Explain IPQS scoring methodology

Good Carder

Here is a highly detailed, comprehensive explanation of the IPQS (IPQualityScore) scoring methodology as of early 2026. This draws from official IPQS documentation, technical articles (including their March 2026 piece "A Closer Look at How IPQS IP Scores Work"), API references, release notes, and integration guides. IPQS does not publish the exact mathematical formula or weights (it is proprietary and protected as a trade secret), but they provide extensive transparency on the inputs, processes, data sources, outputs, and logic.

The system is designed for real-time fraud prevention, turning complex threat intelligence into actionable scores for signups, logins, payments, clicks, and automation detection. It is particularly relevant for evaluating residential proxy IPs, where low scores indicate "clean" connections with minimal abuse history or proxy flags.

1. Core Outputs: Fraud Score and Risk Score

  • Fraud Score (0–100): The primary metric. It represents the overall estimated likelihood that the IP (and associated session) is linked to abusive or malicious activity, such as bots, proxies, VPNs, credential stuffing, fake accounts, chargebacks, or payment fraud.
    • Interpretation guidelines (official):
      • 0–74: Generally low risk / acceptable for most traffic.
      • ≥75: Suspicious — often indicates a proxy, VPN, Tor, or prior reputation issues, but not necessarily active fraud.
      • ≥85: High risk / suspicious behavior signals present (recommend flagging or additional verification).
      • ≥90: Very high risk / frequent abusive behavior (strong recommendation to block). This is tightly linked to recent or excessive abuse within the past 24–72 hours.
    • The score is influenced by the IP address plus optional inputs like user agent, language, device details, or transaction context.
  • Risk Score: A separate, complementary metric returned in many responses. It places less weight on long-term reputation history and focuses more on short-term session behavior. This helps distinguish immediate risk (e.g., current session anomalies) from broader historical patterns. It supports nuanced decisioning, such as comparing "this session looks risky now" vs. "this IP has a bad reputation overall."
  • Supporting Data Points (typically 20+ returned in API responses):
    • Geolocation (country, region, city, ZIP, lat/long, timezone).
    • ISP, ASN, organization, hostname.
    • Connection type: Residential, Mobile, Datacenter/Hosting, Corporate, Education.
    • Proxy/VPN/Tor detection (including proxy, vpn, tor, active_vpn, active_tor).
    • Recent Abuse (boolean): Verified abusive activity in the recent past (e.g., chargeback, compromised device, fake signup/app install, or similar malicious behavior within the past few days).
    • Abuse Velocity: "none", "low", "medium", or "high" — measures how frequently abuse is occurring across the IPQS threat network (especially in the past 24–48 hours). "High" or "medium" often correlates with poor reputation.
    • Bot Status: Indicates recent non-human/automated fraudulent activity (premium feature).
    • Other: Frequent abuser (long-term history over 6+ months), is_crawler, mobile flag, etc.

These fields explain why a score is elevated and allow rule-based decisions (e.g., "block if fraud_score ≥ 90 OR recent_abuse = true").

2. Data Sources and Threat Intelligence Network

IPQS aggregates signals from a massive, proprietary ecosystem that processes over 1 billion actions per day (hundreds of millions of financial transactions and user events worldwide). Key sources include:
  • Honeypots and traps: Over 10,000 active honeypot sites that lure and capture bad actors, bots, and abuse patterns in real time. These feed live data back to scoring engines.
  • Fraud Fusion™: An invite-only program where participating businesses (including Fortune-level clients) share anonymized fraud data. This creates a collaborative threat network that continuously trains models.
  • Botnet and dark web monitoring: Tracks over 50 million live botnets, leaked credentials, compromised devices, and emerging threats.
  • Historical and real-time abuse feeds: Customer-reported data, blacklist integrations, and observed patterns from proxy/VPN usage, spam, DDoS, etc.
  • Behavioral telemetry: Request velocity, automation markers, geolocation consistency, and session anomalies when additional data (user agent, device fingerprint) is provided.
  • External signals: DNS records, proxy network databases, spam databases, ASN/ISP reputation, and connection characteristics.

The system is self-improving: More data from lookups and fraud reports refines machine learning models. Release notes (e.g., January and February 2026) regularly mention improvements to detection accuracy, reduced false positives, and updated threat intelligence.

3. Key Factors and Multi-Layered Analysis

Scoring is multi-layered and combines rule-based elements with machine learning models (managed by data scientists). Over 300 data points can be evaluated in broader fraud contexts, though IP lookups focus on ~20–30 core ones. Signals are weighted dynamically (exact weights are not public).

Major contributing categories:
  • Network Reputation & History:
    • Long-term and surrounding network reputation of the IP, subnet, ASN, and ISP.
    • Context of the connection type (residential IPs generally receive lower baseline risk than datacenter/hosting; mobile has unique patterns).
    • Frequent abuser flag for IPs with consistent abuse over 6+ months.
  • Anonymizer & Proxy Detection:
    • Sophisticated detection of proxies (including residential proxies), VPNs (commercial and private), Tor nodes/exits, and botnet-compromised devices.
    • IPQS claims high accuracy even for hard-to-detect residential proxies. Active VPN/Tor flags identify currently in-use connections from popular services or private servers.
  • Behavioral and Session Signals:
    • Request velocity, automation patterns, and non-human behavior.
    • When provided: User agent, language, device details, or transaction context (e.g., billing/shipping match with IP location).
    • Geolocation integrity: Checks for inconsistencies or impossible travel.
  • Abuse History & Velocity:
    • Recent Abuse: Boolean flag for verified incidents in the past few days.
    • Abuse Velocity: Short-term frequency (past 24–48 hours) — a strong driver for high fraud scores (≥90). "High" velocity often triggers stronger risk.
  • Bot & Malware Signals:
    • Association with automated fraudulent behavior or malware-infected devices.
    • Bot status provides higher confidence in suspicious classification.
  • Contextual & Multi-Factor Enhancements:
    • Integration with email, phone, device fingerprinting, URL scanning, or payment scoring amplifies the IP score.
    • Customizable via 50+ (or 75+ in some references) scoring options: Adjust sensitivity, blacklists, thresholds, "lighter penalties" for mixed-quality traffic, or bypasses for public/education IPs.

The Fraud Score balances long-term reputation more heavily, while the Risk Score emphasizes immediate/short-term signals. Machine learning models learn patterns from billions of events to predict malicious intent.

4. How the Score Is Computed in Practice (Step-by-Step Flow)

  1. Input Collection: Required — IP address. Optional but recommended — user agent, language, device info, transaction details, or "mobile" flag.
  2. Real-Time Lookup: Query hits the IPQS threat network (honeypots, Fraud Fusion, botnet data, etc.).
  3. Signal Extraction & Analysis: Extract geolocation, ISP/ASN, connection type, proxy/VPN/Tor flags, abuse history, velocity, etc.
  4. Risk Point Aggregation: Individual factors add/modify risk points. ML models combine them with learned patterns (e.g., "this residential IP + high velocity + recent proxy-like behavior = elevated score").
  5. Customization Applied: User-defined settings (e.g., lighter penalties, public access bypass) adjust the final output.
  6. Output Generation: Fraud Score, Risk Score, plus rich metadata. Scores update dynamically as new abuse data arrives.

The process takes milliseconds and is designed for real-time blocking or flagging.

5. Customization, Best Practices, and Tuning

  • 75+ Custom Settings: Tune detection rates, blacklists, thresholds, and penalties for your audience (e.g., "Lighter Penalties" reduces scores for mixed-quality residential traffic to lower false positives).
  • Fraud Reporting: Submit confirmed bad IPs/emails/transactions via the Fraud Reporting API. This trains account-specific models and improves global accuracy.
  • Integration Tips:
    • Use full suite (IP + device + email + phone) for stronger combined scoring.
    • Combine with rules: e.g., block if fraud_score ≥ 85 OR abuse_velocity = "high".
    • For residential proxies: Test samples repeatedly. Clean pools aim for consistent scores well below 75, residential connection type, "none/low" velocity, and no recent_abuse.
  • Reducing False Positives: Enable lighter penalties or public access options for legitimate shared connections (schools, corporate Wi-Fi).

6. Strengths, Limitations, and Relevance to Residential Proxies

  • Strengths: Real-time, rich explanations via sub-metrics, continuous ML improvement, high claimed accuracy for sophisticated threats (including residential proxies and botnets). Processes massive daily volume for fresh intelligence.
  • Limitations: Can be stricter on proxies (even clean residential ones may score 70–75+ due to anonymizer flags). Scores are probabilistic and can fluctuate with new data. False positives possible on shared/mobile ranges. No single tool sees the entire internet.
  • For Proxy Users (Your Context): In 2026 proxy tests (e.g., Proxyway research referenced in reviews), providers are benchmarked partly on IPQS fraud scores. "Clean" pools show lower averages (e.g., ~32–45 globally, with top performers lower). High scores often stem from proxy detection, recent abuse, or velocity in overused P2P networks. Quality-filtered providers (with real-time blacklist removal and carding) perform better.

IPQS methodology evolves via regular updates (see 2026 release notes for specific improvements in detection and reduced false positives). It emphasizes blending broad threat intelligence with behavioral analysis to deliver practical, explainable risk scores.

If you share a sample IP (or API response JSON), I can help interpret what typical factors might drive its score. Or provide more on how it compares to Scamalytics, integration examples, or testing strategies for residential proxies — just let me know! For the absolute latest, their official documentation and free IP lookup tool are excellent resources.
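
The rule-based decisions the post describes (block at fraud_score ≥ 90 or recent_abuse, flag at ≥ 85 or high abuse_velocity, treat ≥ 75 or an anonymizer flag as suspicious only), written out from the merchant's side as an added example that is not part of the original post or IPQS's own code. The `success` field, the `Decision` type and `decide()` are assumptions of this sketch, and the sample responses are constructed.

```python
# Added example: merchant-side policy over an IPQS-style IP reputation response.
# Field names follow the post; "success", Decision and decide() are assumptions.
from dataclasses import dataclass, field

BLOCK_SCORE, REVIEW_SCORE, SUSPICIOUS_SCORE = 90, 85, 75  # tiers quoted in the post
ANONYMIZER_FLAGS = ("proxy", "vpn", "tor", "active_vpn", "active_tor")

@dataclass
class Decision:
    action: str  # "allow" | "challenge" | "review" | "block"
    reasons: list = field(default_factory=list)

def decide(resp: dict) -> Decision:
    score = resp.get("fraud_score")
    valid = isinstance(score, (int, float)) and not isinstance(score, bool)
    # A failed or incomplete lookup must not pass silently: step up instead.
    if not resp.get("success", False) or not valid:
        return Decision("challenge", ["lookup_failed_or_incomplete"])
    block, review, challenge = [], [], []
    if score >= BLOCK_SCORE:
        block.append(f"fraud_score>={BLOCK_SCORE}")
    elif score >= REVIEW_SCORE:
        review.append(f"fraud_score>={REVIEW_SCORE}")
    elif score >= SUSPICIOUS_SCORE:
        challenge.append(f"fraud_score>={SUSPICIOUS_SCORE}")
    if resp.get("recent_abuse") is True:
        block.append("recent_abuse")
    if resp.get("bot_status") is True:
        review.append("bot_status")
    velocity = str(resp.get("abuse_velocity", "none")).lower()
    if velocity == "high":
        review.append("abuse_velocity=high")
    elif velocity == "medium":
        challenge.append("abuse_velocity=medium")
    flags = [f for f in ANONYMIZER_FLAGS if resp.get(f) is True]
    if flags:
        # Anonymizer alone is "suspicious, not necessarily fraud": verify, don't block.
        challenge.append("anonymizer:" + ",".join(flags))
    reasons = block + review + challenge
    action = "block" if block else "review" if review else "challenge" if challenge else "allow"
    return Decision(action, reasons)

# Constructed sample responses (not real lookups).
SAMPLES = {
    "low_risk": {"success": True, "fraud_score": 12, "abuse_velocity": "none"},
    "vpn_only": {"success": True, "fraud_score": 78, "vpn": True, "proxy": True},
    "low_score_abuse": {"success": True, "fraud_score": 40, "recent_abuse": True},
    "high_velocity": {"success": True, "fraud_score": 60, "abuse_velocity": "high"},
    "lookup_error": {"success": False, "message": "constructed error"},
}
```

Logging `reasons` alongside the action keeps each decision explainable and makes it possible to tune the tiers against observed false positives on shared or mobile ranges.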
 