Risk Scoring#
VPN Signal uses a weighted scoring system to assess the risk level of an IP address. This guide explains how scores are calculated and how to interpret recommendations.
How Scores Work#
The risk score is a number from 0 to 100, where:
- 0 = Lowest risk (regular residential IP)
- 100 = Highest risk (Tor exit node or confirmed malicious)
Score Components#
Each detection adds points to the base score:
| Detection | Points | Reason |
|---|---|---|
| Tor Exit Node | +80 | Highest anonymity, common for abuse |
| VPN Provider | +60 | Masks true location |
| Proxy Server | +50 | Can be used to bypass restrictions |
| iCloud Private Relay | +40 | Apple's privacy relay service |
| Hosting/Datacenter | +30 | Not a typical residential IP |
Note
Scores are additive. An IP that is both a VPN and from a hosting provider would score 60 + 30 = 90.
Recommendations#
Based on the risk score, VPN Signal provides a recommended action:
| Score Range | Recommendation | Suggested Action |
|---|---|---|
| 0-39 | allow | Proceed normally |
| 40-69 | verify | Add additional verification (CAPTCHA, 2FA) |
| 70-100 | block | Block or require manual review |
Example Scenarios#
Score: 0 - Regular User
{
"ip": "73.15.124.89",
"is_vpn": false,
"is_proxy": false,
"is_tor": false,
"is_hosting": false,
"risk_score": 0,
"recommendation": "allow"
}Residential ISP, no risk indicators.
Score: 30 - Cloud Service
{
"ip": "35.192.45.123",
"is_vpn": false,
"is_hosting": true,
"risk_score": 30,
"recommendation": "allow"
}Google Cloud IP - could be a legitimate service or automated traffic.
Score: 60 - VPN User
{
"ip": "198.54.128.96",
"is_vpn": true,
"is_hosting": false,
"risk_score": 60,
"recommendation": "verify"
}NordVPN server - user may be privacy-conscious or hiding location.
Score: 90 - High Risk
{
"ip": "185.220.101.45",
"is_vpn": true,
"is_hosting": true,
"risk_score": 90,
"recommendation": "block"
}VPN on datacenter IP - commonly used for automated abuse.
Score: 80 - Tor Exit
{
"ip": "185.220.100.252",
"is_tor": true,
"risk_score": 80,
"recommendation": "block"
}Tor exit node - maximum anonymity, high abuse rate.
Implementation Examples#
Basic Risk Check#
async function checkUser(ip) {
const result = await vpnSignal.checkIP(ip);
switch (result.recommendation) {
case 'allow':
return proceedNormally();
case 'verify':
return showCaptcha();
case 'block':
return blockAccess();
}
}Custom Thresholds#
You can implement custom logic based on your risk tolerance:
async function checkUserCustom(ip) {
const result = await vpnSignal.checkIP(ip);
// Stricter for financial transactions
if (result.risk_score > 20) {
return require2FA();
}
// Allow VPNs for privacy-focused users
if (result.is_vpn && !result.is_tor) {
return allowWithLogging();
}
// Block Tor completely
if (result.is_tor) {
return blockAccess('Tor not allowed');
}
return proceedNormally();
}Logging for Analysis#
async function checkWithLogging(ip, userId) {
const result = await vpnSignal.checkIP(ip);
// Log for later analysis
await db.insert('ip_checks', {
user_id: userId,
ip: ip,
risk_score: result.risk_score,
is_vpn: result.is_vpn,
is_tor: result.is_tor,
country: result.location?.country,
checked_at: new Date(),
});
return result;
}Use Case Recommendations#
E-commerce / Payments#
- Block score > 70
- Verify score 40-70 (require phone verification)
- Allow score < 40
Content Platforms#
- Block Tor exit nodes
- Allow VPNs (privacy-conscious users)
- Verify datacenter IPs
Gaming / Anti-Cheat#
- Block score > 50
- Flag VPN users for review
- Allow residential IPs only
Enterprise SaaS#
- Verify any non-residential IP
- Allow known corporate VPNs
- Block Tor and open proxies
Tip
Start with the default recommendations, then adjust based on your specific fraud patterns and false positive rates.
Next Steps#
- View the API reference for implementation details
- Handle errors gracefully
- Set up authentication