Why Automatic IP address quarantine

If you run a SaaS service or manage the registration system of a forum, I am sure you are familiar with this problem: a user registers for the first time in your service and, for some reason, decides to create not one but multiple accounts. When he has consumed the trial period of one account, he consumes the credit of the other accounts he created. This is the case for Automatic IP address quarantine.

Automatic IP address quarantine in detail

It is now possible to include an IP address in each user’s private blacklist when the rating of our algorithms for domains or emails is negative. Let’s take this typical example: a user tries to register with an email address that our algorithm has determined is not trustworthy. If we use our API, then we can be confident that he will not be allowed to progress in the registration process.

But this user does not give up: he tries several suspicious email accounts until he finds one that our algorithm is not yet able to detect, and therefore manages to register on our platform (obviously, our algorithm cannot guarantee 100% accuracy, just like any other algorithm out there).

With the new Automatic IP address quarantine capability, when a user’s source IP address attempts to register with a suspicious email, that is, when the domain or email score assigned by the algorithm is negative, the source IP is automatically stored in the QUARANTINE-IP blacklist for as long as the service developer decides. By default, this time is one hour, although you can set any time you want, in seconds.

How to use it

You can read about this new capability in the API documentation, in the Check Domain, Check Email and Add an IP address automatically to QUARANTINE-IP sections. A developer who wants to quarantine the IP address and set its Time to Live in the blacklist only needs to add the parameters quarantine_ip and quarantine_ttl to the domain and email check services:

Check a “bad” domain and add IP address 8.8.8.8 to QUARANTINE-IP if found malicious

$ curl -i -H "X-Auth-Token: UUID" -X GET "https://api.apility.net/baddomain/mailinator.com?quarantine_ip=8.8.8.8&quarantine_ttl=86400"
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 24 Nov 2017 14:00:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 7
Connection: keep-alive
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Check a “bad” email and add IP address 8.8.8.8 to QUARANTINE-IP if found malicious

$ curl -i -H "X-Auth-Token: UUID" -X GET "https://api.apility.net/bademail/test@mailinator.com?quarantine_ip=8.8.8.8&quarantine_ttl=86400"
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 24 Nov 2017 14:00:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 7
Connection: keep-alive
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

In both cases, the IP address 8.8.8.8 will be quarantined for 24 hours (86400 seconds). If you check this IP address now, it will return that it belongs to the QUARANTINE-IP blacklist of the user:

$ curl -H "Accept: application/json" -H "X-Auth-Token: UUID" -X GET "https://api.apility.net/badip/8.8.8.8"
{
    "blacklists": ["QUARANTINE-IP"]
}

An example

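Let’s enrich our solution from “How to identify bad customers before they sign up” with this capability. Let’s change the is_email_malicious method to submit the source IP address and the Time To Live:

import requests
from urllib.parse import quote

def is_email_malicious(email, source_ip, ttl=86400):
    # A 200 response is treated as "flagged"; the API then quarantines source_ip for ttl seconds.
    # The email is percent-encoded so characters such as "/", "?" or "#" cannot alter the URL.
    url = "https://api.apility.net/bademail/%s" % quote(email, safe="@")
    params = {"token": "YOUR_API_KEY", "quarantine_ip": source_ip, "quarantine_ttl": ttl}
    response = requests.get(url, params=params, timeout=5)
    return response.status_code == 200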

The method now takes source_ip and, optionally, ttl. The IP address should be obtained from the incoming HTTP request (for example, from its headers), and the TTL should be set according to how long you want to ban the IP address.
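One way to derive the source_ip value from the request, as an added example (not code from the original post or from Apility): a client can send its own X-Forwarded-For header, so only hops appended by your own proxies are believed, and nothing is quarantined when no client address can be established. TRUSTED_PROXIES, client_ip and quarantine_params are hypothetical names, and the proxy ranges are constructed values.

```python
import ipaddress

# Assumption: the addresses of your own reverse proxies / load balancers (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.10/32")]

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, x_forwarded_for=None):
    """Return the client address to quarantine, or None if it cannot be established."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        # Direct connection: the TCP peer is the client; ignore any header it sent.
        return str(peer)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Each proxy appends the peer it saw, so walk right to left and stop at the
    # first hop that is not ours. Anything further left was supplied by the client.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess
        if not _is_trusted(ip):
            return str(ip)
    return None  # only proxy addresses seen: never quarantine your own proxy

def quarantine_params(remote_addr, x_forwarded_for=None, ttl=3600):
    """Build the quarantine_ip / quarantine_ttl query parameters for the check call."""
    if not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("quarantine_ttl must be a positive number of seconds")
    ip = client_ip(remote_addr, x_forwarded_for)
    if ip is None:
        return {}  # run the email check without quarantining anything
    return {"quarantine_ip": ip, "quarantine_ttl": ttl}
```
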

Now, when the user tries to register again on our site, he will get the page explaining that registration from malicious IP addresses is not permitted.

Apility.io Automatic IP Address quarantine

What’s next?

In order to use this service, it is necessary to register in the platform and obtain an API Key. You are allowed to use it even with a free account, so all you have to do to start using the service is register now!