ASN reputation

What is ASN reputation?#

ASN reputation is a measure of the trustworthiness of an autonomous system based on the concentration and history of malicious activity hosted within its IP prefixes. An ASN with a high proportion of phishing sites, malware distribution endpoints, or spam sources receives a lower reputation score than one with minimal abuse. It is a key signal in threat intelligence and domain risk scoring.

Reputation signals#

Several signal categories contribute to ASN reputation assessments.

Spam volume (the proportion of IP addresses within the ASN that appear on spam blocklists) is one of the most established signals, with decades of data from email reputation systems.

Malware hosting tracks IPs serving exploit kits, drive-by downloads, or command-and-control infrastructure. A high ratio of malware-associated IPs relative to the ASN's total address space is a strong negative signal.

Phishing concentration measures how many active phishing pages are hosted on the ASN compared to legitimate content. Some ASNs consistently appear in phishing domain detection feeds, suggesting lax abuse enforcement.

Bulletproof hosting indicators are the most damning signal. Bulletproof hosts are providers that explicitly or implicitly tolerate malicious content, resist takedown requests, and may operate in jurisdictions with weak enforcement. ASNs associated with known bulletproof hosting operations carry persistently poor reputation. See hosting provider reputation for how provider-level scoring complements ASN-level analysis.

Data sources#

ASN reputation draws from blocklists (Spamhaus, SURBL), threat intelligence feeds, honeypot networks, abuse report databases, and internet-wide scanning projects. Some services compute composite scores; others provide raw data for organizations to build their own models.

How ASN reputation is used#

In domain risk scoring, the ASN hosting a domain's resolved IP is one input among several. A newly registered lookalike domain resolving to an ASN with a history of phishing infrastructure scores higher risk than the same domain resolving to a major cloud provider. ASN reputation helps prioritize which domains merit deeper investigation, particularly in malicious domain detection workflows where analysts need to triage large volumes of candidates.

Limitations#

ASN reputation has significant blind spots that prevent it from being a standalone signal.

Shared hosting and cloud providers host millions of legitimate and malicious customers under the same ASN. AWS, Google Cloud, and Azure have enormous IP spaces; their ASN reputation is inherently mixed, and flagging their ASN penalizes legitimate sites alongside malicious ones.

CDN attribution is similarly problematic. Domains served through Cloudflare or Fastly resolve to CDN edge IPs, not origin servers. The CDN's ASN tells you nothing about the actual host.

Reputation lag means a previously clean ASN that begins hosting abuse may not be flagged until enough incidents accumulate, and a reformed ASN may carry a poor score long after cleanup.

ASN reputation is most effective when correlated with registration data, DNS behavior, and content analysis. The ASN hosting a suspicious domain helps analysts assess whether the infrastructure behind it is consistent with legitimate use or part of a pattern of abuse, but it should never be the sole basis for a blocking or takedown decision.