API Documentation
Everything you need to integrate Fraudcache into your security stack — from simple cURL commands to full API access.
By using Fraudcache data, you agree to our legal terms:
Overview
Fraudcache provides two ways to access abuse intelligence data:
Plain Text Feeds
Download .txt files with one IP per line. Perfect for firewalls, ipset, nginx, and HAProxy.
JSON API
Real-time lookups with confidence scores, explanations, and detailed metadata.
Base URL
https://fraudcache.com
Download .txt Feeds
The simplest way to use Fraudcache is to download our plain text feeds. Each feed contains one IP address per line, updated every 15 minutes. No authentication required.
Available Feeds
Combined Feed
All malicious IPs from all categories in a single feed
fraudcache-all.txt
Spam IPs
Email spam, SMTP abuse, bulk messaging
fraudcache-spam-ips.txt
Web Attacks
SQLi, XSS, credential stuffing, exploits
fraudcache-web-attacks.txt
Scanners
Port scanning, SSH/RDP brute force
fraudcache-scanners.txt
Botnet C2
Command & control infrastructure
fraudcache-botnet-c2.txt
Download with cURL
# Download the combined feed (all categories)
curl -O https://fraudcache.com/feeds/fraudcache-all.txt
# Download a specific category feed
curl -o /etc/blocklists/spam.txt https://fraudcache.com/feeds/fraudcache-spam-ips.txt
# Download all category feeds
curl -o /etc/blocklists/spam.txt https://fraudcache.com/feeds/fraudcache-spam-ips.txt
curl -o /etc/blocklists/web_attack.txt https://fraudcache.com/feeds/fraudcache-web-attacks.txt
curl -o /etc/blocklists/scanner.txt https://fraudcache.com/feeds/fraudcache-scanners.txt
curl -o /etc/blocklists/botnet_c2.txt https://fraudcache.com/feeds/fraudcache-botnet-c2.txtDownload with wget
# Download the combined feed (all categories)
wget https://fraudcache.com/feeds/fraudcache-all.txt
# Download only if newer (timestamping)
wget -N https://fraudcache.com/feeds/fraudcache-all.txt
# Download to specific directory
wget -P /etc/blocklists/ https://fraudcache.com/feeds/fraudcache-spam-ips.txtAuto-Update with Cron (Recommended)
#!/bin/bash
# Save as: /usr/local/bin/update-fraudcache.sh
DIR="/etc/blocklists"
BASE_URL="https://fraudcache.com/feeds"
mkdir -p $DIR
# Download the combined feed (recommended)
curl -sf -o "$DIR/all.txt.tmp" "$BASE_URL/fraudcache-all.txt" && \
mv "$DIR/all.txt.tmp" "$DIR/all.txt"
# Or download individual category feeds
curl -sf -o "$DIR/spam.txt" "$BASE_URL/fraudcache-spam-ips.txt"
curl -sf -o "$DIR/web_attack.txt" "$BASE_URL/fraudcache-web-attacks.txt"
curl -sf -o "$DIR/scanner.txt" "$BASE_URL/fraudcache-scanners.txt"
curl -sf -o "$DIR/botnet_c2.txt" "$BASE_URL/fraudcache-botnet-c2.txt"
# Add to crontab (runs every 15 minutes):
# */15 * * * * /usr/local/bin/update-fraudcache.shDirect Feed URLs
- https://fraudcache.com/feeds/fraudcache-all.txt (combined)
- https://fraudcache.com/feeds/fraudcache-spam-ips.txt
- https://fraudcache.com/feeds/fraudcache-web-attacks.txt
- https://fraudcache.com/feeds/fraudcache-scanners.txt
- https://fraudcache.com/feeds/fraudcache-botnet-c2.txt
Feed Format
All feeds are plain text files with one IP address per line. Lines starting with # are comments.
# Fraudcache Spam Feed
# Generated: 2026-01-27T17:55:44+01:00
# Category: spam
# License: Free for any use
#
192.0.2.1
192.0.2.15
198.51.100.5
198.51.100.42
203.0.113.88
2001:db8::1
2001:db8:85a3::8a2e:370:7334Format
One IP per line, IPv4 and IPv6
Updates
Every 15 minutes
License
Free for any use
DNSBL Integration
DNS-based Blocklist for real-time queries
Query the Fraudcache blocklist via DNS for instant IP reputation checks. Perfect for mail servers, firewalls, and any system that supports RBL lookups.
