DOCS

Free IP Abuse Check: See an IP's Abuse History Instantly

Some IPs have been reported for spam, brute-force attacks, fraud, or other malicious activity. Look up any IP against aggregated public abuse reports in under 200ms. No signup required.
START FOR FREE
CONTACT SALES
Enter an IP address to start
Need inspiration? Try
73.162.0.1
Check IP
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Learn more about the free IP Lookup
Checking
5
You have used all your daily credits
Sign up to get more free validations
Please, input a correct IP address
Sign up to get more free validations
Results for
ip address
Is Abuse:
Is Abuse
Country:
Country
Is Proxy:
Is Proxy
Is Hosting:
Is Hosting
Get free credits, more data, and faster results
CREATE A FREE ACCOUNT

What is an IP abuse check?

An IP abuse check looks up an IP address against aggregated public reports of malicious activity: spam-sending, brute-force login attempts, port scanning, web exploitation attempts, fraud, and similar abusive behavior. The check returns a single boolean signal (abuse history present, yes or no) plus context about the IP itself: which country it is in, whether it is hosted in a datacenter, and whether it shows other risk indicators like proxy or VPN use.

It is not a real-time threat detection system. It tells you whether an IP has been flagged in the past, drawing on databases like AbuseIPDB and similar reputation sources. Think of it as a quick history check before you let an IP reach a sensitive part of your service.

How IP abuse check works

When you submit an IP address, the check runs three steps:

  1. Aggregated abuse-report lookup: The IP is cross-referenced against public abuse reports from sources like AbuseIPDB, Spamhaus, and similar reputation databases, with recent reports weighted more heavily than older ones.
  1. Hosting and proxy cross-reference: The check flags whether the IP runs in a datacenter or hosting range, and whether it appears in public open-proxy lists or shows behavioral signals of proxy or VPN use. Datacenter IPs almost never represent end users, which is itself a useful risk signal.
  1. Single-call response: The abuse signal returns alongside hosting, proxy, VPN, and country fields in one request. No multi-source orchestration, no separate calls per database.

Recency is built into the score: an IP reported six months ago carries less weight than one reported last week, and the result reflects current risk rather than lifetime history. Most checks complete in under 200ms.

IP abuse check vs. IP blacklist check

Two related lookups that answer different questions, served by different tools.

IP abuse check (what this tool does) returns a recency-weighted reputation signal aggregated across multiple sources. It tells you whether an IP has been reported recently for malicious activity (spam, brute force, scanning, fraud), and pairs the signal with context like hosting, proxy, and VPN status. Best for deciding whether to trust an inbound request, blocking high-risk signups, or prioritizing manual review.

IP blacklist check confirms specific membership in named blocklists (Spamhaus SBL, XBL, PBL; CBL; SORBS; and others). It returns a binary yes-or-no per list, which is the standard input for email-deliverability decisions and certain compliance checks that require named-list verification. This direction is not offered by Abstract. MXToolbox or Spamhaus directly are the right tools for that workflow.

Use this tool when you want a consolidated reputation signal for a request-trust decision. Use a blacklist tool when you need to confirm a specific named-list membership for email or compliance reasons.

Use cases for IP abuse check

Signup fraud screening: Catch IPs with bad history before they create accounts. Combine the abuse flag with VPN, Tor, and hosting signals to filter the patterns most often associated with fake accounts and promo abuse, without adding friction for real users.

Network and security debugging: Investigate suspicious traffic in your logs. Get the abuse history, hosting status, and ISP for any IP in your incident timeline, without leaving your dashboard.

Automated risk gating: Set thresholds in your code. Block requests from IPs flagged for abuse and recent activity; allow everything else through. Decisions in milliseconds, no manual review queue.

Vendor and partner traffic vetting: Cross-check IPs from third-party services or partners before granting them access to internal endpoints or sensitive data. A vendor with abusive IPs in their range deserves a closer conversation.

See what the API returns

Every IP abuse check returns a structured JSON response. The same data the tool above shows is available through the API, from one request to millions per month.

Response parameters

ip_address

String
The IP address submitted for geolocation.

security.is_vpn

Boolean
Whether the IP address is being used from a VPN.

security.is_proxy

Boolean
Whether the IP address is being used from a Proxy.

security.is_tor

Boolean
Whether the IP address is part of the TOR network.

security.is_hosting

Boolean
Whether the IP address is an internet service hosting IP address.

security.is_relay

Boolean
Whether the IP address is being used as a relay server.

security.is_mobile

Boolean
Whether the IP address belongs to a mobile network.

security.is_abuse

Boolean
Whether the IP address has been flagged for abusive behavior.

asn.asn

Integer
The Autonomous System Number (ASN) associated with the IP address.

asn.name

String
The name of the organization or ISP associated with the ASN.

asn.domain

String
The domain associated with the ASN.

asn.type

String
The type of organization, such as ISP or hosting.

company.name

String
The name of the company associated with the IP address.

company.domain

String
The company's domain name.

company.type

String
The type of company, such as ISP or hosting.

domains.domains

Array
A list of domains associated with the IP address.

location.city

String
City's name.

location.city_geoname_id

Integer
City's geoname ID.

location.region

String
State or province in which the city is located.

location.region_iso_code

Integer
State or province's ISO 3166-2 code.

location.region_geoname_id

String
State or province's geoname ID.

location.postal_code

String
ZIP or postal code.

location.country

String
Country's name.

location.country_code

Integer
Country's ISO 3166-1 alpha-2 code.

