How to remediate IP reputation risks

Written by Greg Pollock

UpGuard collects data from a variety of open and closed sources to detect IP addresses exhibiting suspicious behaviors and raise risks related to IP reputation. UpGuard categorizes these behaviors into the following risks:

  • Suspected of unsolicited scanning

  • Suspected of attempting to access other systems

  • Suspected of spam

  • Suspected of distributing malware

  • Suspected phishing site

There are two versions of each risk: a scored, high-severity risk when a domain or IP address has been observed performing these activities within the last 30 days, and an unscored informational risk when it was last observed performing those activities between 30 and 90 days ago. In the latter case the IP appears to no longer be actively infected, but the history is still useful information for assessing the security of that asset or vendor.

To remediate a risk related to IP reputation, the owner should:

  1. Confirm that the IP address belongs to them.

  2. If the IP address does belong to them, examine the system to determine whether it is performing the offending behavior or has unwanted software.

  3. If they believe their IP address has been flagged in error, contact the owner of the blocklist to request removal. Each risk will contain the name of the data source if available.

  4. IP reputation risks will automatically decrease to unscored risks after 30 days with no further detection of malicious behavior. You can also create a risk waiver to document your remediation activities if desired.
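A defender-side triage helper built from the steps above (an added example, not UpGuard's code): it applies the 30/90-day severity windows, confirms ownership against address ranges you control (step 1), and attaches this article's next step to each flagged address. The owned ranges, blocklist name and detection records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress

# Article's windows: <30 days old is scored, 30-90 days informational, >90 days not reported.
SCORED_WINDOW_DAYS, INFO_WINDOW_DAYS = 30, 90

@dataclass(frozen=True)
class Detection:
    ip: str
    behavior: str    # one of the article's risk names, e.g. "Suspected of spam"
    last_seen: date  # most recent observation of the behavior
    source: str      # blocklist / data source name when the risk includes one

def severity(det: Detection, today: date) -> str:
    """Map the age of the latest observation onto the article's risk levels."""
    age = (today - det.last_seen).days
    if age < SCORED_WINDOW_DAYS:
        return "scored"
    return "informational" if age < INFO_WINDOW_DAYS else "expired"

def is_owned(ip: str, owned_ranges) -> bool:
    """Step 1: confirm the flagged address is inside a range you actually own."""
    return any(ipaddress.ip_address(ip) in net for net in owned_ranges)

def triage(detections, owned_ranges, today: date) -> list:
    """Worklist with the article's next step per detection, owned+scored first."""
    rows = []
    for det in detections:
        owned, sev = is_owned(det.ip, owned_ranges), severity(det, today)
        if not owned:
            action = "not in our ranges: check asset inventory / vendor attribution"
        elif sev == "scored":
            action = f"examine host for '{det.behavior}'; if flagged in error, request removal from {det.source}"
        elif sev == "informational":
            action = "no detection for 30+ days; optionally record a risk waiver"
        else:
            action = "older than 90 days; no longer reported"
        rows.append({"ip": det.ip, "owned": owned, "severity": sev, "action": action})
    rows.sort(key=lambda r: (not r["owned"], r["severity"] != "scored"))
    return rows

# Constructed sample data using documentation address ranges (not real hosts).
OWNED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
TODAY = date(2024, 6, 1)
SAMPLE_DETECTIONS = [
    Detection("192.0.2.10", "Suspected of unsolicited scanning", date(2024, 5, 27), "example-blocklist"),
    Detection("192.0.2.77", "Suspected of spam", date(2024, 4, 17), "example-blocklist"),
    Detection("198.51.100.9", "Suspected of distributing malware", date(2024, 5, 30), "unknown"),
    Detection("192.0.2.200", "Suspected phishing site", date(2024, 2, 2), "example-blocklist"),
]
```

Run `triage(SAMPLE_DETECTIONS, OWNED_RANGES, TODAY)` to get the worklist; addresses outside your ranges are listed last so attribution questions do not crowd out hosts that need investigation now.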