Documentation 'Check.Point'
Welcome to the technical documentation section of our system. Here you will find out what is "under the hood" of the system and how we check IP addresses for quality and purity.
Table of Contents:
- Geolocation ( IP Location )
- Connection category ( Connection type )
- Open device ports
- ASN + Provider Information
- Anonymizer feature detection block
- AbuseIPDB database check
- Blacklisting
- Spam Report
- Maxmind MinFraud Insights - Check against databases of over 7,000 merchants and apps
- IPQualityScore Fraud Reports - Validation against IPQS and FraudScore score databases
- Index FRSX ( Index of Finance Risk Scale Exponent)
- Anti-Fraud Conclusion
Geolocation
Country: United States(US)
State: Florida
City: Fernandina Beach
Zip Code: 32034
Time Zone: America/New_York
The detection system is based on the paid databases of Maxmind.com (GeoIP service). They have their inaccuracies, but are the best among competitors. Given these limitations, we believe that GeoIP2 products can identify users at the country level with 99.8% accuracy. For IP addresses located in the US, we estimate an accuracy of about 80% at the state/region level and an accuracy of 66% for cities (within a 50-100 km radius of that city).
GeoIP2 databases are updated daily, and the Maxmind team has been working to improve their performance for over 20 years.
Connection type
Usage Type: Business
A parameter that conveys the origin of the IP address. The system recognizes the following categories:
- business
- cafe
- cellular
- college
- content_delivery_network
- dialup
- government
- hosting
- library
- military
- residential
- school
- search_engine_spider
- traveler
Grouped by what they mean for the check:
- business, residential - Residential IP, used either by an individual or a legal entity - OUR BRO
- cafe, college, government, library, school, traveler - IPs of public places
- cellular, dialup - IPs of mobile networks
- content_delivery_network, search_engine_spider, hosting - Bot, search robot, hosting (server, data center)
Open device ports
Ports: 8080, 8081, 82
Shows the ports that are enabled on the device.
WARNING: An open port does not indicate the presence of a VPN or Proxy on the device. Ports are used for various technical tasks; they simply allow the device to exchange data packets and process requests, i.e. they are what gives the router its access to the Internet.
For example, ports 80, 8080, 8081, etc. are used to access the web panel of the device, and a non-standard port (4453, for example) can also be chosen for this purpose.
Therefore, we close only those ports that do not affect operation and could raise suspicion in anti-fraud systems. Everything that remains open is left open intentionally to prolong the life of the connection and ensure stable operation.
ASN + Provider Info
ASN: 7922
ISP: Comcast Business
User Count: None
An Autonomous System Number (ASN) is a unique number that allows an autonomous system to exchange routing data with other connected systems. In other words, it is the identification number of the network (subnet).
ISP - Name of the ISP. The system has more than 10,000 names in its database.
User Count - The number of users in the last 48 hours.
Anonymizers
Is Anonymous? - No
Is Anonymous Proxy? - No
Is Public Proxy? - No
Is Anonymous VPN? - No
Is Tor exit node? - No
Is Hosting Provider? - No
Types of anonymizers
We distinguish five different types of anonymizers:
Analyzed using the MinFraud Insights databases.
AbuseIPDB
AbuseIPDB Alerts: 0 ✅
Confidence of Abuse: 0 %
This block checks the IP address for the Abuse Alerts parameter using the service https://www.abuseipdb.com/
It is a reputable service, running since 2016 under the leadership of the Marathon Studios Inc. team.
AbuseIPDB is a project designed to help system administrators and webmasters check and report IP addresses that are involved in malicious activities such as spamming, hacking attempts, DDoS attacks, etc.
The Abuse Alerts parameter shows the number of complaints received about a given IP. The service provides information on each "complaint" against an address. It also keeps statistics on reports: the number of IPs that have received complaints, their geolocation, and diagrams by country.
Categories of reports recognized by the service:
1. DNS Compromise:
Altering DNS records resulting in improper redirection.
2. DNS Poisoning:
Falsifying domain server cache (cache poisoning).
3. Fraud Orders:
Fraudulent orders.
4. DDoS Attack:
Participating in distributed denial-of-service (usually part of botnet).
6. Ping of Death:
Oversized IP packet.
7. Phishing:
Phishing websites and/or email.
10. Open Proxy:
Open proxy, open relay, or Tor exit node.
11. Web Spam:
Comment/forum spam, HTTP referer spam, or other CMS spam.
12. Email Spam:
Spam email content, infected attachments, and phishing emails.
13. Blog Spam:
CMS blog comment spam.
14. VPN IP:
Conjunctive category.
15. Port Scan:
Scanning for open ports and vulnerable services.
16. Hacking:
Attempts at hacking devices/servers/routers.
17. SQL Injection:
Attempts at SQL injection.
18. Spoofing:
Email sender spoofing.
19. Brute-Force:
Credential brute-force attacks on webpage logins and services like SSH, FTP, SIP, SMTP, RDP, etc. This category is separate from DDoS attacks.
20. Bad Web Bot:
Webpage scraping (for email addresses, content, etc) and crawlers that do not honor robots.txt. Excessive requests and user agent spoofing can also be reported here.
21. Exploited Host:
Host is likely infected with malware and being used for other attacks or to host malicious content. The host owner may not be aware of the compromise. This category is often used in combination with other attack categories.
22. Web App Attack:
Attempts to probe for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions, forum software, phpMyAdmin and various other software plugins/solutions.
23. SSH:
Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
24. IoT Targeted:
Abuse was targeted at an "Internet of Things" type device. Include information about what type of device was targeted in the comments.
The Confidence of Abuse value is a rating (on a scale of 0 to 100) of how likely it is, based on user reports, that an IP address is completely malicious.
The confidence rating is determined by the reports and their age. The base value is the natural logarithm of the number of individual user reports. The weight of every report decreases over time, and the rating of all reported addresses is recalculated daily as time elapses.
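As an added example (not code from the Check.Point system), here is how a defender can read the Abuse Alerts count and Confidence of Abuse score from an AbuseIPDB v2 /check response and act on the ageing described above: the sample response is constructed, and the stale-report window and block threshold are this example's own assumed policy, not AbuseIPDB's.

```python
import json
from datetime import datetime

# Constructed sample of an AbuseIPDB v2 /check response (field names are the
# endpoint's documented ones; the address and values are made up for this example).
SAMPLE_CHECK = json.dumps({"data": {
    "ipAddress": "203.0.113.7",
    "isPublic": True,
    "isWhitelisted": False,
    "abuseConfidenceScore": 37,
    "usageType": "Data Center/Web Hosting/Transit",
    "isp": "Example Hosting",
    "isTor": False,
    "totalReports": 12,
    "numDistinctUsers": 4,
    "lastReportedAt": "2024-01-03T12:00:00+00:00",
}})
# Constructed sample with no reports at all (the page's "0 alerts / 0 %" case).
SAMPLE_NO_REPORTS = json.dumps({"data": {
    "ipAddress": "203.0.113.8", "isPublic": True, "isWhitelisted": False,
    "abuseConfidenceScore": 0, "isTor": False, "totalReports": 0,
    "numDistinctUsers": 0, "lastReportedAt": None,
}})


def triage_abuseipdb(raw_json: str, now_iso: str, stale_days: int = 90,
                     block_score: int = 75) -> dict:
    """Decide what to do with a /check result. Because report weight decays with
    age, a score backed only by reports older than `stale_days` goes to manual
    review instead of an outright block. Thresholds are this example's policy."""
    d = json.loads(raw_json)["data"]
    score = int(d["abuseConfidenceScore"])
    reports = int(d.get("totalReports", 0))
    last = d.get("lastReportedAt")
    age_days = None
    if last:  # both timestamps are timezone-aware ISO 8601 strings
        age_days = (datetime.fromisoformat(now_iso) - datetime.fromisoformat(last)).days
    if d.get("isWhitelisted"):
        verdict = "allow (whitelisted by AbuseIPDB)"
    elif reports == 0 or score == 0:
        verdict = "allow (no abuse alerts)"
    elif age_days is not None and age_days > stale_days:
        verdict = "review (only stale reports)"
    elif score >= block_score:
        verdict = "block"
    else:
        verdict = "review"
    return {"abuse_alerts": reports, "confidence": score,
            "distinct_reporters": int(d.get("numDistinctUsers", 0)),
            "days_since_last_report": age_days, "verdict": verdict}
```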
Checking for blacklists
Blacklisted? - No
The block checks the IP address for presence in one of the checked blacklists. At the moment the system checks 46 lists at a time! We plan to expand this number to 100+.
This is a necessary check of address quality. An address can be blacklisted both for minor spam and for serious offenses.
- 0SPAM
- Abuse.ro
- Abusix Mail Intelligence Blacklist
- Abusix Mail Intelligence Domain Blacklist
- Abusix Mail Intelligence Exploit list
- Anonmails DNSBL
- BACKSCATTERER
- BLOCKLIST.DE
- CALIVENT
- CYMRU BOGONS
- CYMRU BOGONS IPv6
- DAN TOR
- DAN TOREXIT
- DNS SERVICIOS
- DRMX
- DRONE BL
- FABELSOURCES
- HIL
- HL2
- Hostkarma Black
- IBM DNS Blacklist
- ICMFORBIDDEN
- IMP SPAM
- IMP WORM
- INTERSERVER
- ivmSIP
- ivSIP24
- JIPPG
- KEMPTBL
- KISA
- Konstant
- LASHBACK
- LNSGBLOCK
- LNSGBULK
- LNSGMULTI
- LNSGOR
- LNSGSRC
- MADAVI
- MAILSPIKE BL
- MAILSPIKEZ
- MSRBL Phishing
- MSRBL Spam
- NETHERRELAYS
- NETHERUNSURE
- NIXSPAM
- Nordspam BL
- NoSolicitado
- ORVEDB
Spam Report
SpamCop: ✅ Good
SPAMHAUS: ✅ Good
Barracuda: ✅ Good
Checking against the most popular spam lists:
https://www.spamcop.net
https://www.spamhaus.org
https://www.barracudacentral.org
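Most of the lists above, including SpamCop, Spamhaus and Barracuda, are DNS-based blacklists (DNSBLs). As an added example (not the Check.Point system's own code), here is how such a list is queried and how its answer is read: the address is reversed and prefixed to the list's zone, NXDOMAIN means "not listed", and an A record in 127.0.0.0/8 means "listed" with the last octet giving the reason. The return-code table is the one Spamhaus publishes for its ZEN zone; other lists define their own codes.

```python
import ipaddress
import socket
from typing import Dict, Optional

# Spamhaus ZEN return codes (as published by Spamhaus); other zones define their own.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL - spam source",
    "127.0.0.3": "SBL CSS - snowshoe / compromised sender",
    "127.0.0.4": "XBL - exploited host",
    "127.0.0.5": "XBL - exploited host",
    "127.0.0.6": "XBL - exploited host",
    "127.0.0.7": "XBL - exploited host",
    "127.0.0.10": "PBL - ISP policy block (dynamic / end-user range)",
    "127.0.0.11": "PBL - Spamhaus maintained policy block",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name (RFC 5782): reversed octets for IPv4,
    reversed nibbles for IPv6, followed by the list's DNS zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        # Full 32-hex-digit form, one label per nibble, least significant first.
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def interpret_listing(answer: Optional[str], codes: Dict[str, str]) -> dict:
    """Turn a resolver answer into a verdict. None (NXDOMAIN) means not listed;
    a listing is an A record inside 127.0.0.0/8 whose last octet is the reason."""
    if answer is None:
        return {"listed": False, "reason": None}
    addr = ipaddress.ip_address(answer)
    if addr in ipaddress.ip_network("127.255.255.0/24"):
        # Spamhaus signals query errors (public resolver, rate limit) in this range.
        return {"listed": False, "reason": f"query error {answer}"}
    if addr not in ipaddress.ip_network("127.0.0.0/8"):
        # A resolver that rewrites NXDOMAIN answers outside 127/8: not a listing.
        return {"listed": False, "reason": f"unexpected answer {answer}"}
    return {"listed": True, "reason": codes.get(answer, f"listed with code {answer}")}


def check_dnsbl(ip: str, zone: str = "zen.spamhaus.org",
                codes: Dict[str, str] = ZEN_CODES) -> dict:
    """Live lookup against one list; socket.gaierror is how NXDOMAIN surfaces here."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer: Optional[str] = socket.gethostbyname(name)
    except socket.gaierror:
        answer = None
    return {"query": name, **interpret_listing(answer, codes)}
```

Run the live check through your own resolver: Spamhaus refuses queries relayed by large public resolvers and answers them with an error code rather than a listing.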
Maxmind MinFraud Insights
Maxmind MinFraud: 0.01
MinFraud Risk_Reasons: ✅ No Reasons
It should be understood that this service provides tools not only for IP analysis, but also for full control over transactions on the merchant's side. Since we are only checking the IP here, we do not touch on the deeper features of Maxmind, for now =).
The minFraud network receives information from all users of maxmind services.
Its services are used by over 7000 companies worldwide. This includes sole proprietorships, Fortune 100 companies and everything in between. The minFraud risk score modeling takes into account all transactions made across this network of businesses in the last year. That's more than 3 billion transactions.
These transactions help the minFraud service collect reputation data for a number of digital identities. The minFraud network allows us to flag suspicious IP addresses and devices based on their activity on the network.
With so many different types of businesses and transactions in the minFraud network, we can more closely monitor risk across industries and verticals. This means that small businesses will benefit from the risk patterns of larger businesses and institutions, and larger businesses will benefit from the risk signals we see in small businesses that may be missed with higher transaction volumes.
Machine learning and data analysis of these billions of transactions is also behavior-based. These metrics are not only based on fraudulent activity that has already occurred, but behavioral patterns are also applied to more accurately identify untrusted IP addresses.
The minFraud services return an overall risk score that takes into account a number of risk factor scores. Each of these estimates represents the probability that the IP is dangerous to the merchant. The various risk factor scores are weighted and combined with other factors.
The total score can be broken down into a number of risk factor scores.
All risk scores are given as percentages from 0.01 to 99. For example, a risk score of 20.00 means that the IP has a 20 percent chance of being fraudulent, and a risk score of 0.10 means that the IP has a 0.1 percent chance of being fraudulent.
Reasons for an increased risk score are displayed when one of the following conditions occurs:
- The IP address belongs to an anonymous network. See the object at /ip_address/traits for more details.
- Many different billing postal codes have been seen on this IP address.
- Many different email addresses have been seen on this IP address.
- A high risk device was seen on this IP address.
- A high risk email address was seen on this IP address in your past transactions.
- Many different issuer ID numbers have been seen on this IP address.
- Suspicious activity has been seen on this IP address across minFraud customers.
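The anonymizer flags in the Anonymizers section and the risk reasons listed here both come from the `ip_address` object of a minFraud Insights response. As an added example (not the Check.Point system's or MaxMind's own code), here is how that object can be reduced to the fields this page displays plus a review decision: the two sample responses are constructed, the field names and reason codes follow MaxMind's documented response, and the review threshold is this example's assumption.

```python
import json

# Constructed sample minFraud Insights responses (field names follow MaxMind's
# documented `ip_address` object; every value here is made up for this example).
SAMPLE_CLEAN = json.dumps({"ip_address": {
    "risk": 0.01,
    "risk_reasons": [],
    "traits": {"autonomous_system_number": 7922, "isp": "Comcast Business",
               "user_type": "business", "is_anonymous": False,
               "is_anonymous_proxy": False, "is_public_proxy": False,
               "is_anonymous_vpn": False, "is_tor_exit_node": False,
               "is_hosting_provider": False},
}})
SAMPLE_TOR = json.dumps({"ip_address": {
    "risk": 84.5,
    "risk_reasons": [{"code": "ANONYMOUS_IP",
                      "reason": "The IP address belongs to an anonymous network."}],
    "traits": {"user_type": "hosting", "is_anonymous": True,
               "is_anonymous_proxy": False, "is_public_proxy": False,
               "is_anonymous_vpn": False, "is_tor_exit_node": True,
               "is_hosting_provider": True},
}})

# The five anonymizer types this page distinguishes, keyed by the trait that reports each.
ANONYMIZER_FLAGS = {
    "is_anonymous_proxy": "anonymous proxy",
    "is_public_proxy": "public proxy",
    "is_anonymous_vpn": "anonymous VPN",
    "is_tor_exit_node": "Tor exit node",
    "is_hosting_provider": "hosting provider",
}


def anonymizer_types(traits: dict) -> list:
    """Names of every anonymizer type the traits object flags as true."""
    return [label for key, label in ANONYMIZER_FLAGS.items() if traits.get(key)]


def summarize_ip(raw_json: str, review_threshold: float = 20.0) -> dict:
    """Reduce the ip_address object to the fields shown on this page plus a
    review flag. The threshold is this example's assumption, not MaxMind's."""
    ip = json.loads(raw_json)["ip_address"]
    traits = ip.get("traits", {})
    types = anonymizer_types(traits)
    reasons = [r["code"] for r in ip.get("risk_reasons", [])]
    risk = float(ip["risk"])
    return {
        "risk": risk,
        "is_anonymous": bool(traits.get("is_anonymous")) or bool(types),
        "anonymizer_types": types,
        "risk_reasons": reasons or ["No Reasons"],  # the page's "No Reasons" display
        "needs_review": bool(types) or bool(reasons) or risk >= review_threshold,
    }
```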
IPQualityScore
IPQualityScore: 20
Quality assessment from the IPQS service.
https://www.ipqualityscore.com/proxy-vpn-tor-detection-service
It conducts checks against databases and its own honeypot systems, and assesses the likelihood of an IP being malicious and affiliated with fraud.
It also analyzes complaints from merchants and shops running on IPQS.
It gives a score from 0 to 100:
75+ = suspicious | 85+ = risky | 90+ = high risk
Index FRSX
[ Index of Finance Risk Scale Exponent ]
A scale indicating the level of risk for financial systems, databases, merchants, etc. If the threshold is exceeded, the transaction or action cannot avoid manual review or rejection.
The parameter is calculated based on several dozen metrics, including those mentioned above, as well as information from banking systems and financial organizations, and from the banking honeypot systems used by organizations such as J.P. Morgan, FCCA, Wells Fargo, Austria Bank, HSBC, BNP Paribas, Deutsche Bank, UBS, CitiGroup, Capital One, etc. (over 30 names).
Represented by a scale from 0 to 125+, where:
- Very Low Risk (0-9) - Minimal probability of fraud.
- Medium Risk (10-38) - Not the strongest indication, but there is a risk.
- High Risk (38-89) - Indicates that the IP address used may be unreliable or dangerous for financial systems and for various kinds of merchants (payment systems) and the like. Transactions with this marking are usually sent for manual processing and analysis.
- Very High Risk (90-125+) - The IP address is marked by all systems as unreliable and will be filtered in 100% of cases.
Anti-Fraud Conclusion
Anti-Fraud Conclusion:
Trusted 🟢
The verdict is the analysis of all parameters and a (possible, not 100% accurate) prediction of the output of the anti-fraud algorithm of the system we need to pass.
Trusted 🟢 - No reason for filtering.
Questionable 🟡 - There are doubts about some parameter (10-30% chance of fraud).
Threat 🔴 - The anti-fraud system definitely won't let this through (60-90% chance of fraud).