location.country_geoname_id

Integer
Country's geoname ID.

location.is_country_eu

Boolean
True if the country is in the EU, false if it is not.

location.continent

String
Continent's name.

location.continent_code

String
2 letter continent code: AF, AS, EU, NA, OC, SA, AN.

location.continent_geoname_id

Integer
Continent's geoname ID.

location.longitude

Float
Decimal of the longitude.

location.latitude

Float
Decimal of the latitude.

timezone.name

String
Timezone's name from the IANA Time Zone Database.

timezone.abbreviation

String
Timezone's abbreviation, also from the IANA Time Zone Database.

timezone.utc_offset

Integer
The UTC offset for the timezone.

timezone.local_time

String
Current time in the local time zone.

timezone.is_dst

Boolean
True if the location is currently in Daylight Savings Time (DST).

flag.emoji

String
Country's flag as an emoji.

flag.unicode

String
Country's flag in unicode.

flag.png

String
Link to a hosted version of the country's flag in PNG format.

flag.svg

String
Link to a hosted version of the country's flag in SVG format.

currency.name

String
The currency's name.

currency.code

String
The currency's code in ISO 4217 format.

currency.symbol

String
The currency's symbol.

API Endpoint

curl --request GET \
  --url https://ip-intelligence.abstractapi.com/v1

API Response

{
"ip_address": "185.197.192.65",
"security": {
    "is_vpn": true,
    "is_proxy": true,
    "is_tor": false,
	"is_hosting": false,
	"is_relay": false,
	"is_mobile": false,
	"is_abuse": false,
},
"asn": {
    "asn": 136787,
    "name": "PacketHub S.A.",
    "domain": "packethub.tech",
    "type": "isp",
},
"company": {
    "name": "PacketHub S.A.",
    "domain": "packethub.tech",
    "type": "isp",
},
"domains": {
	"domains": []
},
"location": {
    "city": "Miami",
    "city_geoname_id": 4164138,
    "region": "Florida",
    "region_iso_code": "FL",
    "region_geoname_id": 4155751,
    "postal_code": "33197",
    "country": "United States",
    "country_code": "US",
    "country_geoname_id": 6252001,
    "is_country_eu": false,
    "continent": "North America",
    "continent_code": "NA",
    "continent_geoname_id": 6255149,
    "longitude": -80.1946,
    "latitude": 25.7689,
},
"timezone": {
    "name": "America/New_York",
    "abbreviation": "EST",
    "utc_offset": -5,
    "local_time": "12:07:51",
    "is_dst": false,
},
"flag": {
    "emoji": "🇺🇸",
    "unicode": "U+1F1FA U+1F1F8",
    "png": "https://static.abstractapi.com/country-flags/US_flag.png",
    "svg": "https://static.abstractapi.com/country-flags/US_flag.svg",
},
"currency": {
    "name": "US Dollar",
    "code": "USD",
    "symbol": "$"
}
}
Powered by the IP Intelligence API · View pricing · See the full API reference

IP abuse check FAQ

How does an IP abuse check work?

Abstract aggregates public abuse reports from databases such as AbuseIPDB, Spamhaus, and similar reputation sources. When you submit an IP, the check returns a boolean signal indicating whether the address has been reported for malicious activity, plus context like hosting status, proxy detection, country, and ASN. The check completes in under 200ms.

What kinds of abuse are reported?

Public abuse reports cover a range of activities: spam-sending, brute-force login attempts, port scanning, web exploitation attempts, comment spam, and similar abusive behavior. Different sources track different categories. Abstract normalizes them into a single abuse-history signal so you do not have to query each source separately.

How recent are the reports the check uses?

Recency is weighted in the signal. Reports from the last 30 to 90 days carry more weight than older ones. An IP that was reported a year ago and has been clean since is less likely to flag as abusive than one reported last week. The signal reflects current risk, not lifetime history.

An IP is flagged for abuse. Should I block it?

That depends on what is at stake. The abuse flag is a strong signal but not definitive evidence on a single request. For high-friction actions (account creation, payment processing, sensitive data access), the flag is a good basis for additional verification or blocking. For low-friction actions like a marketing page view, letting the request through is fine. Combine with other signals like VPN, Tor, or hosting status for sharper decisions.

How is an IP abuse check different from an IP blacklist check?

Blacklist checks confirm whether an IP appears on specific named blocklists (Spamhaus SBL, XBL, PBL, CBL, and others), typically used for email deliverability. An abuse check returns reputation across multiple aggregated sources and weights recency. They overlap but answer different questions: "is this IP on this specific list" versus "has this IP been reported for malicious activity recently."

Is the IP abuse check tool free?

Yes. The online tool is free with no signup required for individual lookups. For programmatic access, Abstract's IP Intelligence API offers a free tier with 1,000 requests per month. View pricing for higher-volume plans.

More IP intelligence tools

VPN Checker
Check whether an IP belongs to a known commercial VPN service.
Try it free
ASN Lookup
Find the network operator behind any IP
Try it free
Proxy Checker
Identify anonymous, transparent, and datacenter proxy connections.
Try it free
Tor Checker
Determine whether an IP belongs to the Tor anonymity network.
Try it free
IP Lookup
Geolocate an IP address to its city, region, country, and ISP.
Try it free
Explore all Abstract tools
Get started
Need IP abuse data for more than 1,000 requests?
stars rating
4.8 from 1,863 votes
The same check the tool above runs, available as an API.
get free api key
No credit card required