Posts Tagged ‘IP reputation’

IP Addresses: A Lesser-Known (But Important) Piece of Contact Data

When you gather contact data for leads and customers, some items are obvious: name, mailing address, and email to name a few. But in some cases, it makes sense to check another data point: their IP address.

IP is short for Internet Protocol. An IP address can often tell you where a customer is connecting from, or at the very least where their internet service provider's network is located. This data is particularly useful in fraud prevention, especially during the busy holiday selling season. For example, if you have just received a large order from a brand-new customer in Kansas but their IP address geolocates to Kyrgyzstan, you may want to flag this order for further review before processing it.

In this article, we will take a look at IP addresses, and how they can form an important part of keeping your business and revenue safe. Let’s start with how IP addresses work.

Understanding IP addresses

An IP address is essentially the internet equivalent of a mailing address – a numerical address that identifies each device communicating over a network, such as your computer, a server, or a website. If you are using a device at home, this address will normally be assigned by your internet service provider (ISP); at an airport or café, it will be assigned by the Wi-Fi provider you are using. Note that because of network address translation, many devices behind one home, office or mobile-carrier router commonly share a single public IP address, which is worth remembering when an address is used as evidence about one particular customer.

IP addresses come in one of two forms, known as IPv4 (Internet Protocol version 4) and IPv6 (version 6). An IPv4 address is 32 bits long and is written as four decimal numbers, each from 0 to 255, separated by periods (the so-called dotted-quad notation, for example 192.0.2.1, an address from the range reserved for documentation).

Getting into a little further detail, an IPv4 address listing will often also include a subnet mask and a gateway. The subnet mask marks which leading bits of the address identify the network and which trailing bits identify the host within that network; the gateway is the address of the router that forwards traffic destined for other networks. Both the network ID and the host ID are packed into the same 32-bit address, and the mask is what separates them.

Because IPv4 allows only a little over 4 billion (2^32) unique addresses, the supply has been effectively exhausted. In anticipation of this, the IPv6 standard was introduced in the late 1990s. IPv6 addresses are 128 bits long, written as eight groups of hexadecimal digits separated by colons, allowing for up to 2^128 possible addresses: for example, a sample address in IPv6 format is 2001:db8:0:1234:0:567:8:1.
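To make the subnet-mask split and the two address-space sizes concrete, here is an added example using Python's standard ipaddress module (this is illustrative code written for this page, not part of the original article or any Service Objects product). The addresses are from the documentation ranges; the prefix lengths are chosen for illustration.

```python
import ipaddress


def split_address(addr: str, prefix_len: int) -> dict:
    """Split an IP address into its network ID and host ID.

    prefix_len is the subnet mask expressed as a count of leading network
    bits (e.g. /24 is the same as 255.255.255.0). Works for IPv4 and IPv6.
    """
    iface = ipaddress.ip_interface(f"{addr}/{prefix_len}")
    net = iface.network
    host_bits = net.max_prefixlen - net.prefixlen   # 32 - prefix for v4, 128 - prefix for v6
    host_id = int(iface.ip) & ((1 << host_bits) - 1)  # keep only the trailing host bits
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "network_id": str(net.network_address),
        "host_id": host_id,
        "host_addresses": 2 ** host_bits,  # size of the host part (before reserving any)
    }


def address_space(version: int) -> int:
    """Total number of addresses in the whole IPv4 (4) or IPv6 (6) address space."""
    whole = "0.0.0.0/0" if version == 4 else "::/0"
    return ipaddress.ip_network(whole).num_addresses


if __name__ == "__main__":
    # Documentation-range addresses (RFC 5737 / RFC 3849), used here as constructed input.
    print(split_address("192.0.2.130", 26))
    print(split_address("2001:db8:0:1234:0:567:8:1", 64))
    print(address_space(4), address_space(6))
```

The IPv4 call shows that with a /26 mask, 192.0.2.130 sits in network 192.0.2.128 as host number 2; the IPv6 call shows the same split at the customary /64 boundary. The two address_space calls return 2^32 and 2^128 respectively, which is the gap the postage-stamp comparison below is describing.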

As one article notes, if the range of IPv4 addresses were compressed to the size of a postage stamp, a similar range of IPv6 addresses would take up the entire solar system!

Leveraging IP address data to prevent fraud

There are several circumstances where a client or prospect’s IP address might raise concerns:

  • If the location of the IP address does not match the customer’s location, particularly if it originates from another country
  • If the IP address comes from a known high-risk area
  • If an IP address is flagged as being malicious or potentially malicious
  • If the client is connecting through a proxy server, VPN or anonymizing network, which hides the user's real IP address
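The four checks above can be expressed as a small screening rule set. The following is an added example written for this page, not the original article's or Service Objects' code: the reputation table, the country codes and the "high-risk" list are constructed, illustrative data (documentation-range addresses only), and in practice they would come from a geolocation/reputation feed and from your own fraud history.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed, illustrative reputation table: CIDR block -> attributes.
# Real data would come from a reputation service; these entries are made up for the example.
REPUTATION = {
    ipaddress.ip_network("198.51.100.0/24"): {"country": "US", "proxy": False, "malicious": False},
    ipaddress.ip_network("203.0.113.0/24"):  {"country": "KG", "proxy": False, "malicious": False},
    ipaddress.ip_network("192.0.2.0/25"):    {"country": "US", "proxy": True,  "malicious": False},
    ipaddress.ip_network("192.0.2.128/25"):  {"country": "NL", "proxy": False, "malicious": True},
}

# Assumption for the example: which regions you treat as high risk is a business decision.
HIGH_RISK_COUNTRIES = {"KG"}


def lookup(ip: str) -> Optional[Dict]:
    """Longest-prefix match of an IP against the reputation table."""
    addr = ipaddress.ip_address(ip)
    for net, attrs in sorted(REPUTATION.items(), key=lambda kv: kv[0].prefixlen, reverse=True):
        if addr.version == net.version and addr in net:
            return attrs
    return None


def screen_order(ip: str, billing_country: str) -> List[str]:
    """Return the list of fraud flags raised for an order placed from `ip`.

    An empty list means none of the four checks fired. The flags are signals
    for manual review, not a verdict: shared and mobile-carrier addresses
    can trip the geolocation check for legitimate customers.
    """
    rep = lookup(ip)
    if rep is None:
        return ["unknown_ip"]  # no data at all is itself worth a look

    flags = []
    if rep["country"] != billing_country:                 # check 1: location mismatch
        flags.append(f"geo_mismatch:{rep['country']}!={billing_country}")
    if rep["country"] in HIGH_RISK_COUNTRIES:             # check 2: high-risk area
        flags.append("high_risk_region")
    if rep["malicious"]:                                  # check 3: flagged as malicious
        flags.append("malicious_ip")
    if rep["proxy"]:                                      # check 4: proxy/VPN in use
        flags.append("proxy_or_vpn")
    return flags


if __name__ == "__main__":
    # The Kansas/Kyrgyzstan case from the article, with constructed addresses.
    print(screen_order("198.51.100.7", "US"))   # clean order
    print(screen_order("203.0.113.9", "US"))    # billing US, IP in KG
    print(screen_order("192.0.2.5", "US"))      # hiding behind a proxy
    print(screen_order("192.0.2.200", "US"))    # known-bad range
```

The output of screen_order is meant to feed a review queue rather than an automatic decline; a geo mismatch on its own is common for travellers and mobile users, while the proxy and malicious flags combined with a large first order are the pattern worth holding.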

Service Objects’ DOTS IP Address Validation product is designed to check for each of these issues, as well as providing a host of related data such as a customer’s Internet Service Provider (ISP), its latitude and longitude, the network owner, host name and more. To ensure the most accurate results, this service’s database of over 4 billion records is updated daily.

For any order or financial transaction – particularly larger ones that might seem “too good to be true” – IP addresses provide a valuable check on the validity of new contact data. Validating these addresses is a good example of how an ounce of prevention can be worth a pound of cure, and is well worth considering as part of your overall data hygiene strategy.

IP Reputation and the Nationwide Bomb Threat Hoax

The bomb threat hoax from Thursday, December 13, 2018 was easily detectable as fraud.

There were several smoking guns that could have quickly identified the bomb threats as bogus. The leading indicator was the IP block from which the emails were sent: messages associated with the hoax came from the 194.58.x.x address range, which is well known in Internet security circles as malicious. IP reputation databases show this range was identified as fraudulent as early as March of 2015. Traffic originating from it was commonly seen placing fraudulent orders on e-commerce sites, and the same range appeared often in fake reviews, click fraud, and hacking attempts.

Further investigation of the 194.58.x.x address block shows with near perfect certainty the range was a manually banned, well-known public proxy. Said another way, this IP range was known to be among the worst of the worst, and clearly its originating messages should have been ignored.

Internet security professionals need to use IP reputation services to determine whether an IP address is a proxy or VPN. Lookup tables with this information have existed for years. IP reputation services use machine learning and probability theory to infer a trust score for each IP address from its observed behaviour; addresses with poor trust scores are those repeatedly seen behaving badly, usually in an automated manner. A low score is a strong signal rather than proof (carrier-grade NAT and corporate gateways put many users behind one address), so the practical response is to quarantine or review such mail rather than deliver it unchallenged. Online merchants and video streaming services already apply this kind of data science to identify malicious Internet addresses, and e-mail providers should too.
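What that check looks like on the receiving mail server, as an added example written for this page rather than anything from the original post: pull the connecting IP out of the Received: header that your own MX wrote, and test it against a list of blocked ranges. The block list here is constructed for illustration (it contains the 194.58.0.0/16 range the post names plus one documentation-range entry), the header lines are made up, and the hostnames are placeholders.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed block list for the example. The 194.58.0.0/16 entry is the range
# the post discusses; the 203.0.113.0/24 entry is a documentation range used as filler.
BLOCKED_RANGES = [
    ipaddress.ip_network("194.58.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Received: headers carry the connecting host's address literal in square brackets,
# e.g. "(relay.example [198.51.100.25])" or "([IPv6:2001:db8::1])".
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def connecting_ip(received_header: str) -> Optional[str]:
    """Extract the IP literal from one Received: header, or None if there is none."""
    m = RECEIVED_IP.search(received_header)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:  # bracketed text that is not a valid address
        return None


def blocked_by(ip: str) -> Optional[str]:
    """Return the blocked range containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED_RANGES:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def triage(headers: List[str]) -> Dict:
    """Reputation-check a message from its header lines (topmost header first).

    Only the topmost Received: line, the one added by your own MX, is
    trustworthy; any Received: lines below it were supplied by the sender
    and can be forged, so they are deliberately ignored here.
    """
    received = [h for h in headers if h.lower().startswith("received:")]
    if not received:
        return {"ip": None, "verdict": "no_received_header", "matched": None}
    ip = connecting_ip(received[0])
    if ip is None:
        return {"ip": None, "verdict": "unparseable", "matched": None}
    net = blocked_by(ip)
    return {"ip": ip, "verdict": "reject" if net else "accept", "matched": net}


# Constructed sample headers, topmost first, as a receiving MX would see them.
HOAX_LIKE = [
    "Received: from relay.example (relay.example [194.58.1.2]) by mx.example.org with ESMTP; Thu, 13 Dec 2018 09:00:00 -0800",
    "Received: from forged.example (forged.example [198.51.100.1]) by relay.example",
    "Subject: urgent",
]
CLEAN = [
    "Received: from a.example (a.example [198.51.100.25]) by mx.example.org with ESMTP",
    "Subject: hello",
]
CLEAN_V6 = ["Received: from b.example ([IPv6:2001:db8::1]) by mx.example.org"]

if __name__ == "__main__":
    for sample in (HOAX_LIKE, CLEAN, CLEAN_V6):
        print(triage(sample))
```

Note that the second Received: line in HOAX_LIKE names a clean-looking address; the code ignores it on purpose, because everything below your own server's header is sender-controlled. In production the block list would be replaced by a reputation feed lookup and "reject" would more likely mean quarantine, for the reasons given above.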

In the Internet of Things (IoT), with 11 billion smart devices connected, we can’t allow hospitals, schools, and emergency services to be distracted because of a dozen rogue devices like this. In life reputation matters, but on Thursday we let a few well-known bogus devices in Russia cause panic and fear.

We can do better — the data already exists.