# IP Intelligence: How to Detect VPNs, Proxies, and Tor at Signup > IP intelligence reveals whether users are masking their location with VPNs, proxies, or Tor. Learn how IP analysis works, when anonymization is a fraud signal, and how to use it without blocking legitimate users. **Author:** Matt King | **Published:** December 18, 2025 | **Category:** Fraud Prevention --- [IP intelligence](/tools/ip-checker) is the process of analysing an IP address to determine its geolocation, ISP, connection type, and whether it belongs to a VPN, proxy, Tor exit node, or data center. For fraud detection, IP analysis reveals when users are hiding their real location — one of the most common behaviors associated with [account fraud](/use-cases/account-takeover-prevention), payment fraud, and multi-account abuse. ## What IP Intelligence Reveals Every IP address carries metadata that tells you about the user's connection: | Data Point | What It Reveals | Fraud Relevance | |-----------|----------------|-----------------| | Country/City | Geographic location | Does it match billing address? | | ISP | Internet provider | Residential vs data center | | Connection type | Broadband, mobile, satellite | Data center = potential bot | | VPN detection | Commercial VPN service | Location masking | | Proxy detection | HTTP/SOCKS proxy | Location masking | | Tor detection | Tor exit node | Strong anonymisation | | Hosting provider | Cloud/hosting company | Automated traffic | ## When Anonymisation Is a Fraud Signal Not every VPN user is a fraudster. Privacy-conscious users, corporate employees, and people in restrictive regions all use VPNs legitimately. The key is **context**: **High risk (multiple signals):** - VPN + [disposable email](/disposable-emails) + new account = likely fraud - Tor + mismatched billing country + high-value purchase = likely fraud - Data center IP + automated signup pattern + free tier = likely bot **Low risk (VPN alone):** - VPN + legitimate email + established account = likely privacy-conscious user - VPN + corporate domain email = likely employee on company VPN - VPN + mobile device + residential patterns = likely personal privacy The rule is simple: **never block on a single signal**. Always combine IP intelligence with email validation and behavioral data. ## Implementation ### Basic IP Check ```bash curl -X POST https://api.fidro.io/v1/validate/email \ -H "Authorization: Bearer YOUR_API_KEY" \ -d '{"email": "user@example.com", "ip": "203.0.113.42"}' ``` The response includes IP intelligence alongside email validation: ```json { "email": "user@example.com", "disposable": false, "risk_score": 0.45, "ip": { "address": "203.0.113.42", "country": "DE", "city": "Berlin", "isp": "Example ISP", "vpn": true, "proxy": false, "tor": false, "hosting": false } } ``` ### Geographic Mismatch Detection One of the most powerful fraud signals is a mismatch between the user's IP country and their billing country: ```javascript const validation = await fidro.validate(email, ip); const billingCountry = order.billing_address.country; const ipCountry = validation.ip.country; if (billingCountry !== ipCountry && validation.ip.vpn) { // High risk: VPN + country mismatch flagForReview(order); } ``` This pattern catches a large percentage of payment fraud while generating very few false positives. ## Building a Composite Risk Score Rather than acting on individual signals, combine them into a weighted [risk score](/blog/what-is-a-risk-score-and-how-does-it-work): | Signal | Weight | Rationale | |--------|--------|-----------| | Disposable email | +0.4 | Strong fraud indicator | | Tor exit node | +0.3 | Strong anonymisation | | VPN detected | +0.15 | Moderate signal (many legitimate uses) | | Proxy detected | +0.2 | Moderate signal | | Data center IP | +0.2 | Likely automated | | Country mismatch | +0.25 | Significant when combined with VPN | | Domain age < 7 days | +0.15 | New domain risk | A user with a VPN alone scores 0.15 — well below any blocking threshold. A user with a VPN + disposable email + country mismatch scores 0.8 — clearly suspicious. Fidro calculates this composite score automatically, weighting all available signals into a single `risk_score` field. ## Handling Edge Cases ### Corporate VPNs Employees at large companies often route all traffic through a corporate VPN. The IP will show as a VPN, but the email will have a legitimate corporate domain. Solution: if the email domain matches a known company and is not disposable, reduce the VPN signal weight. ### Mobile Carriers Some mobile carriers use IP ranges that look like VPNs or proxies. Fidro accounts for this by classifying mobile carrier IPs separately from commercial VPN providers. ### Shared IPs University networks, co-working spaces, and apartment complexes share IP addresses. Multiple signups from the same IP are not necessarily fraud. Use IP as a flagging signal rather than a blocking signal for account creation. ## Getting Started 1. Add the `ip` parameter to your existing [Fidro API](/docs) calls 2. Log the IP intelligence data alongside email validation results 3. Start with monitoring mode — flag but don't block VPN users 4. After two weeks of data, set your composite risk thresholds 5. Check the [free email checker tool](/tools/email-checker) to test the full API response 6. Try the [IP checker tool](/tools/ip-checker) to see what a single IP reveals --- ## Frequently Asked Questions ### What is IP intelligence? IP intelligence is the process of analyzing an IP address to determine its geolocation, ISP, connection type, and whether it belongs to a VPN, proxy, Tor exit node, or data center. This data helps identify users who are masking their real location, which is a common signal in fraud, multi-account abuse, and unauthorized access. ### Should I block all VPN users? No. Many legitimate users use VPNs for privacy or because their employer requires it. Blocking all VPN traffic would exclude a significant portion of real customers. Instead, use VPN detection as one signal in a composite risk score. A VPN combined with a disposable email and mismatched geolocation is suspicious; a VPN alone is not. ### How accurate is IP geolocation? IP geolocation is typically accurate to the country level 95-99% of the time, and to the city level 50-80% of the time. Accuracy varies by ISP and region. For fraud detection, country-level accuracy is sufficient — you primarily care whether the IP country matches the billing country. ### Can Tor users be detected? Yes. Tor exit nodes are publicly listed and maintained by the Tor Project. IP intelligence APIs like Fidro check against updated lists of known exit nodes in real time. However, sophisticated users may use bridges or unlisted nodes that are harder to detect. ### How does IP intelligence complement email validation? Email validation catches identity-level fraud signals (disposable emails, invalid domains, fake addresses). IP intelligence catches location-level fraud signals (VPNs, geographic mismatches, data center IPs). Together, they provide a comprehensive risk picture that neither can achieve alone.