
IP Reputation: a beginner's guide

Check IP against blacklists and threat feeds

EdgeDNS Team · 9 min read

IP reputation: how the internet remembers which addresses misbehaved

IP reputation is a score, usually expressed as a number from 0 to 100 or as a categorical rating (good, neutral, suspicious, malicious), that summarizes how trustworthy a particular IP address has historically been. The score is computed by combining many signals: did this IP appear in any known spam blocklists? Has it been seen sending phishing emails? Has it been part of a botnet or a credential-stuffing attack? Is it on a residential ISP, a hosting provider, a known VPN, or Tor? Each signal contributes a small weight, and the result is a single number you can plug into a fraud rule, an authentication decision, or a security alert.

You should care because most online abuse comes from a relatively small pool of IPs that are reused across many attacks. A spam-bot operator rents servers from a low-quality hosting provider. A credential-stuffing attacker buys access to compromised residential proxies. A scammer running fake-account creation rotates through a known set of VPN exit nodes. In all of these cases, the IPs are not new — they have been seen misbehaving before, often many times. IP reputation is the way the security community keeps that institutional memory.

The five signals most IP reputation checks look at:

  • Public blocklists. Spamhaus, SpamCop, Barracuda, SORBS, Composite Blocking List, and dozens of others.

  • Historical abuse signals. Has this IP been observed sending spam, brute-forcing logins, hosting malware, or running scans?

  • The IP's network type. Residential, datacenter, mobile, VPN, Tor exit node? Each carries different baseline risk.

  • Geolocation consistency. Does the IP's registered location agree with its routing path and with whatever location the user claims (billing address, locale, stated country)?

  • Recency of bad behavior. A bad rep score from years ago is less actionable than one from yesterday.

Three questions an IP reputation check answers:

  • Should my signup form, payment flow, or comment system trust this visitor?

  • Is the IP this fraud alert came from a known abuser, or is this a fresh case?

  • Across my whole user base, what fraction of recent traffic comes from IPs with poor reputation?

The cost of ignoring IP reputation is letting the same small pool of abusers hit you over and over with attacks they have already used everywhere else. The fix is to plug an IP reputation check into the places where decisions are made: fraud rules, abuse triage, account-creation flows, login pages. Done well, it removes most obvious abuse while adding little friction for legitimate users, provided you treat a medium score as a trigger for extra verification rather than an automatic block. Shared addresses (carrier-grade NAT, corporate egress, campus networks) put many innocent users behind one IP, so a listing is evidence, not a verdict.

The IP Reputation endpoint, in plain language

In one sentence: Check [IP (Internet Protocol address)](/guides/ip-geolocation) against blacklists and threat feeds

Checks an IP address against 8 DNS-based blacklists (DNSBLs) and 8 threat feed categories (backed by 10 individual sources) in parallel. Returns a composite reputation score (0-100), a risk classification, and per-source detection details. DNSBL sources: Barracuda, SpamCop, Blocklist.de, CINS, Spamrats, PSBL, DroneBL, and Mailspike. Threat feeds: FireHOL Level 1, Spamhaus DROP, Feodo Tracker, Blocklist.de, CINS Army, Stamparm ipsum, Emerging Threats, Abuse.ch SSLBL, Cisco Talos, and Tor exit nodes. Results are cached for 1 hour.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

Two detection pipelines run in parallel:

(1) Real-time DNSBL queries, sent over Cloudflare DoH (DNS over HTTPS), against Barracuda, SpamCop, Blocklist.de, CINS Army, Spamrats, PSBL, DroneBL, and Mailspike, using the standard reverse-IP DNSBL lookup method: the octets of the address are reversed and prepended to the list's zone name, and a listing is signalled by an answer record rather than an empty response. This pipeline only runs for IPv4 addresses.

(2) Pre-indexed threat feed checks against FireHOL Level 1 (aggregated malicious IPs), Spamhaus DROP (worst-of-the-worst IP ranges), Feodo Tracker (banking trojan C2), Blocklist.de (brute-force attackers), CINS Army (malicious IPs), Stamparm ipsum (aggregated threat intelligence), Emerging Threats (compromised IPs), Abuse.ch SSLBL (IPs serving malicious SSL certificates), Cisco Talos (malicious IPs), and Tor exit nodes.

Results are combined using weighted scoring in which the more authoritative sources (FireHOL, Spamhaus, Feodo Tracker) carry higher weight. Score ranges: 100 = clean, 80-99 = low risk, 50-79 = medium risk, 20-49 = high risk, 0-19 = critical threat. If a source category fails to respond, the result is marked partial and may undercount threats.
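The mechanics above, as an added illustration that is not EdgeDNS code: how the reverse-IP DNSBL query name is built, how a DNSBL answer is interpreted, and how per-source hits could be folded into a 0-100 score using the thresholds the endpoint documents. The zone names are the commonly published ones for those lists (confirm against each list's own documentation), the weights are an assumption (the page says only that FireHOL, Spamhaus and Feodo Tracker count for more), and the DNS answers and feed contents are constructed so the script runs offline.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Commonly published DNSBL zones; illustrative, verify against each list's docs.
DNSBL_ZONES: Dict[str, str] = {
    "barracuda": "b.barracudacentral.org",
    "spamcop": "bl.spamcop.net",
    "psbl": "psbl.surriel.com",
}

# Assumed weights. The page only says the first three carry more weight than
# the DNSBLs, not by how much; tune these against your own false-positive data.
WEIGHTS: Dict[str, int] = {
    "firehol_level1": 40,
    "spamhaus_drop": 40,
    "feodo_tracker": 40,
    "barracuda": 15,
    "spamcop": 15,
    "psbl": 10,
}

# DNSBLs answer "listed" with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard reverse-octet DNSBL name: 1.2.3.4 -> 4.3.2.1.<zone>.
    IPv4 only, matching the endpoint's DNSBL behaviour."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("DNSBL lookups are IPv4 only; send IPv6 to the threat feeds")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(answers: Iterable[str]) -> bool:
    """NXDOMAIN (no answers) means not listed. Answers outside 127/8 are ignored:
    they usually come from a wildcarded or expired zone, and trusting them
    would list every address you query."""
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)


def composite_score(hits: Dict[str, bool]) -> int:
    """Subtract each listing's weight from 100, floored at 0."""
    penalty = sum(WEIGHTS[src] for src, listed in hits.items() if listed)
    return max(0, 100 - penalty)


def risk_level(score: int) -> str:
    """Bands exactly as documented for the endpoint."""
    if score == 100:
        return "clean"
    if score >= 80:
        return "low"
    if score >= 50:
        return "medium"
    if score >= 20:
        return "high"
    return "critical"


# Constructed stand-in for DoH answers: query name -> A records.
FAKE_DNS: Dict[str, List[str]] = {
    "4.3.2.1.b.barracudacentral.org": ["127.0.0.2"],
    "4.3.2.1.bl.spamcop.net": ["127.0.0.2"],
    # A hijacked/wildcarded zone replying with a public address: must not count.
    "4.3.2.1.psbl.surriel.com": ["203.0.113.9"],
}
# Constructed stand-in for the pre-indexed threat feeds.
FAKE_FEEDS: Dict[str, set] = {
    "firehol_level1": {"1.2.3.4"},
    "spamhaus_drop": set(),
    "feodo_tracker": set(),
}


def check_ip(ip: str,
             resolve: Callable[[str], List[str]] = lambda n: FAKE_DNS.get(n, [])) -> dict:
    """Run both pipelines and return a response shaped like the endpoint's."""
    hits: Dict[str, bool] = {}
    if ipaddress.ip_address(ip).version == 4:  # DNSBL pipeline is IPv4 only
        for name, zone in DNSBL_ZONES.items():
            hits[name] = dnsbl_listed(resolve(dnsbl_query_name(ip, zone)))
    for feed, members in FAKE_FEEDS.items():
        hits[feed] = ip in members
    score = composite_score(hits)
    return {
        "ip": ip,
        "reputation_score": score,
        "risk_level": risk_level(score),
        "is_malicious": score < 50,
        "detections": sum(hits.values()),
        "detection_details": hits,
    }


if __name__ == "__main__":
    print(check_ip("1.2.3.4"))
```

With the constructed data, 1.2.3.4 is listed by two DNSBLs and one high-weight feed, so it scores 30 (high risk); the hijacked PSBL answer is correctly discarded. Under real conditions the query goes to an actual DoH resolver, and the answer value (127.0.0.2, 127.0.0.10, and so on) often encodes why the address is listed, which is worth surfacing in detection details.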

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the IP Reputation tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

A single API call checks 18 individual sources (8 DNSBLs plus 10 threat feeds grouped into 8 categories), replacing manual DNSBL lookups and multiple feed subscriptions. IP reputation matters for fraud prevention (blocking transactions from known-bad IPs), email security (rejecting mail from blacklisted senders), and Zero Trust access control (risk-based authentication). Because the score is a weighted consensus across sources, a single stale or over-aggressive listing moves it less than it would a single-source check, which reduces false positives.

Picture this in real life. Imagine a fraud analyst who has been asked to integrate IP reputation checks into payment processing so that transactions originating from IPs listed on spam, botnet, or brute-force blacklists are flagged or blocked. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the IP Reputation tool, the same person gets a clear answer in seconds: no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the IP Reputation tool is built for you:

  • Is this IP address known for spam, botnet, or brute-force abuse?

  • Should my signup form, payment flow, or comment system trust this visitor?

  • Which of the 18 sources flagged this IP, and was it a spam, botnet, or brute-force listing?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Trust and safety teams, fraud analysts, email administrators, security operations engineers, and product teams running open signup flows. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and you find out an IP was malicious only after it has already cost you money or trust. Running this check at the decision points that matter, and re-checking on a schedule since listings change, is one of the cheapest forms of insurance you can buy.

Info:

Available on the developer plan. The technical details: `GET /v1/ip/reputation`.

When would I actually use this?

If you're still on the fence about whether the IP Reputation tool belongs in your toolbox, this section is for you. Below you'll meet three real people, a fraud analyst, an email administrator, and a threat analyst, facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Transaction Risk Scoring

Imagine you're a fraud analyst. Integrate IP reputation checks into payment processing to flag or block transactions originating from IPs listed on spam, botnet, or brute-force blacklists.

Why it matters: Reduce fraud chargebacks while minimizing false positives through multi-source consensus scoring.

Story 2: Email Gateway Enhancement

Imagine you're an email administrator. Supplement your email gateway's built-in spam filtering by checking connecting mail server IPs against multiple DNSBLs and threat feeds before accepting messages.

Why it matters: Catch spam and phishing that bypasses single-DNSBL checks by leveraging multi-source threat intelligence.

Story 3: SIEM Alert Enrichment

Imagine you're a threat analyst. Automatically enrich SIEM alerts with IP reputation scores to prioritize investigation of alerts involving high-risk IPs flagged by multiple sources.

Why it matters: Focus analyst time on high-confidence threats by de-prioritizing alerts from IPs with clean reputation.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the IP Reputation tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • Inside a signup form, payment flow, or comment system, to score risk in real time.

  • When investigating a customer complaint or abuse report, to check whether the source IP is a known abuser.

  • On a recurring schedule, to re-score the IPs behind recently created accounts, since listings change over time and results are only cached for an hour.

  • During incident response, to enrich an alert with reputation context.

If you can see yourself in even one of those bullets, the IP Reputation tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the IP Reputation tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the IP Reputation tool to check 1.2.3.4 and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/ip/reputation?ip=1.2.3.4"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| ip | string | Yes | The IP address to check. DNSBL lookups are IPv4 only, so for an IPv6 address only the threat feeds are consulted and the score reflects those alone. | 1.2.3.4 |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| ip | string | The queried IP address |
| reputation_score | number | Composite reputation score (0 = critical threat, 100 = clean) |
| risk_level | string | Risk classification: clean (100), low (80-99), medium (50-79), high (20-49), critical (0-19) |
| is_malicious | boolean | Whether the IP is considered malicious (score < 50) |
| total_sources_checked | number | Total number of threat sources queried |
| detections | number | Number of sources that flagged this IP |
| detection_details | array | Per-source results: source name, category (spam, botnet_cc, brute_force, malicious), listed status, and type (dnsbl or threat_feed) |
| sources_queried | array | List of source categories queried (dnsbl, threat_feeds) |
| sources_failed | array | List of source categories that failed (empty when all succeed) |
| partial_result | boolean | Whether some sources failed; when true the result may undercount threats |
| last_updated | string | ISO 8601 timestamp of when the check was performed |
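Turning that response into a decision is where the `partial_result` and `last_updated` fields earn their keep, and it is what the transaction-scoring and SIEM-enrichment stories above actually need. The following is an added example, not EdgeDNS client code: it parses a constructed response carrying the documented fields (the key names inside `detection_details` entries are assumed, since the page lists only what they contain), applies a block/review/allow policy, and derives an alert priority. The 80 and 50 cut-offs mirror the documented risk bands; the choice to fail closed on a partial result is a policy decision, not endpoint behaviour.

```python
import json
from datetime import datetime, timezone
from typing import List

REQUIRED = ("ip", "reputation_score", "risk_level", "is_malicious",
            "detections", "detection_details", "sources_failed",
            "partial_result", "last_updated")


def parse_response(body: str) -> dict:
    """Decode the JSON body and refuse to act on a response missing any documented field."""
    resp = json.loads(body)
    missing = [k for k in REQUIRED if k not in resp]
    if missing:
        raise ValueError(f"response missing fields: {missing}")
    return resp


def decide(resp: dict, allow_at: int = 80, block_below: int = 50,
           fail_closed: bool = False) -> dict:
    """Map a score to block / review / allow and explain why.

    block_below=50 matches is_malicious; allow_at=80 is the bottom of the
    documented low-risk band. A partial result can only undercount threats, so
    with fail_closed=True a clean-looking score is downgraded to review."""
    score = resp["reputation_score"]
    reasons: List[str] = []
    if resp["is_malicious"] or score < block_below:
        action = "block"
        reasons.append(f"score {score} is below the block threshold {block_below}")
    elif score < allow_at:
        action = "review"
        reasons.append(f"score {score} is in the review band [{block_below}, {allow_at})")
    else:
        action = "allow"
    if resp["partial_result"]:
        failed = ", ".join(resp["sources_failed"]) or "unknown"
        reasons.append(f"partial result: {failed} unavailable, threats may be undercounted")
        if fail_closed and action == "allow":
            action = "review"
    for d in resp["detection_details"]:  # entry key names are assumed
        if d["listed"]:
            reasons.append(f"{d['source']} ({d['type']}) lists it as {d['category']}")
    return {"action": action, "reasons": reasons}


def siem_priority(resp: dict) -> str:
    """Multi-source malicious -> high; trusted clean -> low; everything else medium."""
    if resp["is_malicious"] and resp["detections"] >= 2:
        return "high"
    if resp["risk_level"] == "clean" and not resp["partial_result"]:
        return "low"
    return "medium"


def is_stale(resp: dict, now: datetime, max_age_s: int = 3600) -> bool:
    """True if the check is older than the endpoint's one-hour cache window."""
    ts = datetime.fromisoformat(resp["last_updated"].replace("Z", "+00:00"))
    return (now - ts).total_seconds() > max_age_s


# Constructed sample responses using the documented fields.
SAMPLE_LISTED = json.dumps({
    "ip": "1.2.3.4", "reputation_score": 35, "risk_level": "high",
    "is_malicious": True, "total_sources_checked": 18, "detections": 3,
    "detection_details": [
        {"source": "Barracuda", "category": "spam", "listed": True, "type": "dnsbl"},
        {"source": "SpamCop", "category": "spam", "listed": True, "type": "dnsbl"},
        {"source": "Feodo Tracker", "category": "botnet_cc", "listed": True, "type": "threat_feed"},
        {"source": "Mailspike", "category": "spam", "listed": False, "type": "dnsbl"},
    ],
    "sources_queried": ["dnsbl", "threat_feeds"], "sources_failed": [],
    "partial_result": False, "last_updated": "2024-01-01T12:00:00Z",
})
SAMPLE_PARTIAL_CLEAN = json.dumps({
    "ip": "192.0.2.10", "reputation_score": 100, "risk_level": "clean",
    "is_malicious": False, "total_sources_checked": 8, "detections": 0,
    "detection_details": [], "sources_queried": ["dnsbl"],
    "sources_failed": ["threat_feeds"], "partial_result": True,
    "last_updated": "2024-01-01T12:00:00Z",
})

if __name__ == "__main__":
    for body in (SAMPLE_LISTED, SAMPLE_PARTIAL_CLEAN):
        r = parse_response(body)
        print(r["ip"], decide(r, fail_closed=True), siem_priority(r))
```

The second sample is the case people get wrong: a perfect score obtained while the threat feeds were down. With `fail_closed=False` it is allowed (and the reason list records the gap for audit); with `fail_closed=True` it goes to review. For a payment flow the latter is usually right, for a comment form the former.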

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.

IP (Internet Protocol address) — A unique number that identifies a computer on the internet, like a phone number for a server.

API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.

SSL (Secure Sockets Layer) — The original encryption used by HTTPS. The name stuck even though every modern site actually uses TLS, the newer replacement.

DoH (DNS over HTTPS) — A modern way of sending DNS queries that hides them inside encrypted HTTPS traffic, so people on the same network can't see which websites you're looking up.

Tor (The Onion Router) — A free privacy network that bounces your traffic through several volunteer-run servers around the world to make it very hard to trace back to you. The 'exit node' is the last server in the chain — the one your destination actually sees.
