Source IP is on an abuse/threat reputation list
rep.abuse_listed ·
What it catches
Producer: detector IP-CIDR classifier (ip_reputation.py) over the abuse list, fed at deploy by ip_reputation_refresh from two public sources: Spamhaus DROP (hijacked / criminal-leased netblocks — drop_v4.json, free-to-use) and IPsum level-4 (IPs appearing on >=4 independent blocklists — github stamparm/ipsum, Unlicense/public-domain). Both are abuse/threat reputation, distinct from the datacenter (rep.datacenter_asn) and proxy/VPN (rep.known_proxy_exit) dimensions: an IP connecting FROM a hijacked netblock or a multiply-blocklisted address is bot/abuse infrastructure, not a clean residential eyeball. CORROBORATING (category reputation, w0.5) — never convicts alone (the residual FP is a real user behind a NAT that briefly shares an abuse-listed address; rare, and corroborating-only covers it), but it corroborates an ambiguous coordination binding as a bot fleet exactly like datacenter/proxy do (wired into coordination._has_ip_reputation_flag). FP-safe like the sibling rep.* rules: browserforge/Intoli calibration carry no IP, so promotion cannot raise the legit flag rate. Committed seed ships empty (abuse IPs are dynamic public addresses that go stale within hours, like the proxy-exit seed); the live lists are pulled at deploy (output not committed, per docs/ip-reputation-data.md).
Signals it reads
reputation.is_abuse_listed
How it fires
present