IP Reputation
developer
/v1/ip/reputation
Checks an IP address against 8 DNS-based blacklists (DNSBLs) and 8 threat feed categories (backed by 10 individual sources) in parallel. Returns a composite reputation score (0-100), risk classification, and per-source detection details. DNSBL sources: Barracuda, SpamCop, Blocklist.de, CINS, Spamrats, PSBL, DroneBL, and Mailspike. Threat feeds: FireHOL Level 1, Spamhaus DROP, Feodo Tracker, Blocklist.de, CINS Army, Stamparm ipsum, Emerging Threats, Abuse.ch SSLBL, Cisco Talos, and Tor exit nodes. Results cached for 1 hour.
What It Does
Executes two parallel detection pipelines: (1) Real-time DNSBL queries via Cloudflare DoH against Barracuda, SpamCop, Blocklist.de, CINS Army, Spamrats, PSBL, DroneBL, and Mailspike - using the standard reverse-IP DNSBL lookup method. (2) Pre-indexed threat feed checks against FireHOL Level 1 (aggregated malicious IPs), Spamhaus DROP (worst-of-the-worst IP ranges), Feodo Tracker (banking trojan C2), Blocklist.de (brute-force attackers), CINS Army (malicious IPs), Stamparm ipsum (aggregated threat intelligence), Emerging Threats (compromised IPs), Abuse.ch SSLBL (malicious SSL certificates), Cisco Talos (malicious IPs), and Tor exit nodes. Results are combined using weighted scoring where more authoritative sources (FireHOL, Spamhaus, Feodo Tracker) carry higher weight. Score ranges: 100 = clean, 80-99 = low risk, 50-79 = medium risk, 20-49 = high risk, 0-19 = critical threat.
Why It's Useful
A single API call checks against 16 source categories (8 DNSBLs + 8 threat feed types backed by 10 individual sources), replacing manual DNSBL lookups and multiple feed subscriptions. IP reputation is critical for fraud prevention (blocking transactions from known-bad IPs), email security (rejecting mail from blacklisted senders), and Zero Trust access control (risk-based authentication). The composite scoring methodology reduces false positives compared to single-source checks.
Use Cases
Transaction Risk Scoring
Integrate IP reputation checks into payment processing to flag or block transactions originating from IPs listed on spam, botnet, or brute-force blacklists.
Reduce fraud chargebacks while minimizing false positives through multi-source consensus scoring.
Email Gateway Enhancement
Supplement your email gateway's built-in spam filtering by checking connecting mail server IPs against multiple DNSBLs and threat feeds before accepting messages.
Catch spam and phishing that bypasses single-DNSBL checks by leveraging multi-source threat intelligence.
SIEM Alert Enrichment
Automatically enrich SIEM alerts with IP reputation scores to prioritize investigation of alerts involving high-risk IPs flagged by multiple sources.
Focus analyst time on high-confidence threats by de-prioritizing alerts from IPs with clean reputation.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| ip | string | Required | The IPv4 address to check reputation for. DNSBL checks are IPv4 only; threat feeds support both IPv4 and IPv6. Example: 1.2.3.4 |
Response Fields
| Field | Type | Description |
|---|---|---|
| ip | string | The queried IP address |
| reputation_score | number | Composite reputation score (0 = critical threat, 100 = clean) |
| risk_level | string | Risk classification: clean (100), low (80-99), medium (50-79), high (20-49), critical (0-19) |
| is_malicious | boolean | Whether the IP is considered malicious (score < 50) |
| total_sources_checked | number | Total number of threat sources queried |
| detections | number | Number of sources that flagged this IP |
| detection_details | array | Per-source results: source name, category (spam, botnet_cc, brute_force, malicious), listed status, and type (dnsbl or threat_feed) |
| sources_queried | array | List of source categories queried (dnsbl, threat_feeds) |
| sources_failed | array | List of source categories that failed (empty when all succeed) |
| partial_result | boolean | Whether some sources failed — result may undercount threats |
| last_updated | string | ISO 8601 timestamp of when the check was performed |
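One way to act on these fields in a gateway or SIEM enrichment step, as an added example rather than code from the API provider: it maps the score to the documented bands and refuses to treat a response as clean when partial_result is set. The allow/review/block policy, the function names, and the "source", "category" and "listed" key names inside detection_details are assumptions.

```python
# Added example (not the API provider's code): gate on a /v1/ip/reputation response.
# Bands follow the documented score ranges. The allow/review/block policy and the
# detection_details key names ("source", "category", "listed") are assumptions.
BANDS = [(100, "clean"), (80, "low"), (50, "medium"), (20, "high"), (0, "critical")]

def band_for(score):
    """Map a 0-100 reputation_score to its documented risk_level."""
    if not 0 <= score <= 100:
        raise ValueError(f"reputation_score out of range: {score!r}")
    return next(name for floor, name in BANDS if score >= floor)

def decide(resp, escalate_categories=("botnet_cc",)):
    """Return (action, reasons); action is 'allow', 'review' or 'block'."""
    score = resp["reputation_score"]
    level = band_for(score)
    reasons = [f"score {score} ({level})"]
    # score < 50 is the documented is_malicious cut-off (high and critical bands).
    action = "block" if score < 50 else "review" if level == "medium" else "allow"

    escalations = []
    listed = [d for d in resp.get("detection_details", []) if d.get("listed")]
    hits = sorted(d.get("source", "?") for d in listed
                  if d.get("category") in escalate_categories)
    if hits:
        escalations.append("listed by " + ", ".join(hits))
    # A source that failed cannot report a listing, so a good score is unproven.
    if resp.get("partial_result"):
        failed = ", ".join(resp.get("sources_failed", [])) or "unknown"
        escalations.append("partial result, failed: " + failed)
    if escalations and action == "allow":
        action = "review"

    # Cross-check the returned classification against the documented bands.
    if resp.get("risk_level") not in (None, level):
        escalations.append(f"risk_level {resp['risk_level']!r} does not match score")
    return action, reasons + escalations

# Constructed sample responses (not real API output); 192.0.2.10 is a documentation address.
CLEAN = {"ip": "192.0.2.10", "reputation_score": 100, "risk_level": "clean",
         "is_malicious": False, "detection_details": [], "sources_failed": [],
         "partial_result": False}
PARTIAL = dict(CLEAN, partial_result=True, sources_failed=["dnsbl"])
BAD = dict(CLEAN, reputation_score=35, risk_level="high", is_malicious=True,
           detection_details=[{"source": "Feodo Tracker", "category": "botnet_cc",
                               "listed": True, "type": "threat_feed"}])

if __name__ == "__main__":
    for sample in (CLEAN, PARTIAL, BAD):
        print(sample["ip"], *decide(sample))
```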
Code Examples
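```bash
# -G sends the -d data as a query string on a GET request,
# matching the JavaScript and Python examples.
curl -G "https://api.edgedns.dev/v1/ip/reputation" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "ip=1.2.3.4"
```

```javascript
// Query the IP Reputation endpoint with the IP as a query parameter.
const response = await fetch(
  'https://api.edgedns.dev/v1/ip/reputation?ip=1.2.3.4',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# Query the IP Reputation endpoint; requests has no default timeout, so set one.
response = requests.get(
    'https://api.edgedns.dev/v1/ip/reputation',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'ip': '1.2.3.4'
    },
    timeout=10,
)
data = response.json()
print(data)
```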