Methodology
Updated 2026-06-09 · ipok.io
IPOK's risk score (0–100, higher = riskier) is not one vendor's black-box verdict. It is a reliability-weighted blend of multiple data sources, plus a few hard-signal floors. This page documents the full algorithm — the numbers you see under "How is this score computed?" on any result map exactly to the rules here.
1. Weighted average of sources
Every source that returns a risk score is blended by the weights below to form the base score. Dormant or failed sources are excluded.
| Source | Weight | Notes |
|---|---|---|
| Scamalytics | 0.90 | Pro fraud score; proxy/VPN/datacenter coverage |
| IPQS | 0.90 | Fraud score (API key; currently dormant) |
| proxycheck | 0.85 | Live proxy / VPN detection |
| AbuseIPDB | 0.80 | Community abuse reports + whitelist flag |
| ipapi.is | 0.70 | Calibrated abuse score + network intel |
| ip-api | 0.50 | Boolean inference only; lowest weight |
2. Hard-signal floors
Once a signal is hit, the final score cannot fall below its floor, no matter how low the weighted average is (final = max of weighted average and all triggered floors). This stops a datacenter IP from being mislabeled "pristine" just because most sources score it low.
| Signal | Floor | Notes |
|---|---|---|
| Tor exit node | 90 | Almost always blocked; top priority |
| On spam / abuse blocklist | 70 | Any of 5 DNSBLs = real abuse history |
| Proxy / VPN detected | 65 | Proxy by a dedicated source, or VPN by any source |
| Recent abuse history | 55 | Reports / abuse score above threshold |
| Datacenter / hosting | 35 | Hosting is a use case, not fraud — floor kept low |
Whitelist dampener: if a source (e.g. AbuseIPDB) explicitly marks the IP as a trusted whitelist entry (Google / Cloudflare infrastructure), the "abuse" and "hosting" floors are suppressed, so major public DNS isn't penalized.
3. Spam / abuse blocklists (DNSBL)
Five major mail / abuse blocklists are queried live over Cloudflare DoH: SpamCop, UCEPROTECT, Barracuda, S5H, Anonmails. Any hit triggers the blocklist floor above and the matching lists are shown in the result. IPv4 only.
4. Risk bands
| Band | Range | Meaning |
|---|---|---|
| Pristine | < 15 | Residential native, no signals — safest for ops |
| Clean | 15 – 50 | Normal, occasional minor signal |
| Caution | 50 – 70 | Proxy / hosting signals; some platforms may flag |
| High risk | ≥ 70 | Blocklist / Tor / strong proxy — easily blocked |
5. Native vs. broadcast IP
Compares the IP's registration country (RDAP / ASN) with its geolocation country: a match = native IP (locally landed, friendlier for streaming and risk controls); a mismatch = broadcast IP (cross-region routing / forwarding, common for hosting and some proxies).
Disclaimer
The risk score is an advisory blend of multiple sources, not an absolute verdict. Different platforms use different sources and thresholds — cross-verify before acting. IPOK is for network diagnostics and research reference only.