even though the IP address 5.181.168.0 is not directly classified as an abuser, it is likely to be used abusively in the near future, given the high number of abusers in its parent network. In other words, the abuser_score is a useful tool for interpolating the overall reputation of a network or ASN.

A prudent action would be to apply the same measures to the IP 5.181.168.0 as if it were a direct abuser. Put differently:

Put differently: The abuser_score is a helpful metric to have an holistic view into the reputation of an network or ASN.