• Resolved AlexReds

    (@sr-2)


    Hi,

    I have a lot of attacks from 5.188.86.218 and your dashboard marks it as from Ireland, whereas this is a Russian IP. Their hostname is hostby.channelnet.ie; maybe that’s why you mark it as Irish?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi @sr-2,

    IP to location services are not 100% accurate.

    Wordfence uses a lookup table provided by https://www.maxmind.com
    We only use the IP to reverse the location, not the hostname.

    I looked up the IP address in question, and saw that it was returning locations within Ireland / Netherlands, https://dnschecker.org/ip-location.php?ip=5.188.86.218

    Here’s an explanation why the location might be incorrect:
    https://www.whatismybrowser.com/faq/location-detection-is-wrong

    Some ISPs route all their traffic to a fairly central location before it reaches the public internet. As such, regardless of where you are actually located, your internet traffic will appear to be coming from the location of the ISP’s exit point.

    Dave

    Thread Starter AlexReds

    (@sr-2)

    I see you are right, some IP services do show it as from Ireland. I think it might be proxied or something.

    So, this part of the log might be misleading and cannot be trusted then.
    I think it might be useful for your customers to know about it. Maybe you could add a little note where you warn about such inconsistencies?

    Anyway, thank you for getting back to me so promptly.

    Alex

    Thread Starter AlexReds

    (@sr-2)

    I just checked another site and the logs show a similar IP, 5.188.62.25, and marked it as Russian Federation. Can two IPs from the same network (5.188.) be so far apart?

    Maybe it makes sense to mark the worst offenders manually?

    Hi again,

    The first two octets of an IP address, in this case 5.188, do not always mean a certain country.

    For example, look up 5.188.0.0 and it will state that this IP address is in the United States.

    Dave

    Thread Starter AlexReds

    (@sr-2)

    Yeah, you are right: ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest

    It looks like it’s distributed across a few countries. I do see RU is the most with 5.188 IPs tho.

    Whois.ripe.net also shows Netherlands and Ireland. I don’t really understand how that’s possible tho.

    ALEX-DM-WS02:~ alex$ whois -h whois.ripe.net 5.188.86.218
    inetnum:        5.188.86.0 - 5.188.87.255
    netname:        Channelnet-NET
    descr:          pool for VPS and Cloud hosting
    country:        NL
    org:            ORG-CL421-RIPE
    admin-c:        CPLN2-RIPE
    tech-c:         CPLN2-RIPE
    mnt-by:         MNT-PINSUPPORT
    mnt-lower:      GLOBALLAYER
    mnt-routes:     GLOBALLAYER
    mnt-routes:     channelnet
    mnt-domains:    GLOBALLAYER
    mnt-domains:    MNT-PINSUPPORT
    mnt-domains:    channelnet
    status:         SUB-ALLOCATED PA
    created:        2017-08-22T00:17:31Z
    last-modified:  2018-01-24T11:13:43Z
    source:         RIPE
    
    organisation:   ORG-CL421-RIPE
    org-name:       Channelnet LTD.
    org-type:       OTHER
    address:        Ireland, Europe
    abuse-c:        CPLN2-RIPE
    mnt-ref:        channelnet
    mnt-by:         channelnet
    created:        2017-08-21T17:35:25Z
    last-modified:  2020-01-19T12:19:27Z
    source:         RIPE # Filtered
    
    role:           Channel NET Network Operation Centre
    address:        Ireland, Europe
    abuse-mailbox:  [email protected]
    nic-hdl:        CPLN2-RIPE
    mnt-by:         channelnet
    created:        2016-09-15T08:45:04Z
    last-modified:  2020-01-19T12:16:53Z
    source:         RIPE # Filtered
    
    % Information related to '5.188.86.0/24AS49453'
    
    route:          5.188.86.0/24
    descr:          FastHost
    origin:         AS49453
    mnt-by:         GLOBALLAYER
    created:        2017-08-22T16:51:28Z
    last-modified:  2017-08-22T16:51:28Z
    source:         RIPE
    
    % This query was served by the RIPE Database Query Service version 1.97 (BLAARKOP)

    As far as I know, the only thing that is based on region is the assignment listed here: https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks#List_of_assigned_/8_blocks_to_the_regional_Internet_registries

    Other than that, there’s no rule saying that IPs that begin with a certain subnet must belong to a certain country.

    Dave

    Thread Starter AlexReds

    (@sr-2)

    Ah well, looks like there is no way of removing my country from the list.
    I still think a little note or an asterisk next to country flags, or something like that, would let people know that this is not 100% accurate.

    But I defo can’t block the whole 5.188.* range then. Have to nitpick all offending IPs manually.
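
The whois reply quoted in the thread already states the registered range that contains the offending address, and it is far narrower than 5.188.*. As an added example (not part of the original thread and not Wordfence code), this Python script parses an excerpt of that reply, converts the `inetnum` range to CIDR and checks both addresses mentioned in the thread against it; the function names are illustrative.

```python
import ipaddress
import re

# Excerpt of the whois.ripe.net reply quoted in the thread (fields copied from the page).
WHOIS_TEXT = """\
inetnum:        5.188.86.0 - 5.188.87.255
netname:        Channelnet-NET
country:        NL
status:         SUB-ALLOCATED PA

route:          5.188.86.0/24
origin:         AS49453
"""

def parse_objects(text):
    """Split RPSL-style whois text into objects (one dict per blank-line-separated block)."""
    objects = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in chunk.splitlines():
            if line.startswith("%") or ":" not in line:
                continue  # skip server comments and malformed lines
            key, _, value = line.partition(":")
            obj.setdefault(key.strip(), value.split("#")[0].strip())
        if obj:
            objects.append(obj)
    return objects

def registered_networks(text):
    """Return the CIDR blocks covering every inetnum range in the reply."""
    nets = []
    for obj in parse_objects(text):
        if "inetnum" in obj:
            first, last = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"].split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def classify(ips, nets):
    """Map each log IP to the registered block containing it, or None if outside."""
    return {ip: next((str(n) for n in nets if ipaddress.ip_address(ip) in n), None)
            for ip in ips}

NETS = registered_networks(WHOIS_TEXT)
LOG_IPS = ["5.188.86.218", "5.188.62.25"]  # the two addresses mentioned in the thread

if __name__ == "__main__":
    covered = sum(n.num_addresses for n in NETS)
    total = ipaddress.ip_network("5.188.0.0/16").num_addresses
    print("registered block(s):", [str(n) for n in NETS])
    print(f"{covered} of {total} addresses in 5.188.0.0/16")
    print(classify(LOG_IPS, NETS))
```

The second address falls outside the block, so it needs its own whois lookup before any range rule is written for it.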

  • The topic ‘Incorrect country in the logs’ is closed to new replies.