Hacker News: fragfester's comments

Thanks for the feedback, completely agreed. We are redoing the entire docs page to give more info on all responses plus some other generic stuff/updates.

Regarding only one risk type per IP: we set the severity to the max level logged in our system. If it's a 3, 4 and 5 based on attack type, frequency of attack, method of collection, etc., it'll be the highest severity logged. We might look at integrating this differently in v2.


It has been added to Trello


Can you send a screenshot to hello@fraudguard.io and I'll take a look now?


So in the past we talked about this kind of integration. Our only concern would be user generated content. Our users can 100% trust that if an IP is in our system and logged as a level 5 risk level, that the originating IP hacked one of our nodes and was caught in the process.

Obviously we are concerned that a user that doesn't like (example IP) 4.2.2.1 for whatever reason might create 10 accounts and log this IP as malicious, so we would need to tag it as user-generated before we turn it on. But we are considering it.


It's my fault. I'll try to find a way to get this data and eventually adjust my code to not include non-exit relays or at least recategorize them as a lower severity.


Not your fault - not talking about your service specifically! My IP was banned by several other companies (I assume from a list that was purchased from a third party) like Hulu/Netflix because I was simply relaying non-exit traffic.

TOR and people who speak for the service often say that it's safe to run a non-exit relay. It isn't. It's tracked and punished. I know from first-hand experience.


I've been running Tor relays from home for about a year. Only sites I've found to block me are Monoprice and Apple's support forums. Hulu and Netflix are fine.


Does Tor use its own port? If so, how hard would it be to switch it to use something like 80, 23, or even 8080?


The IP of a Tor relay is publicly distributed, that's how other nodes know to connect to it.

You can see for yourself: https://atlas.torproject.org


Although at a guess, most of these services probably do the simplest thing possible and go by an open port.


Why would they increase the threat profile of an IP in any way at all? An exit node, sure, but a relay? What possible threat could a relay pose?


Agreed it was a mistake on my part, I'll fix it up shortly to include only exit nodes.
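The two points made in this thread, that an IP's severity is the maximum of everything logged for it and that Tor relays should only count when they are exit relays (or be downgraded otherwise), as an added example in Python. This is not FraudGuard's code; it assumes relay data shaped like the Onionoo "details" document behind atlas.torproject.org (only the `or_addresses`, `exit_addresses` and `flags` fields are used), and all relay records and risk events below are constructed samples. The severity used for non-exit relays is an assumed value.

```python
"""Added example (not FraudGuard's code).

- relay_roles(): classify relay IPs as exit / non-exit from an Onionoo-style
  "details" document (assumed format; sample data is constructed).
- aggregate(): per-IP severity = max of all logged events, with tor_relay
  events for non-exit relays either downgraded or dropped.
"""
import ipaddress
import json

# Constructed sample in the shape of Onionoo's "details" document.
RELAY_DETAILS = json.dumps({
    "relays": [
        {"nickname": "sampleExit",
         "or_addresses": ["198.51.100.10:9001"],
         "exit_addresses": ["198.51.100.10"],
         "flags": ["Exit", "Running"]},
        {"nickname": "sampleMiddle",
         "or_addresses": ["203.0.113.5:443", "[2001:db8::5]:443"],
         "flags": ["Guard", "Running"]},
    ]
})

# Constructed sample of risk events as a collector might log them (severity 1..5).
RISK_EVENTS = [
    {"ip": "192.0.2.7", "type": "honeypot", "severity": 5},
    {"ip": "192.0.2.7", "type": "spam", "severity": 3},
    {"ip": "203.0.113.5", "type": "tor_relay", "severity": 4},  # non-exit relay
    {"ip": "198.51.100.10", "type": "tor_relay", "severity": 4},  # exit relay
    {"ip": "203.0.113.5", "type": "spam", "severity": 2},
]

NON_EXIT_RELAY_SEVERITY = 1  # assumption: downgrade non-exit relays to the lowest level


def relay_roles(details_json):
    """Map normalized relay IP -> 'exit' or 'non-exit'."""
    roles = {}
    for relay in json.loads(details_json)["relays"]:
        is_exit = "Exit" in relay.get("flags", [])
        addrs = set(relay.get("exit_addresses", []))
        for or_addr in relay.get("or_addresses", []):
            host, _, _ = or_addr.rpartition(":")   # strip port; works for [v6]:port too
            addrs.add(host.strip("[]"))
        for addr in addrs:
            roles[str(ipaddress.ip_address(addr))] = "exit" if is_exit else "non-exit"
    return roles


def aggregate(events, roles, non_exit_severity=NON_EXIT_RELAY_SEVERITY):
    """Return {ip: {"severity": max_logged, "types": [...]}}.

    tor_relay events whose IP is not a known exit relay are downgraded to
    non_exit_severity, or dropped entirely when non_exit_severity is None.
    Keeping the list of types alongside the max severity is what lets an API
    report more than one risk type per IP.
    """
    out = {}
    for ev in events:
        ip = str(ipaddress.ip_address(ev["ip"]))
        sev = ev["severity"]
        if ev["type"] == "tor_relay" and roles.get(ip) != "exit":
            if non_exit_severity is None:
                continue
            sev = non_exit_severity
        rec = out.setdefault(ip, {"severity": 0, "types": set()})
        rec["severity"] = max(rec["severity"], sev)
        rec["types"].add(ev["type"])
    return {ip: {"severity": r["severity"], "types": sorted(r["types"])}
            for ip, r in out.items()}


if __name__ == "__main__":
    roles = relay_roles(RELAY_DETAILS)
    for ip, rec in sorted(aggregate(RISK_EVENTS, roles).items()):
        print(ip, rec)
```

Running it with the constructed data gives severity 5 for 192.0.2.7 (honeypot beats spam), 4 for the exit relay, and only 2 for the non-exit relay, whose `tor_relay` event no longer dominates its score; passing `non_exit_severity=None` drops that event altogether, which matches the "only exit nodes" change discussed above.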


Thanks, I really appreciate it.

Due to a similar IP reputation service, I couldn't pay my taxes from home this year, just because I had run a non-exit Tor relay recently. It's a big problem.

ETA: I'd also strongly recommend not marking an IP address specially in any way just for having a non-exit relay -- from what I've seen, the clients of IP reputation vendors also don't understand the distinction, so they block both kinds if told about both kinds. It's an attractive nuisance.


> Due to a similar IP reputation service, I couldn't pay my taxes from home this year, just because I had run a non-exit Tor relay recently. It's a big problem.

Something doesn't seem correct to me about this...


Doesn't really matter - it happens. I'm not specifically talking about the OP's service but rather another third party list that was purchased by other companies. My IP was banned. Whether it should have been or not is up for debate, but I can tell you I was confused for a week straight when I was getting cryptic Hulu/Netflix/Bank/etc error messages.


There are a lot of IPs out there. Unlike Pokemon, we can't catch them all. It varies, but we run less than 50 honeypot nodes in 15 different countries (because I pay for them out of the kindness of my heart each month, as we are not yet profitable) right now that would collect this kind of data. Our goal is if we get more people to sign up we will add more nodes. Obviously more nodes = more data.


Why not price a little higher, lower it when you get profits?


We never considered it I guess. Like someone else already mentioned there are other options out there but their prices are insanely ridiculous. Starting at $10 /month the three of us devs/creators feel like a competitive price will keep big and small customers happy hopefully long-term.


Look up articles on pricing plans. $10 is really low and makes your product seem less valuable (if it's so good why are you almost giving it away?). Cheap and free customers are often not worth the headache. You probably want the entry-level plan to be at least $39, $49 or so. Maybe more. Offer a free trial, and let that be enough for the cheap customers.

I don't think there are 100s, let alone 1000s, of low-maint customers that are thinking "hmm, this abuse issue is really a problem on my site, consuming at least an hour a month of my time, but I can't afford $49 to fix it".

Think about it, you're asking for $25 for a million checks. Typically that'll be sign-ups or some sort of interaction. So their volume is probably what, 10-50x times that. Even if they used your API for checking before anon comments, that means they're getting millions of pageviews/visits per month. If such a site can't afford a, I dunno, $199 plan, maybe they aren't worth dealing with.

If you really think you need a charity-level plan, perhaps include a contact link for "open source and educational projects".

Someone will probably point out some wildly successful freemium model. Suppose that's possible too. But even then you'll want to make a large gap between free and premium. No one wants to deal with $10/month business customers.


You know, I remember some old Tom & Jerry cartoon where an older mouse was explaining capitalism. How a factory that sells great volumes is able to reduce its margins and make even more total profit. Something like that.

So... what is wrong with a "low" price?

Must pricing nowadays be all game-theory where you want to extract the maximum amount without any regard for underlying value or actual costs?

It's almost a meme on HN: "you are asking too little!" "Raise your prices, double your consulting rate!" "Businesses don't even notice bills under $4999!"

I'm from Romania where my "business" cell phone (with 1GB internet and basically unlimited calls) is costing me $7/month. My build server on AWS used to cost me $25/month. Nowadays I use my own machines so I only pay for some leftover storage and I get a whopping $1.50/month bill on my card. I pay $39/month for accounting.

No matter how great a startup believes their thing is, a business has to cover a lot of expenses and 100 super-duper-products to purchase do add up. At some point it might even make sense to say: yes, I'll have an employee waste 1 hour each month on this problem instead of adding another vendor/product/contract to the list.


1 million checks a month. If the problem rate is even 1%, that's 10,000 "problems" that need to be resolved. At 1/minute, that's a full-time person on the job! If that's not worth $$$$, the business isn't in the target audience.

And for people using this for fraud, it's gonna take more than a minute, and there might be even more damage. For instance, avoiding chargebacks on 0.1% would more than pay for itself. And that's a good selling point: "Our product will save you $x% a month". It makes it a no-brainer, instant ROI.

So getting, say, $995 vs $25 means he has to find 40x fewer customers! He can afford to spend a bit on sales. It's a meme on HN because it's true and we engineers have a terrible habit of repeatedly undervaluing things.

He could even offer a "pre-launch" plan if he's worried about startups not wanting to rack up bills before actually having customers. That way they can maintain price plan integrity.

Overall I feel HN/engineers (myself included; I have to force myself here) worry too much about edge cases and keep thinking somehow these cases will make a serious business.


That's really great advice, we're talking about it on Slack now.

Thanks


As a converse to this....

If you raise your price, you will only end up dealing with businesses that have identified a need for your product, and know exactly how much fraud and other issues cost them.

With your price as is anyone can use it for any purpose, including those that don't involve losing money because of a fraud transaction.

I considered using you for my site just to get GEO-IP. Sure, I could set up a geoip database myself and keep it in sync manually, but at your price point... it was a no brainer.

Plus I'd get threat analysis thrown in so I can know if one of my users isn't able to see the site because Cloudflare is blocking them for being a tor exit node.

But of course if you charge $1000 a month for that, I won't use it for 'any purpose'. I'll just use it for pre-screening new subscriber accounts (and not free ones) because that's the only time it'd make sense.


Look at the numbers again. 1,000,000 checks a month for $25? Even for an ad-supported site (using the checks for commenting) will get vastly more revenue and be able to afford it.

Remember, at $10 for $100, he has to convert 10x the number of accounts. People that are considering setting up their own DB usually don't fall into the category of "good SaaS customers".


True, but if I weren't a technically enabled client then I would want real fraud scrubbing, not this simplistic stuff based solely on someone's IP address.

This is something you can add to your own heuristic, but not really use as-is.


Thanks for all the great feedback everybody. We are still looking at pricing. Obviously with all the signups today we will honor original pricing forever if we do decide to make any changes in the future.


We do use Maltrail along with a whole lot else. You don't have experience with it perhaps? Are you currently employed or angry at your employer?


:-) I built my own API and it is automatically updated every 2 hours. I'm using threatminer to do cross-validation on sampled values.


Thanks for the heads up. It's fixed


Ya, I'm the idiot that went to Chipotle in the middle of a launch. Haha


No excuse! ;)

(I love the spirit of this project. If you have any way others can contribute, I would be interested!)


I'm Ryan, one of three devs that built FraudGuard.io. Honestly we have a lot more work to do, specifically in spam. With that being said, spam is the least requested collector so far by our users. Just to share: in beta we asked some of our heavy users, and about 90% of our users preferred our focus was on honeypot collection; spam was less than 2%.

So here's how it works now. We do not rely on external sources at this time. The reason is that our traffic is so high that no external source, at least that we've found, will serve our users' traffic.

For example, stopforumspam.com limits API requests to 20,000 per day. I haven't checked our stats today, but during our beta (which ended yesterday) we served more than 20,000 API requests per hour. So even with huge cache durations set, it's very hard to rely on outside sources, so instead we run all our own spam collectors, using our own domains, etc.

