← Back to blog
2026-04-176 min read

Why ASN Reputation Scoring Beats IP Blacklists

IP blacklists have been the backbone of email security for decades. But attackers cracked them long ago; they just rotate IPs. ASN reputation scoring closes that gap by scoring at the network level, where attackers can't hide.

The problem with IP blacklists

IP blacklisting works like this: a bad actor sends spam from IP address 1.2.3.4, that IP gets added to a blacklist, and future mail from that IP gets blocked. It sounds logical. The problem is that IP addresses are cheap and disposable. An attacker who gets blocked simply switches to a new IP and is clean again within minutes. Blacklists are always catching up to yesterday's attackers.

What is an ASN?

An ASN (Autonomous System Number) is a unique identifier assigned to a network operator. When an ISP, hosting provider, or large organisation connects to the internet, they get an ASN. All the IP addresses they operate sit under that ASN. Think of an ASN as the landlord, and IP addresses as individual apartments. Attackers rotate apartments constantly. But they rarely move to a different building.

Why attackers can't easily switch ASNs

Getting a new IP address takes seconds. Getting a new ASN, or renting infrastructure under a different one, takes time, money, and a relationship with a new provider. It's not impossible, but it's expensive enough that most attackers don't bother. This means that when an ASN develops a bad reputation, that reputation sticks in a way that IP reputation never could.

How MX Moat uses ASN scoring

When a connection arrives at the MX Moat gateway, the sender's IP is looked up against the Team Cymru DNS API in real time to retrieve its ASN. That ASN is then checked against our reputation database, which scores ASNs on a scale from -100 (blocked) to +100 (trusted) based on historical behaviour. A neutral or unknown ASN gets a small window to prove itself: a few emails, with greylisting applied. A suspicious ASN gets heavily rate-limited. A blocked ASN gets rejected at the connection level before any email is even transferred.

The result

Because ASN reputation persists across IP rotations, MX Moat can identify and throttle bad actors even when they switch IPs, which is exactly what happens during a registration bomb attack. The ASNs behind most bomb attacks are the same ones behind other spam campaigns. By the time they reach a new target, MX Moat already has their number.

Frequently Asked Questions

Does ASN scoring cause false positives?

Rarely. Legitimate senders, companies like Spotify, Mailchimp, or Google, consistently operate from well-established, trusted ASNs. We pre-seed the reputation database with trusted ASNs for major providers, so their mail is never affected.

What happens to a new sender with no reputation?

New senders are treated as neutral and subject to greylisting. Their server is asked to retry after a short delay. Legitimate mail servers always retry. Bots and bulk senders typically don't. This alone eliminates 80-90% of bomb traffic.

How is ASN reputation built up over time?

Every email that passes through MX Moat updates the ASN score. Good behaviour (legitimate mail, proper retries) improves the score. Bad behaviour (high volume, bomb patterns, failed authentication) lowers it. The score adjusts continuously.

Have a question about protecting your domain?

Get in Touch →

Don't Wait for the Attack

Registration bombs don't send warnings. By the time you notice, 100,000 emails are already in your inbox. Protect your domain now.

Protect Your Domain →
🇪🇺 EU-hosted · GDPR compliant · Works with any email provider · Setup in 5 minutes