minFraud Release Notes

Email first seen can be used as a parameter for custom rules

minFraud Insights and Factors customers can now use the /email/first_seen output in minFraud custom rules.

The minFraud service retains a record of when an email address or email domain was first seen on the minFraud Network. An email address that has been conducting transactions for a long time across the minFraud Network may be more trustworthy than a new email address created within the last 30 days.

You can select the email first seen output as a parameter in custom rules by selecting minFraud outputs > Email first seen when defining a new condition for a custom rule.

• Learn more about setting custom rule conditions on our Knowledge Base.
• Learn more about email risk data on our Knowledge Base.

Upcoming changes to our TLS certificates may impact customers with unusual server configuration

Starting in May, Let's Encrypt will no longer use a cross-signed root certificate, and the primary TLS certificate handling the *.maxmind.com domains will be impacted by this change.

Most customers will see no impact from this change.

This change should only be of concern if the servers interacting with MaxMind domains are running a very old or out of date operating system, or if you manage your own local Certificate Authority store.

• Read more about these changes on the Cloudflare blog.
• Get information about compatibility from Let's Encrypt.

API policies are now permanently enforced

To improve our server infrastructure and allow for better performance and efficiency, our API policies are now being permanently enforced as of March 13, 2024.

What are the policies?

• MaxMind only accepts API and database download requests sent with the more secure HTTPS protocol.
• MaxMind only accepts API and database download requests that are sent to the appropriate hostname as documented in the integration instructions on our Developer Portal (see direct links below).

What do I need to do? Ensure that you are using the correct hostname for your API requests, and that you are using HTTPS. Failure to do so will result in web service or database download requests failing.

You can view the appropriate URIs for minFraud services on our Developer Portal using the links below:

• minFraud Score, Insights, and Factors web services
• minFraud Device Tracking
• minFraud Transaction Reporting
• Legacy minFraud web services
• Legacy Proxy Detection web service

Please note: This enforcement will also affect GeoIP web service and database download requests. If you are also a GeoIP user, see our GeoIP release note on this issue.

API policies - temporary enforcement on February 7, 2024

To improve our server infrastructure and allow for better performance and efficiency, MaxMind will begin enforcing our policies around our API and database download requests on March 13, 2024. To help customers get ready for this change, we will have a planned, temporary enforcement of these policies on February 7, 2024.

What are the policies?

• MaxMind will only accept API and database download requests sent with the more secure HTTPS protocol.
• MaxMind will only accept API and database download requests that are sent to the appropriate hostname as documented in the integration instructions on our Developer Portal (see direct links below).

What do I need to do? To ensure that your MaxMind service is not interrupted, please ensure ensure that you are using the correct hostname for your API requests, and that you are using HTTPS, prior to February 7, 2024.

If you have not made the requested changes before Wednesday, February 7, 2024, you might experience a period where web service or database download requests fail.

You can view the appropriate URIs for minFraud services on our Developer Portal using the links below:

• minFraud Score, Insights, and Factors web services
• minFraud Device Tracking
• minFraud Transaction Reporting
• Legacy minFraud web services
• Legacy Proxy Detection web service

Please note: This enforcement also affects GeoIP API requests. If you are also a GeoIP user, see our GeoIP release note on this issue.

minFraud no longer accepts event times more than one year in the past

Starting tomorrow, January 23, 2024, minFraud will no longer accept /event/time inputs with values more than one year in the past. Most customers do not need to send the /event/time input and will not be impacted by this change. Learn more about this input and how to use it to score historical transactions on our Knowledge Base.

If you send the /event/time inputs with values more than one year in the past, minFraud will:

• replace the event time with the current time
• score the transaction and return a score
• return an INPUT_INVALID warning with its response