Mobile IP Fraud Score Lookup: The 2026 Operator Guide

what you will end up with

By the end of this guide you know which six mobile IP fraud score lookup services matter for Telegram sessions in 2026, what each one actually measures, and which thresholds separate a safe session from a flagged one. You get curl commands you can run right now against each API, plus a method for handling contradictory scores when two tools disagree. Plan for about 15 minutes if you already have one or two API keys, and closer to 30 if you are starting from scratch.

before you start

You need curl and Python 3 on your machine. Linux and macOS include both by default. Windows users should run these from WSL or Git Bash. Grab a free API key from AbuseIPDB and from IPQualityScore before you start. Both issue keys on signup with no credit card required, and both have free tiers generous enough for manual checking of individual IPs. MaxMind and Spur require paid accounts for the insight-level data you actually need for Telegram analysis, so start with the free tools and add those two later if you want deeper carrier-level signals. Have the IP address you want to test ready before you run anything.

curl --version && python3 -c "import json; print('json ok')"
# confirm curl 7.x+ and python3 before running the lookup block in step 6

the step-by-step

1. Pull the exact IP Telegram will see.

SSH into the device running your Telegram session and run curl -s https://api.ipify.org. Do not trust the IP your carrier displays in a management portal or app dashboard. Telegram’s servers connect to wherever your session socket is bound, which is the IP that ipify returns. If you are testing a dedicated vs shared mobile IP arrangement on a remote device, get the IP from the device itself, not from the tunnel or the hosting panel. Write the IP down. You will pass it to all six APIs in the same session.

2. Run the AbuseIPDB check first.

AbuseIPDB is the fastest free mobile IP fraud score lookup in this list. It crowd-sources abuse reports from server operators who submit when they see spam, brute-force, or scanning from a given IP. The field you care about is abuseConfidenceScore. For Telegram, you want that number below 25. Scores between 25 and 50 are borderline: Telegram’s own anti-spam layer operates independently of AbuseIPDB, but the two data sources are correlated in practice, and accounts on IPs in that range trigger verification prompts more frequently than clean IPs do. Above 50 and you are borrowing trouble. Also check the usageType field in the response. A clean SIM-based IP returns “Mobile ISP” or “ISP”. If it returns “Data Center/Web Hosting” on something marketed as a mobile IP, either the routing is wrong or the IP block has been recycled from a VPS range.

3. Cross-check with IPQualityScore.

IPQualityScore runs its own crawler and fingerprinting network, entirely separate from AbuseIPDB’s crowd model. For Telegram, the three fields that matter most are proxy (must be false), tor (must be false), and mobile (ideally true for a SIM-based device). The fraud_score runs on a 0-100 scale. Anything under 75 is workable. Above 85 and IPQualityScore’s own abuse-blocking customers will begin dropping traffic from that IP, which has downstream effects on session reliability. One note on mobile returning false: this is not unusual on a genuine SIM if the carrier routes through a gateway that IPQualityScore has not yet classified as mobile. Check the other tools before deciding.

4. Query IPInfo for carrier and ASN validation.

IPInfo does not produce a fraud score, but its org and carrier fields are the ground truth for whether an IP actually lives on a mobile carrier’s ASN. A legitimate SingTel SIM returns an ASN in the AS7473 range. An M1 SIM lands in AS9506. If IPInfo’s org field returns something that is not a recognized carrier name, that is your signal to investigate before trusting any fraud score from the other tools. This is the lookup that catches the common trick of datacenter providers advertising fake mobile ASNs to fool naive detection systems. The IETF RFC 6598 shared address space standard underpins why carrier-grade NAT IPs sometimes appear to serve many simultaneous users: one public IP can front hundreds of SIM subscribers through carrier NAT, which is normal and expected behavior for a mobile ISP block.

5. Run Spur for proxy and anonymization signals.

Spur is the most sophisticated anonymization-detection service in this list and the one most likely to catch residential proxy pools marketed as mobile. Its API returns a risks array. For a Telegram session on a clean SIM, you want that array empty, or at most containing MOBILE_NETWORK_RELAY, which just means the carrier uses NAT and is not a negative signal. Any entry containing PROXY, VPN, TOR, or RESIDENTIAL_PROXY is a fail. Spur’s data is the most likely to surface a shared residential pool that AbuseIPDB and IPQualityScore have not yet caught, because Spur’s methodology focuses specifically on anonymizing infrastructure rather than abuse history.

