IP Intelligence: How to Detect VPNs, Proxies, and Tor at Signup

IP intelligence is the process of analysing an IP address to determine its geolocation, ISP, connection type, and whether it belongs to a VPN, proxy, Tor exit node, or data center. For fraud detection, IP analysis reveals when users are hiding their real location — one of the most common behaviors associated with account fraud, payment fraud, and multi-account abuse.

What IP Intelligence Reveals

Every IP address carries metadata that tells you about the user's connection:

When Anonymisation Is a Fraud Signal

Not every VPN user is a fraudster. Privacy-conscious users, corporate employees, and people in restrictive regions all use VPNs legitimately. The key is context:

High risk (multiple signals):

• VPN + disposable email + new account = likely fraud
• Tor + mismatched billing country + high-value purchase = likely fraud
• Data center IP + automated signup pattern + free tier = likely bot

Low risk (VPN alone):

• VPN + legitimate email + established account = likely privacy-conscious user
• VPN + corporate domain email = likely employee on company VPN
• VPN + mobile device + residential patterns = likely personal privacy

The rule is simple: never block on a single signal. Always combine IP intelligence with email validation and behavioral data.

Implementation

Basic IP Check

curl -X POST https://api.fidro.io/v1/validate/email \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{"email": "user@example.com", "ip": "203.0.113.42"}'

The response includes IP intelligence alongside email validation:

{
  "email": "user@example.com",
  "disposable": false,
  "risk_score": 0.45,
  "ip": {
    "address": "203.0.113.42",
    "country": "DE",
    "city": "Berlin",
    "isp": "Example ISP",
    "vpn": true,
    "proxy": false,
    "tor": false,
    "hosting": false
  }
}

Geographic Mismatch Detection

One of the most powerful fraud signals is a mismatch between the user's IP country and their billing country:

const validation = await fidro.validate(email, ip);

const billingCountry = order.billing_address.country;
const ipCountry = validation.ip.country;

if (billingCountry !== ipCountry && validation.ip.vpn) {
  // High risk: VPN + country mismatch
  flagForReview(order);
}

This pattern catches a large percentage of payment fraud while generating very few false positives.

Building a Composite Risk Score

Rather than acting on individual signals, combine them into a weighted risk score:

A user with a VPN alone scores 0.15 — well below any blocking threshold. A user with a VPN + disposable email + country mismatch scores 0.8 — clearly suspicious.

Fidro calculates this composite score automatically, weighting all available signals into a single risk_score field.

Handling Edge Cases

Corporate VPNs

Employees at large companies often route all traffic through a corporate VPN. The IP will show as a VPN, but the email will have a legitimate corporate domain. Solution: if the email domain matches a known company and is not disposable, reduce the VPN signal weight.

Mobile Carriers

Some mobile carriers use IP ranges that look like VPNs or proxies. Fidro accounts for this by classifying mobile carrier IPs separately from commercial VPN providers.

Shared IPs

University networks, co-working spaces, and apartment complexes share IP addresses. Multiple signups from the same IP are not necessarily fraud. Use IP as a flagging signal rather than a blocking signal for account creation.

Getting Started

1. Add the ip parameter to your existing Fidro API calls
2. Log the IP intelligence data alongside email validation results
3. Start with monitoring mode — flag but don't block VPN users
4. After two weeks of data, set your composite risk thresholds
5. Check the free email checker tool to test the full API response