Comment by reincoder

2 years ago

I appreciate it, sir! If you have any questions or feedback, please let us know.

The challenge of being a data provider is that you can use our data in a million ways, and we don't have coverage of all. So, when you come up with questions or ideas, we can help you better.

As you mentioned, audit logs. I highly recommend you look into the ASN field.

The ASN identifies an organization that owns a block of IP addresses. In my experience, I have found that the combination of ASN+Country is the most valuable information you can use in spam and fraud detection. You can fake the IP geolocation information with a VPN. However, it is not as easy to fake the ASN information of the IP address. So, when you use a combination of country + ASN, you can have a robust cybersecurity system.

2 comments

reincoder

welder 2 years ago

Can you explain more how to use ASN to detect fraud and how it's different from the country detected for the IP? I thought ASN was derived from the IP, basically the route to that IP? Here's the ipinfo response for an IP used by a recent fraud signup attempt. The asn field matches country.

  {
    "city": "Mumbai",
    "connection": {
      "asn": 24560,
      "isp": "Bharti Airtel Ltd."
    },
    "continent_code": "AS",
    "continent_name": "Asia",
    "country_code": "IN",
    "country_name": "India",
    "currency": {
      "code": "INR",
      "name": "Indian Rupee",
      "plural": "Indian rupees",
      "symbol": "Rs",
      "symbol_native": "\u099f\u0995\u09be"
    },
    "ip": "2401:4900:1f38:7402:5569:2e45:3bb:9c0d",
    "latitude": 19.076000213623047,
    "location": {
      "calling_code": "91",
      "capital": "New Delhi",
      "country_flag": "https://assets.ipstack.com/flags/in.svg",
      "country_flag_emoji": "\ud83c\uddee\ud83c\uddf3",
      "country_flag_emoji_unicode": "U+1F1EE U+1F1F3",
      "geoname_id": 1275339,
      "is_eu": false,
      "languages": [
        {
          "code": "hi",
          "name": "Hindi",
          "native": "\u0939\u093f\u0928\u094d\u0926\u0940"
        },
        {
          "code": "en",
          "name": "English",
          "native": "English"
        }
      ]
    },
    "longitude": 72.87770080566406,
    "region_code": "MH",
    "region_name": "Maharashtra",
    "time_zone": {
      "code": "IST",
      "current_time": "2023-09-15T10:52:42+05:30",
      "gmt_offset": 19800,
      "id": "Asia/Kolkata",
      "is_daylight_saving": false
    },
    "type": "ipv6",
    "zip": "400203"
  }

Here's the response from ipinfo.io which includes privacy fields. It's technically a proxy but might be hard to detect because it's probably a crowdsourced/botnet proxy not a public one. We don't pay for

  {
    "ip": "2401:4900:1f38:7402:5569:2e45:3bb:9c0d",
    "city": "Najafgarh",
    "region": "Delhi",
    "country": "IN",
    "loc": "28.6114,77.2982",
    "org": "AS24560 Bharti Airtel Ltd., Telemedia Services",
    "postal": "110097",
    "timezone": "Asia/Kolkata",
    "asn": {
      "asn": "AS24560",
      "name": "Bharti Airtel Ltd., Telemedia Services",
      "domain": "airtel.com",
      "route": "2401:4900:1f38::/48",
      "type": "isp"
    },
    "company": {
      "name": "ABTS (Karnataka),",
      "domain": "airtel.com",
      "type": "isp"
    },
    "privacy": {
      "vpn": false,
      "proxy": false,
      "tor": false,
      "relay": false,
      "hosting": false,
      "service": ""
    },
    "abuse": {
      "address": "Bharti Airtel Ltd., ISP Division - Transport Network Group, 234 , Okhla Industrial Estate,, Phase III, New Delhi-110020, INDIA",
      "country": "IN",
      "email": "ip.misuse@airtel.com",
      "name": "ABUSE BHARTIIN",
      "network": "2401:4900:1f30::/44",
      "phone": "+000000000"
    }
  }

EDIT: Oops, I confused ipinfo with ipstack. I'm actually using ipstack. Their security field also doesn't detect this IP as a proxy, which is why we only pay for Professional (no security field).

  {
    "ip": "2401:4900:1f38:7402:5569:2e45:3bb:9c0d",
    "type": "ipv6",
    "continent_code": "AS",
    "continent_name": "Asia",
    "country_code": "IN",
    "country_name": "India",
    "region_code": "MH",
    "region_name": "Maharashtra",
    "city": "Mumbai",
    "zip": "400203",
    "latitude": 19.076000213623047,
    "longitude": 72.87770080566406,
    "location": {
      "geoname_id": 1275339,
      "capital": "New Delhi",
      "languages": [
        {
          "code": "hi",
          "name": "Hindi",
          "native": "\u0939\u093f\u0928\u094d\u0926\u0940"
        },
        {
          "code": "en",
          "name": "English",
          "native": "English"
        }
      ],
      "country_flag": "https://assets.ipstack.com/flags/in.svg",
      "country_flag_emoji": "\ud83c\uddee\ud83c\uddf3",
      "country_flag_emoji_unicode": "U+1F1EE U+1F1F3",
      "calling_code": "91",
      "is_eu": false
    },
    "time_zone": {
      "id": "Asia/Kolkata",
      "current_time": "2023-09-15T12:27:08+05:30",
      "gmt_offset": 19800,
      "code": "IST",
      "is_daylight_saving": false
    },
    "currency": {
      "code": "INR",
      "name": "Indian Rupee",
      "plural": "Indian rupees",
      "symbol": "Rs",
      "symbol_native": "\u099f\u0995\u09be"
    },
    "connection": {
      "asn": 24560,
      "isp": "Bharti Airtel Ltd."
    },
    "security": {
      "is_proxy": false,
      "proxy_type": null,
      "is_crawler": false,
      "crawler_name": null,
      "crawler_type": null,
      "is_tor": false,
      "threat_level": "low",
      "threat_types": null
    }
  }

reincoder 2 years ago

Looking at the IP metadata of the IP address [0], nothing stands out. The ASN belongs to large teleco. What you can do is just block the IP address and keep a note of IP address.
[0] https://ipinfo.io/2401:4900:1f38:7402:5569:2e45:3bb:9c0d