Web Hosting Talk

View Full Version : How To Tell if IP Address is forged?


JTM
01-03-2002, 07:17 PM
We keep a log of the IP addresses on all new account orders and run a traceroute to make sure the order is placed close to the address listed on the order.

Today we received an order and I ran the traceroute and it led back to San Francisco.

216.102.199.63 - resolved to - Pac Bell Internet Services ADSL

The order was for a 5 year new domain registration and a 1 year hosting account. Then I went to the email address that was given as the contact address and it was in Russian.

I'm almost positive the order was placed from Russia because about 80% of our fraudulent orders are placed there.

Is it possible to tell the real IP address of the person who placed the order?

Also, has anybody ever prosecuted people making fraudulent orders whether they were placed in the US or in a foreign country? If so, what did you do and what happened?

It doesn't make sense why there are so many fraudulent hosting orders. Most of the time they don't even use the accounts. It would be nice if something could be done about these fraudulent orders so this wouldn't happen so much.


Jeff

JTM
01-04-2002, 09:00 PM
anybody?

nox
01-04-2002, 09:38 PM
Maybe the Russian was using a proxy or they legitimately now live in the US..

If you have any doubt you should confirm EVERYTHING, like phone, email, domain... full AVS..

We now get many attempts from Indonesian registered domains with Network Solutions email services using US CC details which have everything correct except the email contact and the phone number... If you trace it all the way back, even checking the owners of the email address on the whois records you will usually find a dead end or an obviously fraudulent user.

You have little or no chance of getting legal satisfaction for such small amounts and since we were kicked with our first chargeback recently for $1500, we check all suspicious orders.. the downside is that you have to cop the bill, the fees and the aggro from your bank...

Life wasn't meant to be easy..

ScottD
01-04-2002, 11:32 PM
One thing comes to mind about detecting users using a proxy server. Keep in mind that not all proxy use is malicious, and in fact many many people 'dialing' in from work will be going through one.

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; .NET CLR 1.0.3328)
Via: 1.0 dingo:86 (Squid/2.4.STABLE1)

The 'via' header may or may not contain proxy information, and I believe you can set Apache up to report on this (if it doesn't by default). It can be used as a tool to help confirm fraudulent activity, but it in no way declares a user a fraud.

Good luck,

Scott
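
The Via check from the post above, sketched as an added example (not code from the thread or from any poster). It assumes Apache records the header through a LogFormat containing %{Via}i; the log layout, the /order path and the sample lines are constructed for illustration. A hit marks an order for manual verification and is not proof of fraud.

```python
import re
# Assumed Apache logging: LogFormat "%h \"%r\" \"%{Via}i\"" orderlog
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]*)" "(?P<via>[^"]*)"$')
# One Via element: [protocol-name/]version, received-by, optional (comment)
HOP_RE = re.compile(
    r'^(?:(?P<proto>[^\s/]+)/)?(?P<ver>\S+)\s+(?P<by>\S+)(?:\s+\((?P<comment>.*)\))?$')

def split_hops(value):
    """Split a Via value on commas that are not inside a (comment)."""
    hops, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            hops.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    hops.append("".join(cur).strip())
    return [h for h in hops if h]

def parse_via(value):
    """Return one dict per proxy hop; unparseable elements are kept raw."""
    out = []
    for hop in split_hops(value):
        m = HOP_RE.match(hop)
        out.append(m.groupdict() if m else {"raw": hop})
    return out

def proxied_orders(lines, path="/order"):
    """Return (client_ip, hops) for requests to `path` that carried a Via header."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["via"] in ("", "-"):  # Apache logs "-" when the header is absent
            continue
        parts = m["req"].split()
        if len(parts) >= 2 and parts[1].startswith(path):
            found.append((m["ip"], parse_via(m["via"])))
    return found

# Constructed sample lines (documentation-range IPs); the first Via value is the one quoted above.
SAMPLE = [
    '192.0.2.10 "POST /order HTTP/1.0" "1.0 dingo:86 (Squid/2.4.STABLE1)"',
    '198.51.100.7 "POST /order HTTP/1.1" "-"',
    '203.0.113.5 "POST /order HTTP/1.1" "1.1 cache-a (Squid/2.4, test), HTTP/1.0 gw.example"',
]
```

Calling proxied_orders(SAMPLE) returns the two proxied requests with their parsed hops; the logged client address on those lines is the proxy's, so they are the orders to confirm by phone, email and AVS.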

Maniac
01-05-2002, 03:07 AM
www.safeweb.com :( I hate that web site, people can change IP addresses, if you are smart you'll know though :)