6. Run the full lookup block.

Here are the combined curl commands for all six services. Replace YOUR_IP with the target address and set your key environment variables before running. Pipe everything to python3 -m json.tool so the output is readable, then paste all six results into a text file so you can compare them side by side when you get to step 9.

export IP="YOUR_IP"
export ABUSEIPDB_KEY="your_key_here"
export IPQS_KEY="your_key_here"
export IPINFO_TOKEN="your_token_here"
export MAXMIND_ACCOUNT="your_account_id"
export MAXMIND_KEY="your_license_key"
export SPUR_TOKEN="your_token_here"
export IPGEO_KEY="your_key_here"

# 1. AbuseIPDB (free tier available)
curl -s "https://api.abuseipdb.com/api/v2/check?ipAddress=$IP&maxAgeInDays=90" \
  -H "Key: $ABUSEIPDB_KEY" -H "Accept: application/json" | python3 -m json.tool

# 2. IPQualityScore (free tier available)
curl -s "https://ipqualityscore.com/api/json/ip/$IPQS_KEY/$IP?strictness=1" \
  | python3 -m json.tool

# 3. IPInfo (free tier available)
curl -s "https://ipinfo.io/$IP?token=$IPINFO_TOKEN" | python3 -m json.tool

# 4. MaxMind GeoIP2 Insights (paid)
curl -s -u "$MAXMIND_ACCOUNT:$MAXMIND_KEY" \
  "https://geoip.maxmind.com/geoip/v2.1/insights/$IP" | python3 -m json.tool

# 5. Spur (paid)
curl -s "https://api.spur.us/v2/context/$IP" \
  -H "Token: $SPUR_TOKEN" | python3 -m json.tool

# 6. ipgeolocation.io (free tier available)
curl -s "https://api.ipgeolocation.io/ipgeo?apiKey=$IPGEO_KEY&ip=$IP&fields=security" \
  | python3 -m json.tool

7. Interpret the MaxMind connection type.

MaxMind’s GeoIP2 Insights endpoint returns a connection_type field inside the traits object. For a Telegram session on a genuine SIM, you want that field to read cellular. If it returns corporate, the SIM may be on a business APN that routes differently from consumer plans. If it returns hosting, Telegram’s infrastructure layer has almost certainly already noted the anomaly. Check is_anonymous and is_anonymous_proxy in the same response: both must be false. MaxMind’s data model updates continuously and is generally the most authoritative on connection type among the paid services, which is why it is worth the cost even if you are only testing a handful of IPs.

8. Use ipgeolocation.io as a tiebreaker.

ipgeolocation.io does not carry the brand weight of MaxMind or Spur, but its security endpoint is a fast, cheap tiebreaker when two more authoritative tools disagree. The fields to check are is_proxy, is_tor, is_vpn, and connection_type. If ipgeolocation returns cellular while IPQualityScore returned mobile: false, lean toward the cellular reading. IPQualityScore’s mobile-type detection lags its fraud scoring by a wider margin than most operators realize, particularly on newer carrier IP ranges in smaller markets.

9. Build your pass/fail summary.

A clean mobile IP fraud score lookup across all six tools looks like this: AbuseIPDB abuseConfidenceScore below 25, proxy and tor false on both IPQualityScore and Spur, Spur’s risks array empty or containing only MOBILE_NETWORK_RELAY, IPInfo org matching a recognized carrier name, MaxMind connection_type returning cellular, and ipgeolocation is_proxy false. Hit all of those and your IP is about as clean as a live SIM IP can be. Fail exactly one signal while passing five, and read the next section before doing anything drastic.

what can go wrong

AbuseIPDB returns a score above 25 but all other tools show clean.

This almost always means a previous tenant of the SIM block, or a different device sharing the carrier’s subnet, got reported for spam or brute-force sometime in the last 90 days. Pull up the AbuseIPDB web UI for the specific IP and check the reports tab directly. If the most recent report is older than 90 days and describes a use case clearly different from yours (SSH scanning, email spam, credential stuffing), it is residual noise from a past device and not your problem. You can submit a delisting request through AbuseIPDB’s portal. Approval typically takes one to three business days. Telegram does not directly query AbuseIPDB as a lookup API, so a stale historical score here is not an immediate Telegram risk, but it is worth clearing before trusting the IP for a long-term session.

IPQualityScore and Spur disagree on the proxy flag.

This is the most common contradiction you will encounter in any mobile IP fraud score lookup workflow. IPQualityScore has a history of misflagging carrier-grade NAT endpoints as proxies, because a single NAT IP appearing to serve many users looks statistically similar to a shared proxy exit node. Spur is more precise about distinguishing genuine carrier NAT from actual proxy infrastructure, because its data model was built specifically to identify anonymizing services rather than general abuse history. When they disagree on the proxy flag, trust Spur’s classification. If Spur says not a proxy and IPQualityScore says proxy, you almost certainly have a carrier NAT IP, not a proxy. The reverse (Spur flags it, IPQualityScore does not) is a stronger signal that something is wrong.

