How to Prevent Fake Signups Using IP Intelligence?
Fake user signups are a persistent problem for SaaS products, APIs, and online platforms. They inflate metrics, consume resources, enable abuse, and often become an entry point for more serious fraud such as spam, scraping, or payment abuse.
Traditional defenses like email verification and CAPTCHA reduce some noise but are no longer sufficient on their own. Attackers routinely automate signups using residential proxies, VPNs, and IPv6 address pools.
This is where IP intelligence becomes useful. When applied correctly, it provides a low-latency, server-side signal that helps you identify suspicious signups before an account is created.
In this guide, you will learn how IP intelligence works, how to use it in a signup flow, and what its limitations are.
What Is IP Intelligence?
IP intelligence is the process of enriching an IP address with metadata derived from routing data, network observations, and historical analysis.
Typical attributes include:
- Country, region, city
- ASN (Autonomous System Number)
- ISP / organization
- Proxy, VPN, Tor, or hosting detection
- Mobile vs fixed-line network
- IPv4 vs IPv6
- Risk indicators derived from known abuse patterns
For signup protection, the goal is not perfect identification but risk scoring and decision support. According to security best practices promoted by OWASP, IP-based risk signals should be combined with additional controls such as rate limiting, CAPTCHA, and multi-factor authentication.
How IP Intelligence Helps Prevent Fake Signups?
At signup time, every request has an IP address. IP intelligence allows you to answer questions such as:
- Is this IP coming from a known data center or cloud provider?
- Is it part of a VPN or proxy network?
- Does the IP’s country align with the user’s declared country?
- Is the same ASN generating a large volume of signups?
- Is the IP IPv6, and does it rotate frequently?
These signals are combined with application-level data (email domain, device fingerprint, rate limits) to decide whether to allow, block, or challenge the signup.
High-Risk Signup Patterns IP Intelligence Can Detect
1. Why do attackers use VPNs for fake signups?
Attackers frequently use VPNs and open proxies to create accounts at scale. These IPs often belong to:
- Hosting providers
- VPN ASN ranges
- Known proxy networks
Blocking or flagging such IPs significantly reduces automated signups.
2. Data Center and Cloud IPs
Legitimate users rarely sign up from cloud servers. If signups originate from AWS, GCP, or similar ASNs, they are often automated.
3. Country and Region Mismatch
If a user claims to be in one country but the IP resolves elsewhere, it may indicate:
- Account farming
- VPN usage
- Stolen or shared credentials
4. IPv6 Address Rotation
IPv6 allows attackers to generate large numbers of unique addresses from a single subnet. Rate limiting purely by IP can fail without IPv6-aware logic.
Practical API Usage Example
Below is a simple request to fetch IP intelligence data for a signup request.
HTTP Request (curl)
curl "https://api.ip2geoapi.com/ip/8.8.8.8?key=YOUR_API_KEY"
You can obtain a free API key from ip2geoapi.com (includes 100,000 free requests per month).
Example JSON Response (see full response)
{
"success": true,
"ip": "8.8.8.8",
"version": "ipv4",
"geo": {
"country": "United States",
"countryCode": "US",
"region": "California",
"city": "Mountain View",
"latitude": 37.4056,
"longitude": -122.0775,
"timezone": "America/Los_Angeles"
},
"network": {
"asn": "AS15169",
"organization": "Google LLC",
"isp": "Google Public DNS"
},
"security": {
"isProxy": false,
"isVpn": false,
"isTor": false,
"isHosting": true
}
}
Using IP Intelligence in a Signup Flow
A typical backend flow looks like this:
- a. Receive signup request
- b. Extract client IP (carefully handling proxies)
- c. Query IP intelligence API
- d. Apply rules or scoring
- e. Decide to allow, block, or challenge
Example Decision Logic
IF isTor OR isProxy → block signup
ELSE IF isHosting → require email verification + CAPTCHA
ELSE IF country mismatch → flag for review
ELSE → allow signup
This logic should run server-side to prevent manipulation. In our tests at IP2GeoAPI, we found that combining ASN blocking with email verification reduced bot signups by over 40%.
Quick Reference: IP Intelligence Risk Signals
| Signal Type | Risk Level | Common Fraud Use Case | Recommended Action |
|---|---|---|---|
| Data Center IP | High | Automated bot scripts / scaled attacks | Block or trigger CAPTCHA |
| Public Proxy | High | Identity masking / geo-spoofing | Mandatory MFA verification |
| VPN (Commercial) | Medium | Bypassing geo-restrictions | Manual review or soft flag |
| Residential IP | Low/Med | Sophisticated human botnets | Velocity checking (requests/min) |
| Tor Exit Node | Critical | Anonymous attacks / malicious intent | Outright block for signups |
| Mobile Carrier | Low | Legitimate mobile users | Allow (low friction) |
How does IPv6 affect signup rate limiting?
IP addresses (both IPv4 and IPv6) are allocated and standardized under global internet standards.
IPv4
- Smaller address space
- Easier to blacklist
- Widely used by mobile and broadband ISPs
IPv6
- Massive address space
- Attackers can rotate addresses cheaply
- Rate limiting by single IP is ineffective
Best practice: Apply rate limits and abuse detection at the subnet or ASN level for IPv6 traffic, not individual IPs.
Common Mistakes and Pitfalls
1. Blocking Entire Countries Blindly
Country-level blocking often causes collateral damage, especially for global products. Use it only when there is strong evidence of abuse.
2. Trusting Client-Side IPs
Never trust IPs sent via request parameters. Always extract the IP from:
REMOTE_ADDR
- X-Forwarded-For (only if you control the proxy)
- CF-Connecting-IP or similar headers from trusted CDNs
3. Treating IP Intelligence as a Single Signal
- IP intelligence should complement, not replace:
- Email verification
- Rate limiting
- Behavioral analysis
4. Assuming 100% Accuracy
IP geolocation and proxy detection are probabilistic. False positives and false negatives are unavoidable.
Accuracy and Limitations
IP intelligence has inherent constraints:
- Mobile carriers may route traffic through centralized gateways
- VPN detection is an ongoing arms race
- City-level accuracy varies by region
- Corporate networks may appear as hosting providers
Because of this, decisions should be risk-based, not absolute.
Performance and Security Considerations
- Cache IP intelligence responses to reduce latency and cost
- Use short timeouts and fallback logic
- Never expose your API key to the frontend
- Log IP metadata for audit and tuning, but avoid storing raw IPs longer than necessary
A typical lookup adds 20–80 ms when performed efficiently.
Conclusion
IP intelligence is a practical and effective layer for preventing fake signups when used correctly.
Key takeaways:
- Use IP intelligence as a server-side risk signal
- Detect VPNs, proxies, hosting providers, and ASN patterns
- Handle IPv6 differently from IPv4
- Avoid binary decisions; apply graduated controls
- Combine IP intelligence with other abuse prevention mechanisms
When integrated thoughtfully, IP intelligence significantly reduces signup abuse without harming legitimate users.
