
Signals

Safe-e exposes a number of signals in the API response body: a list of potentially risky properties and behaviors that were detected on the event.

Example

{
	"risk": 55.0,
	"account_abuse": 89.00,
	"account_takeover": 37.75,
	"bot": 27.75,
	"signals": [
		"proxy_ip", "datacenter_ip"
	],
	"policy": {
		"name": "Policy Default",
		"action": "Deny"
	}
}

That is, this event originated from a proxy IP address (proxy_ip), and the device information indicates that the event was scripted, like a bot script (IP Intelligence).

Good to know: These are the signals available in the current version of the product. We put new signals and risk indicators into production every month.
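One way to consume the response shown above on the integrating side, as an added example that is not Safe-e's own code: it groups the returned signals under this page's section headings and tolerates signal names it does not know yet, since new ones ship regularly. The function name triage, the output field names and the signal future_signal_x are assumptions made for illustration.

```python
import json

# Signal names copied from this page, grouped under its section headings.
KNOWN_SIGNALS = {
    "scripted": {"bot_behavior", "credential_stuffing", "generated_email",
                 "high_activity_account", "high_activity_device", "high_activity_ip"},
    "anomalous": {"impossible_travel", "multiple_accounts_per_device"},
    "device": {"http_client_library", "web_crawler", "spoofed_device",
               "missing_device_data", "invalid_device_data"},
    "email": {"disposable_email_domain", "invalid_email", "low_quality_email"},
    "network": {"vpn_ip", "datacenter_ip", "proxy_ip", "tor_exit"},
}
CATEGORY_OF = {name: cat for cat, names in KNOWN_SIGNALS.items() for name in names}


def triage(body: str) -> dict:
    """Parse a response body into a normalized view for logging and enforcement."""
    doc = json.loads(body)
    signals = doc.get("signals") or []
    if not isinstance(signals, list) or not all(isinstance(s, str) for s in signals):
        raise ValueError("signals must be a list of strings")
    by_category, unknown = {}, []
    for name in signals:
        cat = CATEGORY_OF.get(name)
        if cat is None:
            unknown.append(name)  # unrecognized signal: record it, do not crash
        else:
            by_category.setdefault(cat, []).append(name)
    policy = doc.get("policy") or {}
    return {
        "risk": float(doc.get("risk", 0.0)),
        "action": policy.get("action"),
        "by_category": by_category,
        "unknown_signals": unknown,
        # missing_device_data may also mean a misconfigured integration: flag for ops.
        "check_integration": "missing_device_data" in signals,
    }


# Constructed sample: the example response above plus one made-up signal name.
SAMPLE = json.dumps({
    "risk": 55.0, "account_abuse": 89.00, "account_takeover": 37.75, "bot": 27.75,
    "signals": ["proxy_ip", "datacenter_ip", "future_signal_x"],
    "policy": {"name": "Policy Default", "action": "Deny"},
})

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Logging the unknown_signals list gives an early notice that the local signal table needs updating.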

Scripted Signals

Name
Description

bot_behavior

Bot behavior can be an indication of all sorts of unwanted behavior, including fake account creation, testing of stolen credit card numbers and credential testing, but also more benign behavior like integration testing using browser automation software.

credential_stuffing

Credential stuffing is an automated type of attack in which stolen account credentials, in particular e-mail addresses, are used to gain unauthorized access to user accounts. Credential stuffing attacks, unlike credential cracking, do not attempt to guess any passwords with brute force, but rather leverage a list of leaked credentials.

generated_email

This signal is a strong indicator of automated attempts, in which the attacker is either repeating the same email pattern or submitting completely random emails, typically during registration. The email provider may still be legitimate and non-disposable.

high_activity_account

This signal learns what is typical behavior for a user account and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.

high_activity_device

This signal learns what is typical behavior for a device and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.

high_activity_ip

This signal learns what is the typical rate of traffic coming from IP addresses and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.

Anomalous Behavior

Name
Description

impossible_travel

This is triggered by comparing the user's current location with their last known location and then detecting trips that are highly unlikely, or even impossible, given the time between the two events. This signal correlates with man-in-the-middle attacks, account takeovers, and offshore attacks.

multiple_accounts_per_device

The device, from which this event originated, has been used to log into multiple user accounts. This could indicate account abuse or promotion abuse.
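The comparison described for impossible_travel, as an added example that is not Safe-e's implementation: it computes the great-circle distance between two sightings of the same account and flags the pair when the implied speed exceeds a limit. The 1000 km/h speed limit, the 100 km minimum distance and the coordinates are assumptions chosen for illustration.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # assumed threshold, roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0  # assumed floor: IP geolocation is too coarse below this


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(prev, curr, max_speed_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """prev and curr are (datetime, lat, lon) tuples for the same account.

    Returns True when covering the distance in the elapsed time would require
    a speed above max_speed_kmh.
    """
    dist = haversine_km(prev[1], prev[2], curr[1], curr[2])
    if dist < min_km:
        return False  # short hops are within geolocation error
    hours = abs((curr[0] - prev[0]).total_seconds()) / 3600.0
    if hours == 0:
        return True  # two distant places at the same instant
    return dist / hours > max_speed_kmh


# Constructed sample events: a login in London, then one in New York.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LONDON = (T0, 51.5074, -0.1278)
NEW_YORK_1H = (T0 + timedelta(hours=1), 40.7128, -74.0060)
NEW_YORK_10H = (T0 + timedelta(hours=10), 40.7128, -74.0060)

if __name__ == "__main__":
    print(impossible_travel(LONDON, NEW_YORK_1H))   # one hour apart
    print(impossible_travel(LONDON, NEW_YORK_10H))  # ten hours apart
```

A user who switches a VPN on between two requests produces the same pattern, so this check is best read together with the network signals on this page.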

Device Signals

Name
Description

http_client_library

HTTP client libraries are used to send requests to an application with relatively little effort using a command line or a script. They are frequently used in less sophisticated but high-volume automated attacks and abuse.

web_crawler

A web crawler is an application that searches and indexes documents on the Internet. It should be considered abnormal if an authenticated user is claiming to be a web crawler.

spoofed_device

There is evidence that the request is not coming from a genuine device but that the device parameters have been changed or are fabricated. This includes using a device emulator that mimics the entire client context of the device or simply changing the user agent string in the browser.

missing_device_data

The data forwarded from the device to the server is empty. This is possibly due to an attacker attempting to bypass the client-side analysis; however, it could also be due to a misconfigured integration.

invalid_device_data

The data forwarded from the device to the server could not be interpreted, most likely due to a replay attack or request tampering.

Email Signals

Name
Description

disposable_email_domain

A disposable email domain indicates that the email address was issued by a service that issues temporary inboxes that expire after a short period of time. Examples of these providers are Mailinator, TempMail, and Guerrilla Mail.

invalid_email

An email address that does not conform to internet email standards, or which does not exist on the recipient's server. Examples include addresses without the @ sign, addresses that include certain special characters and/or spaces, or failed SMTP authentication attempts.

low_quality_email

This signal triggers whenever signs of randomness or profanities are found in the email. This typically means that the user signed up without a serious intent to use the service.

Network Signals

Name
Description

vpn_ip

A virtual private network, better known as a VPN, gives you online privacy and anonymity by creating a private network from a public internet connection. VPNs mask your internet protocol (IP) address so your online actions are virtually untraceable.

datacenter_ip

An IP address belonging to a hosting provider, data center, or content delivery network can serve to provide anonymity, as well as be used to launch large-scale automated fraud campaigns.

proxy_ip

Proxy servers are used to mask the true location of a device. This signal identifies requests coming from proxy servers both by running the IP address against lists of known proxy IPs and by identifying timezone and timing anomalies that indicate that the traffic was routed through a proxy server.

tor_exit

Tor anonymizes internet traffic and is frequently used by fraudsters to conceal their true location. A Tor IP is an IP address that matches an entry in Tor's official list of exit nodes.


Last updated 2 years ago