MaxMind returns connection_type “corporate” on a genuine SIM.

Some carriers offer business SIM plans that route through enterprise APN gateways with separate IP blocks. Vivifi and certain M1 business tiers do exactly this. If your SIM is on such a plan, MaxMind may classify the IP as corporate rather than cellular because of where the APN gateway sits in the routing table. Cross-reference with IPInfo’s org field: if the organization listed is the carrier’s consumer division, not a separate enterprise entity, the corporate flag is a MaxMind data gap rather than a real signal. Switching to a standard consumer SIM on the same carrier resolves this in the next 24 to 48 hours as the IP gets reclassified.

The API returns 429 or “quota exceeded” mid-way through your lookup script.

AbuseIPDB free accounts cap at 1,000 lookups per day. IPQualityScore free accounts allow 5,000 per month. If you are building an automated monitoring flow around these APIs, cache results per IP for at least six hours. Paying for AbuseIPDB Basic ($20/month) or IPQualityScore Starter unlocks higher rate limits and is worth it if you are checking more than a dozen IPs regularly. The free tiers are fine for one-off audits and new IP vetting but will throttle you fast if you try to run continuous monitoring on a live session fleet.

how this looks on managed hosting

If your Telegram session runs on a cloud phone like the ones in our Singapore farm, you do not need to run most of this lookup sequence yourself. Every IP in the telegramvault fleet is static, pinned to a single SIM, and was checked against AbuseIPDB and IPQualityScore before onboarding. We re-run the checks weekly and rotate any IP whose AbuseIPDB score climbs above 15. The MaxMind connection_type for every SingTel, M1, StarHub, and Vivifi SIM in our farm returns cellular. Spur’s risks array is empty on all of them. If you are already a telegramvault customer and you want to run your own independent mobile IP fraud score lookup to verify, steps 1 and 2 in this guide take about 90 seconds. The results should match what we have already confirmed on our end.

recovery if you mess up

If you ran the lookup sequence after your Telegram account already received a soft restriction or an unexpected phone verification prompt, treat the score data as diagnostic information, not as a fix. The restriction has already been triggered. A clean IP is necessary going forward but it does not undo the flag that is already on the account.

A fresh soft restriction on a clean IP typically clears within 24 to 48 hours if you do not re-trigger it. Do not log in from a different IP during that window. Telegram treats a session IP change during an active restriction period as a new risk event and often escalates the restriction level rather than resolving it.

If your IP scores badly across three or more tools and you are worried about the account, the safest path is to export your session file, pause the Telegram client cleanly, and request a replacement IP from your hosting provider. Do not simply swap SIM cards or change your proxy without closing the session first. Terminate cleanly, pause for at least one hour, then resume on the new IP with a fresh session start. Telegram support is non-functional for IP-adjacent restrictions, particularly for accounts in Iran, Russia, or jurisdictions under active sanctions review. Fix the IP and restart.

related tasks

Understanding why Telegram bans accounts puts the IP fraud score context in perspective. IP reputation is one signal in a multi-factor system that also weights account age, session behavior, message velocity, and contact graph properties. A poor fraud score alone rarely triggers a ban. It combines badly with other weak signals, which is why it matters most at session creation time and during the first weeks of a new account’s life.

The gap between a dedicated IP and a shared one shows up most visibly in mobile IP fraud score lookup results. A dedicated vs shared mobile IP comparison explains why shared residential pools produce exactly the contradictory Spur and IPQualityScore disagreements described in this guide: pools rotate IPs across many users and accumulate mixed abuse histories from customers you have no visibility into.

For operators running a business Telegram account under their own phone number on remote hosting, the IP question connects directly to how the session was originally authenticated. The BYO number Telegram hosting guide covers how to keep your number tied to a session on a remote device without exposing your OTP or phone number data to the hosting provider.

For operators evaluating Singapore as a hosting base, the why Singapore mobile IPs post covers which carrier ASNs score cleanest on MaxMind and Spur, and why SingTel and M1 IP ranges have the fraud score profiles they do compared to mobile carrier IPs in other markets.

final word

owasp.org/www-project-automated-threats-to-web-applications/" target="_blank" rel="noopener">OWASP’s automated threat classification and telegram.org/api/auth" target="_blank" rel="noopener">Telegram’s own auth API documentation both treat IP reputation as one layer of a multi-signal system, not the whole picture. Run the mobile IP fraud score lookup sequence above before you commit any phone number to a long-running remote session. If you want an IP that has already passed all six tools before your account ever touches it, the telegramvault waitlist is the right starting point.