These rules apply to use of the report and report-bulk API endpoints, as well as the respective web forms.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Attack here and elsewhere on the site refers to a cybersecurity attack. If you were physically assaulted or abused, please call your local police.

• Report MUST be of an attack no older than 60 days.
• Report MUST contain a detailed description of the attack. Recommended details to include are: port number, payload, and timestamp.
• Report SHOULD include a timestamp of the attack. If no timestamp is included in the comment, the time of report is assumed to be the time of attack.
• Report MUST NOT be of an attack where the source address is likely spoofed i.e. SYN floods and UDP floods. TCP connections can only be reported if they complete the three-way handshake. UDP connections cannot be reported.
• Report MUST NOT be on the basis of an AbuseIPDB confidence of abuse score. This is circular logic.
• Report MAY be an aggregation of multiple logs related to a single attack.

Reports with the same comment and categories within a 24 hour window will be merged.

AbuseIPDB reserves the right to remove reports at its discretion. AbuseIPDB reserves the right to suspend any user's ability to report.