How AbuseTrack risk scoring works

Every IP address, domain, URL, email address or phone number tracked on AbuseTrack carries a community risk score from 0 to 100. The score answers one question: how confident should you be, right now, that this entity is abusive? This page documents exactly how that number is computed so you can interpret it and decide your own thresholds.

The 0–100 scale

The score is a single integer between 0 and 100. It is built from three weighted components that are each capped, then summed and clamped to 100. The dominant component is corroboration — how many independent people reported the entity — because agreement between unrelated reporters is the strongest signal that abuse is real rather than a one-off or a grudge.

What goes into the score

Corroboration across distinct reporters (up to 50 points)

Each distinct reporter counts once, no matter how many times they report the same entity. The weighted count of reporters is multiplied and capped at 50 points — half of the whole scale. This is deliberate: a single person cannot push an entity to High on their own. It takes several independent reporters to reach the top band.

Report volume (up to 30 points)

The total weight of all reports contributes up to 30 points. More reports raise the score, but with a ceiling, so a flood of duplicate reports cannot dominate the result.

Threat-type variety (up to 20 points)

If an entity is reported under more than one kind of abuse — for example both brute force and port scanning — that breadth adds up to 20 points. A single threat type adds nothing here; each additional distinct type contributes until the cap.

Recency and decay

Threats are not permanent. AbuseTrack weights every report by its age using exponential decay with a half-life of about 21 days: a report counts fully on the day it is made, roughly half as much three weeks later, a quarter after six weeks, and so on. An entity that stops attracting new reports cools down on its own and its score drifts back toward zero. This keeps the data current without anyone having to manually expire old reports, and means a high score reflects recent activity, not ancient history.

How reporters are counted

Corroboration is measured per reporter, not per report. Each reporter is weighted by the recency of their most recent report on that entity, so a reporter who flagged something months ago contributes less than one who flagged it yesterday. All anonymous and guest reports collapse into a single bucket, so they can lend supporting weight but cannot be used to manufacture fake corroboration by submitting many unauthenticated reports.

Low / Medium / High thresholds

The numeric score maps to three human-readable levels:

Low0–24Little or no corroborated, recent evidence of abuse.

Medium25–59Some recent, corroborated reports — worth treating with caution.

High60–100Strong, recent corroboration from multiple reporters.

Interpreting the score

Use the score as one input, not a verdict. A High score is a strong signal to block or rate-limit; a Medium score is a reason to look closer; a Low score means there is not yet enough recent, corroborated evidence — not a guarantee of safety. When you pull the blocklist feed, you choose the minimum score and the minimum number of distinct reporters, so you decide how strict your own threshold is.

Learn more about AbuseTrack Browse community reports Query scores via the API