ipasis
Blog/Security Engineering

Engineering Fraud-Resistant Referral Systems with IP Intelligence

February 16, 20268 min read

Referral programs are a primary vector for CAC (Customer Acquisition Cost) inflation. For fraudsters, the ROI on scripting account creation to harvest referral bonuses is high. While device fingerprinting and email verification are standard defenses, they are easily bypassed with headless browsers and catch-all email domains.

The network layer remains the most expensive resource for attackers to spoof convincingly. This guide details how to implement IP-based controls to identify and block fraudulent referrals without degrading the user experience for legitimate customers.

The Attack Vector: Sybil Attacks & Residential Proxies

Sophisticated referral abuse operates as a Sybil attack. An attacker creates hundreds of identities to claim bonuses. To bypass basic IP bans, they utilize:

  1. Rotating Residential Proxies: Routing traffic through infected consumer IoT devices to appear as unique residential users.
  2. Datacenter IPs: Using cheap VPS instances (AWS, DigitalOcean) to run automation scripts.
  3. Tor Exit Nodes: Anonymizing traffic to obscure origin.

To mitigate this, we must analyze the quality and reputation of the connection, not just the uniqueness of the IP address.

Strategy 1: Connection Type Filtering

Legitimate users rarely sign up for consumer apps via Datacenter or Hosting IPs. If a referral conversion originates from an ASN belonging to a cloud provider, it should be treated with extreme suspicion or blocked immediately.

Similarly, while privacy-conscious users utilize VPNs, a referral signup occurring via a known VPN endpoint often correlates with multi-accounting attempts.

Implementation Logic

Your signup middleware should query IP intelligence data before persisting the user. Here is a Python implementation pattern using the IPASIS API structure:

import requests
from fastapi import HTTPException

def validate_referral_ip(ip_address: str) -> bool:
    """
    Validates an IP against fraud rules. 
    Returns True if safe, raises HTTPException if high risk.
    """
    try:
        # IPASIS API lookup
        response = requests.get(f"https://api.ipasis.com/json/{ip_address}?key=YOUR_API_KEY")
        data = response.json()

        # 1. Block Datacenter/Hosting IPs (High probability of bots)
        if data.get('is_datacenter', False):
             raise HTTPException(status_code=403, detail="Signup not permitted from hosting networks.")

        # 2. Block known proxies and Tor nodes
        if data.get('is_proxy', False) or data.get('is_tor', False):
             # Optional: Allow VPNs but flag for manual review, block Tor entirely
             if data.get('is_tor', False):
                 raise HTTPException(status_code=403, detail="Anonymized connections not allowed for referrals.")
             
             # Flag account for manual review (pseudo-code)
             mark_account_for_review(ip_address, "VPN Detected")

        # 3. Risk Score Assessment
        if data.get('risk_score', 0) > 85:
             raise HTTPException(status_code=403, detail="High risk connection detected.")
             
        return True

    except Exception as e:
        # Fail open or closed depending on security posture
        print(f"IP Lookup failed: {e}")
        return True

Strategy 2: Velocity Checks & Subnet Analysis

Attackers often rotate IPs within the same subnet (/24 block). Blocking a single IP is insufficient; you must monitor velocity at the subnet level.

If you detect 50 signups in one hour from 192.168.1.x, legitimate users are unlikely to be the cause (unless it is a CGNAT environment, which IPASIS metadata can clarify).

Best Practice: Implement rate limiting on the /24 CIDR range for referral redemptions. If a specific subnet exceeds N signups per hour, trigger CAPTCHA or invalidate the referral bonus for subsequent signups.

Strategy 3: Geographic Consistency

Referral fraud often involves labor arbitrage (e.g., click farms). If the Referrer is a long-standing user based in the UK, but the Referee signs up from an IP in a completely different high-risk region with no logical connection, the transaction is suspect.

Compare the IP geolocation against:

  1. The phone number country code provided during 2FA.
  2. The shipping address (if applicable).
  3. The Referrer's historical geolocation data.

FAQ

Q: Won't blocking VPNs hurt legitimate privacy-focused users? A: It is a trade-off. For high-value referral payouts, requiring a residential IP for the initial signup is standard industry practice. You can allow VPN usage for login, but restrict it for account creation and referral redemption.

Q: How do we handle CGNAT (Carrier-Grade NAT)? A: Mobile networks use CGNAT, meaning thousands of users share an IP. Relying solely on IP velocity will cause false positives here. Use IP intelligence to identify if an IP belongs to a mobile carrier (ISP type) and increase velocity thresholds for those specific ASNs.

Q: Should we block or shadowban? A: For referral fraud, shadowbanning is superior. Allow the signup to proceed but silently invalidate the referral bonus. This slows down the attacker as they do not immediately realize their script has been detected.

Secure Your Growth Engine

Referral programs should fuel growth, not burn cash. By integrating real-time IP intelligence, you can automate the detection of bot networks and proxy farms before they drain your marketing budget.

IPASIS provides enterprise-grade IP data, including accurate detection of VPNs, proxies, and tor exit nodes, with low-latency API response times designed for real-time transaction processing.

Get your API Key and start securing your referral program today.

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key