87.118.116.90

{ } JSON 🔧 Full Actions API

🤖 Witness AIThis summary was generated by AI and may contain inaccuracies. Verify critical details independently.

IP Intelligence Briefing: 87.118.116.90

Date: 2026-06-09

Key Findings

1. Risk Profile

- Reputation: Moderate Risk (Risk Score: 40).

- Network Role: Identified as a Tor Exit Node (provider: KEYWEB-MNT).

- Geolocation: Registered to Germany (DE), but geolocation data suggests London, UK.

2. Ownership

- ASN: 31103 (KEYWEB-AS, Keyweb AG).

- Subnet: 87.118.116.0/24.

- Abuse Contact: Available via RDAP.

3. Threat Indicators

- No active malicious indicators (no blacklists, spam, or campaigns).

- DNS Associations: Linked to `this-is-a-tor-exit-node---keywebtor1.artikel5ev.de` (no security records like SPF/DMArc).

4. Network Activity

- BGP: Part of the `87.118.64.0/18` prefix (KEYWEB-AS).

- Routing: Stable with no recent route changes.

- Subnet Neighbors:

- 87.118.116.12 (Risk Score: 66).

- 87.118.116.103 (Risk Score: 55).

- Subnet abuse density: Low.

5. Historical Observations

- Recent Activity: DNS and routing data observed in June 2026.

- No Persistent Threats: No long-term malicious behavior detected.

6. Relationships

- Network Links: Multiple connections to `DE-KEYWEB-III` (same network).

- DNS: Strong association with the `artikel5ev.de` domain.

Actionable Insights

Monitor Tor Exit Node: While Tor exit nodes are not inherently malicious, this IP’s association with a Tor node could indicate potential anonymization or covert communication.
Verify DNS Security: The linked domain (`artikel5ev.de`) lacks SPF/DMArc records, which may indicate poor email hygiene.
Subnet Assessment: Neighboring IPs in the 87.118.116.0/24 subnet show mixed risk levels; prioritize monitoring higher-risk siblings (e.g., 87.118.116.12).
Geolocation Discrepancy: Investigate the conflicting geolocation data (Germany vs. London) for potential registration errors or misconfigurations.

Recommendations

Network Defense: Consider blocking this IP if it is associated with suspicious traffic, given its Tor exit node role.
DNS Monitoring: Track DNS queries to `artikel5ev.de` for anomalies.
Subnet Review: Reassess the 87.118.116.0/24 subnet for potential risks, especially if neighboring IPs exhibit higher threat scores.

Conclusion: This IP is associated with a Tor exit node and has a moderate risk profile. While no direct malicious activity is detected, its role as a Tor node and the lack of DNS security measures warrant further investigation. SOC teams should monitor for unusual traffic patterns and verify geolocation accuracy.

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

🌍 Geolocation

Country	🇩🇪 Germany
Region	—
City	London
Timezone	Europe/Berlin
Latitude	51.17
Longitude	10.45

🏢 Ownership & Registration

Organization	KEYWEB-MNT
ASN	AS31103
Network Name	—
CIDR Block	—
RIR	RIPE
Country	—
Abuse Contact	Available via RDAP

🌐 DNS Intelligence

PTR	this-is-a-tor-exit-node---keywebtor1.artikel5ev.de
Forward Confirmed	Yes — FCrDNS verified
Forward Hostnames	`this-is-a-tor-exit-node---keywebtor1.artikel5ev.de`

🔐 DNS Hygiene

Hygiene Score	40% (Fair)
SPF	Not configured
DMARC	Not configured
FCrDNS	Verified
DNSSEC	Valid
CAA	Not configured

☁️ Network Classification

Infrastructure	Unknown
Service Purpose	Web Server
Network Tier	Tier 3 — Basic operator with some routing infrastructure

Tor

🔌 Services & Open Ports

Port	Service	Protocol	Banner
80	http	tcp	—
443	https	tcp	—
22	ssh	tcp	SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7
Closed Ports	25, 3389, 8080, 8443 (3 open / 7 scanned)

Server	lighttpd/1.4.69
HTTP Title	—
SSH Version	SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7

🔐 TLS Certificate

🔒

CN=www.5qunwlgw7cmrbbkom.net

Issued by CN=www.zxsmyo3xb.com

Self-signed: No

SANs	None
Valid From	2025-11-18T00:00:00+00:00
Valid Until	2026-07-22T00:00:00+00:00
TLS Protocol	Tls13
Cipher Suite	TLS_AES_256_GCM_SHA384
Signature Algorithm	sha256RSA
Validity Period	246 days
Serial Number	00C847C79FEA5442B8
Thumbprint	2ECDB746553435734C51A10EE253A869412C626B

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

Dimension	Score	Sources	Observations
threat	30%	2	3
routing	13%	1	1
services	28%	2	3
ownership	20%	2	3
reputation	20%	1	2
geolocation	19%	2	2
Overall	22%	10	14

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence	Consistent (100%)
Attribution	Moderate (70%)
	OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid

📅 Observation Timeline 🔄 Live

First Seen	2026-05-22 13:35:38 UTC
Last Seen	2026-06-26 21:06:47 UTC
Profile Built	2026-06-27 10:45:29 UTC
Data Freshness	Live
Signal Types	23
Total Observations	51

🔍 23 signal types · 51 observations collected

This report is generated from 23+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

{ } JSON API 🔧 Actions API 📧 Enterprise Access

ℹ️ About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.

87.118.116.90📋 Copy

**Key Findings**

**Actionable Insights**

**Recommendations**