DNSBL Zone
bl.fraudcache.com
Use this zone in your mail server, spam filter, or firewall configuration.
How It Works
# To check if IP 192.0.2.1 is listed:
# 1. Reverse the IP octets: 1.2.0.192
# 2. Append the zone: 1.2.0.192.bl.fraudcache.com
# 3. Query via DNS:
$ dig +short 1.2.0.192.bl.fraudcache.com
127.0.0.3 # Listed as spam source
# No response = not listed
$ dig +short 1.1.1.1.bl.fraudcache.com
# (empty response - NXDOMAIN)Return Codes
| Code | Category | Description |
|---|---|---|
127.0.0.2 |
Generic | Combined/default malicious IP |
127.0.0.3 |
Spam IPs | Email spam, SMTP abuse, bulk messaging |
127.0.0.4 |
Web Attacks | SQLi, XSS, credential stuffing, exploits |
127.0.0.5 |
Scanners | Port scanning, SSH/RDP brute force |
127.0.0.6 |
Botnet C2 | Command & control infrastructure |
Integration Examples
Postfix
# /etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client bl.fraudcache.com,
permitSpamAssassin
# /etc/spamassassin/local.cf
header RCVD_IN_FRAUDCACHE eval:check_rbl('fraudcache', 'bl.fraudcache.com.')
describe RCVD_IN_FRAUDCACHE Listed in Fraudcache DNSBL
score RCVD_IN_FRAUDCACHE 2.5
# Category-specific scoring
header RCVD_IN_FRAUDCACHE_SPAM eval:check_rbl_sub('fraudcache', '127.0.0.3')
score RCVD_IN_FRAUDCACHE_SPAM 3.5Rspamd
-- /etc/rspamd/local.d/rbl.conf
rules {
"FRAUDCACHE" {
rbl = "bl.fraudcache.com";
symbol = "FRAUDCACHE_RBL";
returncodes {
FRAUDCACHE_SPAM = "127.0.0.3";
FRAUDCACHE_ATTACK = "127.0.0.4";
FRAUDCACHE_SCANNER = "127.0.0.5";
FRAUDCACHE_BOTNET = "127.0.0.6";
}
}
}Test the DNSBL
dig +short 2.0.0.127.bl.fraudcache.com
This test IP should return 127.0.0.2 to confirm the DNSBL is working.
Authentication
Plain text feeds and basic API endpoints don't require authentication. For higher rate limits and additional features, use an API key.
| Tier | Authentication | Rate Limit | Features |
|---|---|---|---|
| Public | None | 100 req/min | Feeds, single IP check |
| Registered | API Key | 1,000 req/min | + Batch check, detailed info |
| Partner | API Key | 10,000 req/min | + Signal ingestion, webhooks |
Using Your API Key
Authorization: Bearer YOUR_API_KEYCheck IP (JSON API)
Check if a single IP address is listed in any Fraudcache feed and get detailed information.
Example Request
curl https://fraudcache.com/api/v1/check/192.0.2.1Example Response
{
"ip": "192.0.2.1",
"version": 4,
"listed": true,
"categories": [
{
"name": "spam",
"confidence": 85,
"status": "active",
"decision": "publish"
}
],
"explanation": "This IP has 7 signal(s) from 3 source(s)...",
"checked_at": "2026-01-23T12:00:00Z"
}Batch Check
Check multiple IP addresses in a single request (max 100). Requires authentication.
Example Request
curl -X POST https://fraudcache.com/api/v1/check \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"ips": ["192.0.2.1", "192.0.2.2", "2001:db8::1"]
}'Understanding Scores
Fraudcache uses a confidence-based scoring system (0-100) instead of binary blacklisting.
0-14
Ignored
Insufficient evidence
15-29
Observed
Tracked, not in feeds
30-59
Published
In public feeds
60-100
High Risk
Verified threat
Signal Weight
Honeypots weigh more than external feeds
Source Diversity
Multiple sources increase confidence
Recency
Recent signals weigh more
Time Decay
Scores decrease if abuse stops
Signal Ingestion
Contribute your own abuse signals to help improve the platform. Requires authentication.
Example Request
curl -X POST https://fraudcache.com/api/v1/ingest/community \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"ip": "192.0.2.1",
"category": "spam",
"evidence": "Received spam from this IP on 2026-01-23",
"confidence": 7
}'