IP Risk Scoring for Developers: How to Assess IP Reputation in Real Time
June 17, 2026
Every request to your application carries an IP address. That IP contains a surprising amount of intelligence about who is on the other end: whether they are connecting through a VPN, routing through a proxy, hiding behind a Tor exit node, or operating from a data centre.
IP risk scoring turns that raw intelligence into a single actionable number. Low score, let them through. High score, block or review.
Why IP Risk Scoring Matters
At signup: Fake account creation, free tier abuse, and bot registrations almost always originate from high-risk IPs. A data centre IP combined with a disposable email is a near-certain indicator of abuse.
At checkout: Stolen credit cards are typically used from IPs that don't match the cardholder's billing country. Scoring the IP before processing payment saves you chargebacks.
For more on how risk scores work, see what a risk score is and how it works.
The Signals Behind an IP Risk Score
VPN Detection
VPN usage alone is not proof of fraud, but combined with other signals it increases confidence significantly.
Proxy Detection
Open proxies are particularly dangerous because anyone can route traffic through them.
Tor Exit Nodes
Tor exit nodes are publicly listed, making detection straightforward. Their presence in a transaction flow is a strong risk signal.
Data Centre and Hosting IPs
Legitimate users browse from residential ISPs, not from AWS or DigitalOcean instances.
Abuse History
IPs that appear in spam blocklists or honeypot traps carry additional weight.
Geolocation Anomalies
If a user claims to be in the US but their IP geolocates to Nigeria, that is a risk signal. See geolocation fraud detection.
Checking IP Reputation at Signup
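<?php
// app/Services/FraudScreening.php
namespace App\Services;

use Illuminate\Http\Client\ConnectionException;
use Illuminate\Support\Facades\Http;

class FraudScreening
{
    /**
     * Score a signup and map the result to allow, review or block.
     */
    public function checkSignup(string $email, string $ip): array
    {
        try {
            $response = Http::timeout(3)
                ->withHeaders([
                    'Authorization' => 'Bearer ' . config('services.fidro.api_key'),
                ])
                ->post('https://api.fidro.io/v1/validate', [
                    'email' => $email,
                    'ip' => $ip,
                ]);
        } catch (ConnectionException $e) {
            // Timeouts and connection failures throw instead of returning a response
            return ['action' => 'allow', 'score' => 0];
        }

        // Fail open: if the API returns an error, the signup is allowed unscored
        if (! $response->successful()) {
            return ['action' => 'allow', 'score' => 0];
        }

        $result = $response->json();
        $score = $result['risk_score'] ?? 0;

        if ($score > 70) {
            return ['action' => 'block', 'score' => $score, 'data' => $result];
        }

        // Scores of 30 to 70 fall in the review tier
        if ($score >= 30) {
            return ['action' => 'review', 'score' => $score, 'data' => $result];
        }

        return ['action' => 'allow', 'score' => $score, 'data' => $result];
    }
}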
Try the free IP checker tool or the VPN detector to see the full analysis for any IP address.
Checking IP Reputation at Checkout
At checkout, also pass the billing country for geolocation matching:
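try {
    $check = Http::timeout(3)
        ->withHeaders([
            'Authorization' => 'Bearer ' . config('services.fidro.api_key'),
        ])
        ->post('https://api.fidro.io/v1/validate', [
            'email' => $request->email,
            // Behind a load balancer, ip() is the client address only if trusted proxies are configured
            'ip' => $request->ip(),
            'country_code' => $request->billing_country,
        ]);

    // Same fail-open behaviour as the signup check when the API returns an error
    $score = $check->successful() ? ($check->json('risk_score') ?? 0) : 0;
} catch (\Illuminate\Http\Client\ConnectionException $e) {
    $score = 0; // timeout or connection failure
}

if ($score > 70) {
    return response()->json(['error' => 'Payment could not be processed.'], 422);
}

// Scores of 30 to 70 fall in the review tier
if ($score >= 30) {
    // Require 3D Secure for medium-risk transactions
}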
Setting Thresholds: The Three-Tier Framework
Tier 1: Allow (Score < 30)
Residential IP, well-known ISP, no VPN or proxy, geolocation matches. Process normally.
Tier 2: Review (Score 30 to 70)
Some risk signals but not clearly fraudulent. Require email verification or flag for monitoring.
Tier 3: Block (Score > 70)
Multiple strong risk signals. Block the action and log for analysis.
Tuning Your Thresholds
Start with 30/70 and monitor:
- False positive rate: Too many real users blocked? Raise the block threshold to 80.
- False negative rate: Still seeing chargebacks from low-score users? Lower the allow threshold to 20.
For a full guide, see tuning fraud thresholds.
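One way to check a threshold change before shipping it, as an added example that is not from the original article: replay labelled past decisions through candidate allow/block pairs and compare the false positive and false negative rates. The `$history` rows are constructed sample data, and the function names `tier` and `evaluate` are hypothetical.

```php
<?php
// Constructed sample data: [risk_score, confirmed_fraud] per past request.
$history = [
    [8, false], [12, false], [22, true], [27, false], [35, false],
    [42, false], [48, true], [66, false], [72, false], [78, true],
    [85, true], [91, true],
];

/**
 * Apply the three-tier framework: allow below $allowBelow,
 * block above $blockAbove, review everything in between.
 */
function tier(int $score, int $allowBelow, int $blockAbove): string
{
    if ($score > $blockAbove) return 'block';
    if ($score >= $allowBelow) return 'review';
    return 'allow';
}

/**
 * fp_rate: share of legitimate requests that were blocked.
 * fn_rate: share of confirmed fraud that was allowed straight through.
 * review_share: share of all requests sent to manual or step-up review.
 */
function evaluate(array $history, int $allowBelow, int $blockAbove): array
{
    $legit = $fraud = $fp = $fn = $review = 0;
    foreach ($history as [$score, $isFraud]) {
        $action = tier($score, $allowBelow, $blockAbove);
        $isFraud ? $fraud++ : $legit++;
        if ($action === 'block' && !$isFraud) $fp++;
        if ($action === 'allow' && $isFraud) $fn++;
        if ($action === 'review') $review++;
    }
    return [
        'fp_rate' => $legit ? round($fp / $legit, 3) : 0.0,
        'fn_rate' => $fraud ? round($fn / $fraud, 3) : 0.0,
        'review_share' => round($review / max(count($history), 1), 3),
    ];
}

// Compare the default 30/70 pair with the adjustments suggested above.
foreach ([[30, 70], [30, 80], [20, 70], [20, 80]] as [$allow, $block]) {
    $r = evaluate($history, $allow, $block);
    printf("allow<%d block>%d  FP=%.1f%%  FN=%.1f%%  review=%.1f%%\n",
        $allow, $block, $r['fp_rate'] * 100, $r['fn_rate'] * 100, $r['review_share'] * 100);
}
```

Widening the review band lowers both error rates but raises the review share, so track all three numbers when moving a threshold.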
What High-Risk IPs Look Like
Residential User, Low Risk (Score: 8)
{
    "risk_score": 8,
    "checks": { "vpn": false, "proxy": false, "tor": false, "datacenter": false },
    "location": { "country_code": "US", "isp": "Comcast Cable Communications" }
}
VPN User, Medium Risk (Score: 42)
{
    "risk_score": 42,
    "checks": { "vpn": true, "proxy": false, "tor": false, "datacenter": false },
    "location": { "country_code": "US", "isp": "NordVPN" }
}
Tor on Data Centre, High Risk (Score: 91)
{
    "risk_score": 91,
    "checks": { "vpn": false, "proxy": false, "tor": true, "datacenter": true, "bad_ip": true },
    "location": { "country_code": "DE", "isp": "Hetzner Online GmbH" }
}
Combining IP Scores with Email Validation
IP risk scoring is most powerful when combined with email intelligence:
$result = $fidro->validate($request->email, $request->ip());

$isDisposable = $result['checks']['disposable_email'] ?? false;
$isVpn = $result['checks']['vpn'] ?? false;

// Custom rule: disposable email + VPN is always blocked
if ($isDisposable && $isVpn) {
    return response()->json(['error' => 'Registration blocked.'], 403);
}
Try the email checker alongside the IP checker to see how these signals complement each other.
Getting Started
- Sign up at fidro.io/pricing. Free plan includes 200 requests per month.
- Test with the IP checker tool.
- Integrate at signup first, then extend to checkout.
- Monitor and tune thresholds based on your data.
For API reference, see the documentation. For more on IP intelligence, read IP intelligence for detecting VPNs, proxies, and Tor.