Fraud + abuse protection
Bots don't get attribution.
Cobalz scores every click against IPQS and Fingerprint Pro signals before attribution. Edge rate limiting on the public click endpoint. Configurable auto-block + manual review thresholds.
What ships
The defense in depth.
- Edge rate limit: 60 clicks/min/IP on the public ingest endpoint, Upstash Redis backed
- IPQS: fraud_score, proxy, vpn, tor, recent_abuse, bot_status — composite score weighted
- Fingerprint Pro: bot probability, vpn/tor signals, visitor id stability
- Self-referral block: on by default, +50 score when affiliate clicks their own link
- Velocity flags: rapid clicks from same IP/session
- Refund-rate flag: affiliates with >50% refund rate auto-flagged
- UA pattern matching: bots/crawlers/headless/python-requests/curl auto-flagged
- Configurable thresholds: review at 60, block at 85 by default
- Outbound webhook: fraud.flagged fires on suspend/ban with reason matching fraud/abuse/chargeback
- Scoring is composable: the @cobalz/abuse package is open for custom rules
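How composable rules, the 60/85 thresholds and the per-IP limit fit together, as an added sketch that is not Cobalz code and does not use the @cobalz/abuse API. The field names, function names and every weight except the +50 self-referral are assumptions, and an in-memory Map stands in for the shared Redis store.

```javascript
// Added illustration, not the @cobalz/abuse API. Only these numbers come from
// the page: +50 self-referral, review at 60, block at 85, 60 clicks/min/IP.
const REVIEW_AT = 60, BLOCK_AT = 85, MAX_CLICKS_PER_MIN = 60;
const BOT_UA = /bot|crawler|headless|python-requests|curl/i;

// Each rule returns the points it adds to the composite score (0 if it does not fire).
const baseRules = [
  // Self-referral: +50 (from the page). Null check avoids matching two missing ids.
  (c) => (c.visitorAccountId != null && c.visitorAccountId === c.affiliateId ? 50 : 0),
  (c) => (BOT_UA.test(c.userAgent || "") ? 40 : 0),     // UA pattern; weight assumed
  (c) => (c.affiliateRefundRate > 0.5 ? 30 : 0),        // refund rate >50%; weight assumed
  (c) => Math.round((c.vendorFraudScore || 0) * 0.5),   // vendor score 0-100; weight assumed
];

// Sum all rules (built-in plus caller-supplied), clamp to 0-100, map to an action.
function scoreClick(click, extraRules = []) {
  const raw = [...baseRules, ...extraRules].reduce((sum, rule) => sum + rule(click), 0);
  const score = Math.min(100, Math.max(0, raw));
  const action = score >= BLOCK_AT ? "block" : score >= REVIEW_AT ? "review" : "allow";
  return { score, action };
}

// Fixed-window limiter: returns true while the IP is within its per-minute budget.
function makeLimiter(limit = MAX_CLICKS_PER_MIN, windowMs = 60000) {
  const windows = new Map(); // ip -> { start, count }
  return (ip, nowMs) => {
    const start = Math.floor(nowMs / windowMs) * windowMs;
    const w = windows.get(ip);
    if (!w || w.start !== start) {
      windows.set(ip, { start, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}

// Constructed sample clicks (not real traffic).
const selfReferral = { affiliateId: "aff_1", visitorAccountId: "aff_1",
  userAgent: "Mozilla/5.0 (X11; Linux x86_64)", affiliateRefundRate: 0.1, vendorFraudScore: 20 };
const scriptedClient = { affiliateId: "aff_1", visitorAccountId: null,
  userAgent: "python-requests/2.31", affiliateRefundRate: 0.1, vendorFraudScore: 90 };
const cleanClick = { affiliateId: "aff_2", visitorAccountId: "user_9",
  userAgent: "Mozilla/5.0 (X11; Linux x86_64)", affiliateRefundRate: 0.05, vendorFraudScore: 10 };
```

The rate limiter runs before scoring, so a click that exceeds the per-IP budget never reaches attribution at all.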
Stop paying commissions to bots.
Anti-fraud is built in on every plan, not a paid add-on.