Source IP is on an abuse/threat reputation list

rep.abuse_listed  ·  corroborates

reputationlayer
reputationcategory

What it catches

Producer: detector IP-CIDR classifier (ip_reputation.py) over the abuse list, fed at deploy by ip_reputation_refresh from two public sources: Spamhaus DROP (hijacked / criminal-leased netblocks — drop_v4.json, free-to-use) and IPsum level-4 (IPs appearing on >=4 independent blocklists — github stamparm/ipsum, Unlicense/public-domain). Both are abuse/threat reputation, distinct from the datacenter (rep.datacenter_asn) and proxy/VPN (rep.known_proxy_exit) dimensions: an IP connecting FROM a hijacked netblock or a multiply-blocklisted address is bot/abuse infrastructure, not a clean residential eyeball. CORROBORATING (category reputation, w0.5) — never convicts alone (the residual FP is a real user behind a NAT that briefly shares an abuse-listed address; rare, and corroborating-only covers it), but it corroborates an ambiguous coordination binding as a bot fleet exactly like datacenter/proxy do (wired into coordination._has_ip_reputation_flag). FP-safe like the sibling rep.* rules: browserforge/Intoli calibration carry no IP, so promotion cannot raise the legit flag rate. Committed seed ships empty (abuse IPs are dynamic public addresses that go stale within hours, like the proxy-exit seed); the live lists are pulled at deploy (output not committed, per docs/ip-reputation-data.md).

Signals it reads

reputation.is_abuse_listed

How it fires

present

← all detections