Published: January 30, 2024
Last Modified: July 04, 2024
New Feature
Abuser Score
Threat Intelligence
Introducing the Abuser Score for Organizations and ASNs
This blog post covers the newly added abuser_score API field. The abuser_score can be found in both the company and asn objects and gives a very good estimation of the overall reputation of a network belonging to an organization (company) or an ASN.
If you quickly want to see the most abusive networks and ASNs on the Internet, visit the
Most Abusive Networks page or the
Most Abusive ASNs page. Those pages are constantly updated with the
most abusive networks/ASNs on the Internet!
Back to the blog article.
For example, when looking up the IP address 5.181.168.0 with the API call api.ipapi.is/?q=5.181.168.0, the following (shortened) output is obtained (as of February 1st, 2024):
{
  "ip": "5.181.168.0",
  "rir": "RIPE",
  "is_bogon": false,
  "is_mobile": false,
  "is_crawler": false,
  "is_datacenter": true,
  "is_tor": false,
  "is_proxy": false,
  "is_vpn": true,
  "is_abuser": false,
  "company": {
    "name": "FINE GROUP SERVERS SOLUTIONS LLC",
    "abuser_score": "0.4883 (Very High)",
    "domain": "finegroupservers.com",
    "type": "hosting",
    "network": "5.181.168.0 - 5.181.168.255"
  },
  "asn": {
    "asn": 14576,
    "abuser_score": "0.2959 (Very High)",
    "route": "5.181.168.0/24",
    "descr": "HOSTING-SOLUTIONS, US",
    "country": "us",
    "active": true,
    "org": "Hosting Solution Ltd.",
    "domain": "kingservers.com",
    "abuse": "abuse@king-servers.com",
    "type": "hosting",
    "rir": "ARIN"
  },
  // [...snipped...]
}
As illustrated by the API output above, there is a new field called abuser_score, present in both the company and asn objects. What does this field mean?
The abuser_score field is formatted as "0.4883 (Very High)". The first part, a floating-point number (0.4883), represents the proportion of abusive IP addresses in either the company network or the ASN. It is computed as follows, depending on whether the abuser_score is in the company or asn object:
- company.abuser_score - Number of Abusive IPs / Total Number of IPs in the Organization's Network (company)
- asn.abuser_score - Number of Abusive IPs / Total Number of IPs in all IPv4 Routes of the ASN
The second part of the field is an informal description (Very High). It provides an evaluative summary of the abuser score. The following score classifications are currently used:
- Very High - More than 20% of all IPs are abusive
- High - Between 3% and 20% of all IPs are abusive
- Elevated - Between 0.85% and 3% of all IPs are abusive
- Low - Between 0.85% and 0.05% of all IPs are abusive
- Very Low - Less than 0.05% of all IPs are abusive
Unfortunately, the abuser_score field is not easily parsable by machines. However, the additional benefit of having an informal abuser score description outweighs the negatives of having to parse the abuser_score field with more effort.
How to leverage the abuser_score in your product?
What is the actual tangible benefit of the abuser_score?
As the example above with the IP 5.181.168.0 shows, the IP itself is not classified as is_abuser ("is_abuser": false). However, the network to which this IP address belongs, "network": "5.181.168.0 - 5.181.168.255", has an abuser_score of 0.4883 (Very High). This indicates that nearly half of the 255 IP addresses in this network are abusive (48.83%).
Therefore, even though the IP address 5.181.168.0 is not directly classified as an abuser, it is likely to be used abusively in the near future, given the high number of abusers in its parent network. In other words, the abuser_score is a useful tool for interpolating the overall reputation of a network or ASN.
A prudent action would be to apply the same measures to the IP 5.181.168.0 as if the IP were a direct abuser.
Put differently: the abuser_score is a helpful metric for gaining a holistic view of the reputation of a network or ASN rather than relying solely on single IP addresses. This of course comes with a small risk of false positives, but the benefits of having a more comprehensive view into the reputation of a network outweigh the negatives.
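One way to parse the "0.4883 (Very High)" format and apply the "treat the IP like its network" rule described above. This is an added example, not code from ipapi.is. The function names parse_abuser_score and network_verdict and the min_label threshold are hypothetical, and SAMPLE is a constructed subset of the response shown in this post.

```python
import re

# The five labels the post lists, ordered from best to worst reputation.
LABELS = ["Very Low", "Low", "Elevated", "High", "Very High"]
_SCORE_RE = re.compile(r"^\s*([0-9]*\.?[0-9]+)\s*\(([^)]+)\)\s*$")

def parse_abuser_score(value):
    """Split '0.4883 (Very High)' into (0.4883, 'Very High'); None if malformed."""
    if not isinstance(value, str):
        return None
    m = _SCORE_RE.match(value)
    if not m:
        return None
    ratio, label = float(m.group(1)), m.group(2).strip()
    # Assumption: a ratio outside 0..1 or a label not listed in the post is
    # treated as malformed, so a format change shows up instead of passing silently.
    if not 0.0 <= ratio <= 1.0 or label not in LABELS:
        return None
    return ratio, label

def network_verdict(record, min_label="Very High"):
    """Return (flagged, reasons). Flag the IP if it is a direct abuser or if
    its company network or ASN is rated at or above min_label (an assumption)."""
    reasons = []
    if record.get("is_abuser") is True:
        reasons.append("ip.is_abuser")
    threshold = LABELS.index(min_label)
    for key in ("company", "asn"):
        parsed = parse_abuser_score((record.get(key) or {}).get("abuser_score"))
        if parsed and LABELS.index(parsed[1]) >= threshold:
            reasons.append(f"{key}.abuser_score={parsed[0]:.4f} ({parsed[1]})")
    return bool(reasons), reasons

# Constructed sample: a subset of the API response shown in the post.
SAMPLE = {
    "ip": "5.181.168.0",
    "is_abuser": False,
    "company": {"abuser_score": "0.4883 (Very High)"},
    "asn": {"abuser_score": "0.2959 (Very High)"},
}

if __name__ == "__main__":
    flagged, reasons = network_verdict(SAMPLE)
    print(SAMPLE["ip"], "flagged" if flagged else "clean", reasons)
```

Lowering min_label to "High" or "Elevated" catches more networks at the cost of more false positives, the trade-off the post mentions.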