Methodology
Abuse Radar publishes sanitized indicators from monitored infrastructure. It is designed to help defenders prioritize response while avoiding disclosure of private collector details.
What is included
IP address, public reason label, first seen, last seen, detection count, source count, status, approximate geolocation, and blocklist window.
What is removed
Raw logs, usernames, passwords, hostnames, mailboxes, sensor names, request payloads, and any internal infrastructure details.
How to use it
Use the feed as an operational signal for triage, blocking, alert enrichment, and abuse reporting. It is a signal, not a verdict: confirm the activity against your own logs before blocking a network or filing an abuse report, and check each record's status and blocklist window so that archived or expired entries are not acted on.
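The triage step described above, as an added example that is not Abuse Radar's own code. It assumes the feed is exported as JSON records whose keys mirror the "What is included" list (the JSON shape and key names are an assumption; the page publishes no schema) and uses constructed sshd lines as the local logs. Records that are archived or past their blocklist window are dropped, and the feed alone never produces a block: a listed address is blocked only when the local logs also show it failing, escalated when it has succeeded locally, and merely used for enrichment when the local logs are silent.

```python
import json
import re
from datetime import datetime, timezone

# Constructed feed export. Key names mirror the "What is included" list; the
# JSON shape itself is an assumption, not a documented Abuse Radar format.
FEED_JSON = """[
  {"ip": "203.0.113.10", "reason": "Repeated authentication failures",
   "first_seen": "2024-05-01T08:00:00Z", "last_seen": "2024-05-03T09:15:00Z",
   "detection_count": 412, "source_count": 3, "status": "active",
   "geo": "DE", "blocklist_until": "2024-05-10T09:15:00Z"},
  {"ip": "192.0.2.5", "reason": "Possible credential list abuse",
   "first_seen": "2024-05-02T11:00:00Z", "last_seen": "2024-05-02T12:30:00Z",
   "detection_count": 9, "source_count": 2, "status": "active",
   "geo": "NL", "blocklist_until": "2024-05-09T12:30:00Z"},
  {"ip": "203.0.113.99", "reason": "Suspicious network scanning",
   "first_seen": "2024-05-01T00:00:00Z", "last_seen": "2024-05-01T06:00:00Z",
   "detection_count": 30, "source_count": 1, "status": "active",
   "geo": "US", "blocklist_until": "2024-05-08T06:00:00Z"},
  {"ip": "198.51.100.7", "reason": "Suspicious network scanning",
   "first_seen": "2024-04-01T00:00:00Z", "last_seen": "2024-04-02T00:00:00Z",
   "detection_count": 5, "source_count": 1, "status": "archived",
   "geo": "US", "blocklist_until": "2024-04-09T00:00:00Z"}
]"""

# Constructed local sshd lines standing in for "your own logs".
LOCAL_LOG = """\
May  3 09:14:51 bastion sshd[4412]: Failed password for invalid user admin from 203.0.113.10 port 50122 ssh2
May  3 09:14:55 bastion sshd[4412]: Failed password for invalid user admin from 203.0.113.10 port 50130 ssh2
May  3 09:20:01 bastion sshd[4420]: Accepted publickey for ops from 192.0.2.5 port 51000 ssh2
May  3 09:25:10 bastion sshd[4431]: Failed password for root from 192.0.2.77 port 40000 ssh2
"""

LOG_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def active_records(feed_text, now):
    """Keep only records that are still 'active' and inside their blocklist window."""
    keep = {}
    for rec in json.loads(feed_text):
        if rec["status"] != "active":
            continue  # archived entries are history, not a blocking signal
        if parse_ts(rec["blocklist_until"]) <= now:
            continue  # window expired; never block on stale data
        keep[rec["ip"]] = rec
    return keep


def local_auth_activity(log_text):
    """Per-IP counts of failed and accepted auth events from local sshd lines."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        c = counts.setdefault(m["ip"], {"failed": 0, "accepted": 0})
        c["failed" if m["outcome"] == "Failed" else "accepted"] += 1
    return counts


def triage(feed, activity):
    """Map each IP to an action. The feed alone is never a reason to block:
    'block'        listed and also failing locally (corroborated)
    'investigate'  listed and has an accepted login locally (worse than a block)
    'enrich'       listed but silent locally (tag alerts, do not block yet)
    'local-only'   failing locally but not listed (candidate for an abuse report)
    """
    actions = {}
    for ip in feed:
        local = activity.get(ip, {"failed": 0, "accepted": 0})
        if local["accepted"]:
            actions[ip] = "investigate"
        elif local["failed"]:
            actions[ip] = "block"
        else:
            actions[ip] = "enrich"
    for ip, local in activity.items():
        if ip not in feed and local["failed"]:
            actions[ip] = "local-only"
    return actions


def run(now_iso="2024-05-03T10:00:00Z"):
    """Evaluate the constructed feed against the constructed logs at a given time."""
    now = parse_ts(now_iso)
    return triage(active_records(FEED_JSON, now), local_auth_activity(LOCAL_LOG))


if __name__ == "__main__":
    for ip, action in sorted(run().items()):
        print(f"{ip:16} {action}")
```

Running it at a later date (for example `run("2024-05-12T00:00:00Z")`) empties the active set because every blocklist window has passed, and the same addresses fall back to local-only handling; that is the behaviour you want from a time-limited feed, and it is why the window check belongs in the consumer as well as the publisher.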
False positives
Network owners can submit a delist request. Records are also time-limited: active records that age out are archived automatically, so an old listing does not stay in force indefinitely.
Signal Types
- Repeated authentication failures: Repeated failed logins from the same IP. This is commonly seen during password spraying or scripted login attempts.
- Automated credential guessing: Automated attempts to guess valid usernames or passwords against a protected service.
- Suspicious network scanning: Network probing that matches scanner-like behavior. Treat this as an early warning signal.
- Suspicious mail authentication attempts: Authentication attempts against monitored mail infrastructure that look automated or otherwise anomalous.
- Suspicious SSH authentication attempts: Authentication attempts against monitored SSH services that look automated or otherwise anomalous.
- Leak trap address contacted: A monitored leak-trap address was contacted. This suggests the sender may be using exposed or scraped address data.
- Possible credential list abuse: Activity resembles use of leaked credential material or exposed identity data.
- Abuse of monitored exposed address: A monitored exposed address was abused or contacted unexpectedly.
- Abuse pattern detected: Generic label for behavior that matched an abuse pattern observed by monitored infrastructure.
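The publisher side of the "What is included" / "What is removed" split and of the signal labels above, as an added example that is not Abuse Radar's collector code. It turns constructed sshd and postfix lines into internal records, applies an illustrative minimum-detection threshold and a 7-day blocklist window (both assumptions; the page does not publish the real values), projects each record onto the public field list, and checks that no sensor name, username or request payload survives. The mapping from line to label is this example's own; the label strings are the ones listed under Signal Types, and geolocation is a placeholder because no lookup is bundled here.

```python
import re
from datetime import datetime, timedelta, timezone

# Public fields exactly as listed under "What is included"; every other key is dropped.
PUBLIC_FIELDS = ("ip", "reason", "first_seen", "last_seen", "detection_count",
                 "source_count", "status", "geo", "blocklist_until")

# Illustrative policy values; Abuse Radar's real thresholds are not published on this page.
MIN_DETECTIONS = 3
BLOCKLIST_DAYS = 7
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed raw sensor events: (timestamp, sensor name, program, message).
# Sensor names, usernames and the SASL payload are exactly what must never be published.
RAW_EVENTS = [
    ("2024-05-03T09:14:51Z", "sensor-eu-1", "sshd",
     "Failed password for invalid user admin from 203.0.113.10 port 50122 ssh2"),
    ("2024-05-03T09:14:55Z", "sensor-eu-1", "sshd",
     "Failed password for invalid user admin from 203.0.113.10 port 50130 ssh2"),
    ("2024-05-03T09:15:02Z", "sensor-us-2", "sshd",
     "Failed password for root from 203.0.113.10 port 50140 ssh2"),
    ("2024-05-03T09:30:00Z", "sensor-eu-1", "postfix/smtpd",
     "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    ("2024-05-03T09:30:04Z", "sensor-eu-1", "postfix/smtpd",
     "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    ("2024-05-03T10:00:00Z", "sensor-eu-1", "sshd",
     "Accepted publickey for ops from 192.0.2.5 port 51000 ssh2"),
]

SSH_FAIL = re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SASL_FAIL = re.compile(r"\[(?P<ip>[\d.]+)\]: SASL \S+ authentication failed: (?P<payload>\S+)")


def classify(program, message):
    """Map one raw line to (ip, reason label, private values) or None.
    Labels are from the Signal Types list; the line-to-label mapping is this example's own."""
    if program == "sshd":
        m = SSH_FAIL.search(message)
        if m:
            return m["ip"], "Suspicious SSH authentication attempts", {m["user"]}
    elif program.startswith("postfix"):
        m = SASL_FAIL.search(message)
        if m:
            return m["ip"], "Suspicious mail authentication attempts", {m["payload"]}
    return None


def aggregate(events):
    """Collapse raw events into internal per-(ip, reason) records. These still
    carry sensor names and private values and must not leave the collector as-is."""
    groups = {}
    for ts, sensor, program, message in events:
        hit = classify(program, message)
        if hit is None:
            continue
        ip, reason, private = hit
        g = groups.setdefault((ip, reason), {"ts": [], "sensors": set(), "private": set()})
        g["ts"].append(ts)
        g["sensors"].add(sensor)
        g["private"] |= private
    internal = []
    for (ip, reason), g in groups.items():
        if len(g["ts"]) < MIN_DETECTIONS:
            continue  # one or two hits are a false-positive source; do not publish
        last = max(g["ts"])
        until = datetime.strptime(last, TS_FMT).replace(tzinfo=timezone.utc) + timedelta(days=BLOCKLIST_DAYS)
        internal.append({
            "ip": ip, "reason": reason,
            "first_seen": min(g["ts"]), "last_seen": last,
            "detection_count": len(g["ts"]), "source_count": len(g["sensors"]),
            "status": "active", "geo": "ZZ",  # placeholder: no geolocation lookup is bundled here
            "blocklist_until": until.strftime(TS_FMT),
            "sensors": sorted(g["sensors"]), "private": sorted(g["private"]),
        })
    return internal


def sanitize(record):
    """Allow-list projection: only the public fields survive, whatever else was collected."""
    return {k: record[k] for k in PUBLIC_FIELDS}


def leaks(record, events):
    """True if any sensor name, username or payload from the raw events appears in the record."""
    secrets = {sensor for _, sensor, _, _ in events}
    for _, _, program, message in events:
        hit = classify(program, message)
        if hit:
            secrets |= hit[2]
    blob = " ".join(str(v) for v in record.values())
    return any(s in blob for s in secrets)


def publish(events=RAW_EVENTS):
    """Sanitized records ready for the feed."""
    return [sanitize(r) for r in aggregate(events)]


if __name__ == "__main__":
    for internal in aggregate(RAW_EVENTS):
        print("internal record leaks private data:", leaks(internal, RAW_EVENTS))
        print("published:", sanitize(internal), "leaks:", leaks(sanitize(internal), RAW_EVENTS))
```

The allow-list in `sanitize` is the important design choice: a deny-list of known-private keys silently fails the first time a collector adds a new field, whereas a projection onto the published field list cannot leak a key nobody anticipated. The `leaks` check is the kind of assertion worth keeping in the publisher's tests. With these inputs the two SASL failures from 198.51.100.7 stay below the threshold and are not published at all.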