IP reputation and IP location

IP Reputation and IP Location provides you with reputation and geographic location information for both source and target IP addresses. For example, if a given source IP address is flagged as being a source for spam and it is located in a country rated as high for spam origination, it's likely that the source IP address in question is a spam source.

IP Reputation categories exist for both source IPs and target IPs:

Source/Target IP Reputation (Anonymous Proxies) - IP addresses of web sites that allow users to anonymously view web sites
Source/Target IP Reputation (Botnet Command and Control Server) - IP addresses that host a botnet command-and-control server
Source/Target IP Reputation (Dynamic IPs) - IP addresses of dialup hosts and DSL lines
Source/Target IP Reputation (Malware) - IP addresses of malicious web sites or malware-hosting web sites
Source/Target IP Reputation (Scanning IPs) - IP addresses that have been identified as illegally scanning networks for vulnerabilities
Source/Target IP Reputation (Spam) - IP addresses that have been observed sending out spam
Source/Target IP Reputation (n) - indicates an unreleased category that is mapped to a number (n)

Note: As additional IP Reputation categories are added, they should be defined on the following web page: https://www.xforce-security.com/apploupe/categories/

The values for source IP and target IP Reputation categories are represented as probabilities between 0 and 100. For example, a Source IP Reputation (Spam) entry of zero (0) indicates that the source IP traffic is definitely not spam whereas an entry of 100 indicates definite spam traffic. Consider a value of 50 to be a threshold. Thus, values less than 50 indicate less likelihood that spam is present and values greater than 50 indicate more likelihood that spam is present. These probabilities are based on massive amounts of ongoing Web-based data that IBM X-Force continuously collects and analyzes.

Tip: Summary-type Analysis views show the most current reputation scores (probabilities) and are likely to change over time. Detail-type Analysis views show the reputation scores that were recorded by the event and do not change over time.

IP Location provides the country of origin of the source IP address or target IP address.

Here are some other useful facts regarding using IP Reputation and IP Location:

You can use specific Analysis views created for IP Reputation. These include Event Analysis - Attacker Reputation and Event Analysis - Target Reputation.
You can filter on any of the IP Reputation categories. For example, if you go to the Analysis view, load the Event Analysis - Detail view, and click Filters, you can select any of the Source IP Reputation or Target IP Reputation categories on which to filter. To make it easier to navigate, all the Source IP Reputation categories are listed in an expandable tree format under the Source IP Reputation heading. There is a similar arrangement for Target IP Reputation categories.
When you choose to filter on a Source IP Location or a Target IP Location, the right pane lists all the countries that you can select. There are also Select All and Deselect All links for your convenience. At the bottom of the country list is an entry labeled unknown. Use this to filter IP Locations that are not known.
You can also filter a Source IP Location or Target IP Location by the Private Network entry.