Features and Risk Score

Test Areas

Data supplied to the API is analyzed using a broad spectrum of tests incorporating big data, machine learning, and advanced analytics.

The API groups results into rollup areas for IP, email, phone, location, domain, activity, Geo-location, device, SSN, Tags, and community.

Each area runs many sub-tests as well as cross analysis between linked data (for example the IP and the location). When the analysis and tests are complete, the API returns a Risk Score as well as scores for each area and risk reasons found in a response JSON.

Our analysis includes thousands of tests and some are:

  • IP bots, worms, proxies, TOR, blacklists, spam history, geo-location
  • Email suspect, disposable, free, MX, reputation, history, age
  • domain registration, age, parked, for sale, blacklists, suspended, name servers
  • phone format validity, association with fraud, connected, name matching, line type
  • location checking of country, city, state, and postalcodes
  • Geo-location distances between data points, country risk factors, movement velocity
  • frequency of data, phonetic repeating, consistency of data
  • device fingerprint reputation and activity
  • Millions of community records added from customers who share fraudsters' information

and more. In addition, all scoring can be customized to meet your business risk tolerance levels.


The Talon JavaScript creates a device Fingerprint for each API call. Using fingerprints makes it easier to tag bots, muti-signups, and other risk issues including device spoofing. The Portal tracks all fingerprints and links to the Vet details page so you can quickly view all vets associated with a specific device.

You can tag fingerprints bad, good, do not score or score normally. Fingerprints with a link icon connect previous vets for the same device.

Customizing Scoring

Because each organization views risk differently, risk hit scores are customizable. As an example, tagging a proxy or bot by default results in a High Risk IP score, but you can customize hundreds of these scores to fit your business risk profile using Configure Scores in the Portal.

Custom Score


In addition to custom scoring, tagging is used to score specific emails, emaildomains, domains, names, IPs, country codes, and device fingerprints as good, bad, or to skip scoring. Items you tag as Bad will add negative scoring to the risk area. Good tags add positive scoring, and Do Not Score will set the item score to zero. Good and Bad scoring is in addition to standard area scoring. Tags are used to created your private whitelists, blacklists, and do-not-score lists. Tags can be managed in the Portal or with the Tag API.

Custom Score

To illustrate how tagging works, if you vet IP =, the vet will hit "Private or no geo IP" risk and score -10 for IP area. Adding tags of:

Bad will add -130 to the IP score area, and the IP will now score -140
Good will add +130 to the IP scoring area, and the IP will now score +120
Do Not Score will set the IP scoring to 0


Using phonetic algorithms, pattern matching, and machine learning, the API detects frequency and velocity abuse patterns. This helps eliminate repeat signups, bots, and other fraudsters.

The Portal lists all incidents created by the activity monitor during the last thirty days. To the right of each incident are buttons: Correct to verify the incident as a Repeat Sign-up, False to mark as incorrect (remove from scoring), and Hold to not score until marked correct or false. This report should be checked often because many times the first items in the incident are marked as low risk (no bad pattern yet), and the later ones are marked as high risk. If the incident is Correct, then make sure to take action on all items in the incident.

The system also features an Activity Report API to automate the deletion of these incidents from your databases.

Leads and Campaigns

The service tracks campaign and lead source performance... so you know which ones are delivering the best results. Stop buying leads from sources who deliver bad prospects, and optimize campaign conversion rates.

How is the risk score calculated?

The score starts at zero. When our risk engine discovers good things, such as a clean IP, a few positive points are added. When bad things are identified such as a history of spam or cyber fraud, negative points are scored.

The API returns an overall Risk Score as well as scores for each tested area, such as email, IP, and devive fingerprints. Most vets have some risk, but Risk Scores of -71 and below should be of concern and raise red flags. All scoring is customizable, so your scoring should be set to exceed your bad lead threshold. As a general guideline for risk levels, we also return Risk Type with the Risk Score.

Type Risk Score
Lowest Risk 10+ or higher
Low Risk 0 to 9+
Some Risk -1 to -15
Medium Risk -16 to -30
High Risk -31 to -70
Very High Risk -71 to -100

E-HAWK performs risk checks in real-time for each API call. In addition to returning a Risk Score, we also return risk hit details. As an example:

Risk Score
Risk Type
Very High Risk
Risk Hit Details
  • Disposable email
  • IP on blacklist
  • Domain 3 days old
  • 4 Repeats
  • Community Spam Email

With these details, your company can take specific actions based on actual risk hits, not just a simple score. We also have an Alert system that will notify you when your users are later blacklisted or become high risk.

Reporting and Analytics
Marketing Performance
Read the API documentation