Web Hosting Talk







View Full Version : Fraud/abuse prevention database - suggestion


Apoc
08-15-2004, 07:16 PM
We were already discussing this in another thread (http://www.webhostingtalk.com/showthread.php?s=&threadid=309420) but I thought this idea has a greater chance of success by starting a new thread, so here it is.

As many hosts have probably experienced (especially the larger ones among us), fraud is a serious problem and can cost you a lot of money. Mainly credit card fraud is a big problem, but we can also think about people who deliberately cause a server to get an overload. The reason for that is often not very clear (maybe boredom?), but I guess that’s the same as for the people who write viruses.

I have already seen a couple of posts of people who had started or were planning to start a database with fraudulent/abusive users. It’s a good idea, but I seriously question the validity and reliability of such a database, as none of the entries appear to get verified. Anyone could just add an entry to annoy another person, while that other person may not be a fraudulent/abusive user himself. In that case the host who uses the database would decline an honest customer.

My idea would be to start a new database, in which all new entries get verified by a specialized team. Now the first obstacle is that these people won’t work for free, but I’ve thought of a solution for that too: it’s in every host’s best interest to make sure the orders they receive are valid, and that the users are no troublemakers. We would only give hosts access to the database, if they contribute a bit in the process of verification. How we would arrange that is the next question, I’m open to suggestions about that.

For now, I’d just like to see if any other hosts are interested in this idea. I think this idea has good potential, however it can only be a success if enough people invest some time in it.

Project X
08-15-2004, 11:56 PM
The problem with what everyone here is trying to do is that you are attempting to organize a free service which in itself could be rife with fraudulent submissions.

The key here is to make it a membership-based only service.

FTMS
08-16-2004, 02:49 AM
It's an excellent idea. Membership based would work nicely, as it would be a small expense for a company to spend on security. Think of the chargebacks at $25 each with Authorize that could be avoided, not to mention the numerous other headaches that come along with fraud orders.


Reading through the forum one can see that it is a serious problem. If it was set up in such a way that each company either donates their time to the registry. OR

If time is an issue, it could be set up so that each company pays $20 membership per year (less than 1 Authorize chargeback fee). Then the money is collected and an outside party is hired to maintain the database. This person/persons would then be responsible for contacting hosting companies 1x per month to collect information on fraudulent orders (outside of any submissions that automatically come in).

This person/persons can verify fraud by comparing hosting companies' complaint submissions. Obviously if there is a fraudulent order, they won't target just 1 hosting company. So, as the name of the fraud person/persons is submitted by more than 1 company, we can be sure it's a fraudulent order and not 1 company's bias.

On the other hand, for those companies who can volunteer time, the fee could be cut in 1/2 for them and so on.
Picturing a membership website with database and forum, perhaps updated with news or tools that hosts might find useful to ensure return visits. There are a few companies who may even donate articles etc.

Eventually, if all is a success the membership can turn into something of a non-profit organization for the improvement and future of the web hosting industry, with issues not limited to fraud orders, but ethics, industry related news etc. Getting a little carried away here....but you get the idea.

If some energy gets behind this, it might just put a dent into the problem. The first thing might be to do some market research to determine cost/benefit analysis. How much hosts are losing to fraud orders per month/year and see if the numbers inspire interest to join.

Interested in hearing more pros and cons on the topic..
Just a few ideas that came to mind as I read your post.

nihkiruks
08-16-2004, 03:22 AM
AFAIK, the main problem is not that $20 chargeback fee. The problem is that if you have more than 2% of chargebacks on your account - your merchant account gets nuked. Also, based on new VISA regulations - there is a $25,000 penalty for having high chargeback rate on your account.

That's an interesting idea that has its future. Currently we are trying to open the site that will be membership based. Only registered users (verified hosting companies) will be able to query and submit the information into the database.

Membership will be free, but it will be verified. System will compile a "fraud score" based on number of matching records and matched information. For example - if we have two records for e-mail xxx@hotmail.com then querying the database for that e-mail will give you max fraud score. Also, all the data will be crosslinked, i.e. we have 2 records:
aaa@hotmail.com IP: 10.10.10.1
bbb@hotmail.com IP: 10.10.10.1

If someone queries for IP: 10.10.10.1 then it'll definitely give him a high fraud score.

Apoc
08-16-2004, 05:12 AM
FTMS: I like those ideas, perhaps a membership fee is indeed a good idea. I'm quite sure that companies don't mind $25 if they can successfully prevent fraud with it, but the question is, can we actually hire staff with that money? I guess it would depend on how many hosts would join in.

nihkiruks: I don't think your registered users idea would be a very good idea, as it also takes time for others to investigate whether a new company can be marked as verified. The fact that someone would have to verify the company, would also mean this person would have to be paid, so where would that money come from? On top of that, we also need people to initially build the system.

Apart from searching on IP, we may also implement features to search on company name, postal code, or whatever. It would probably also be best if we can also enter the fraudulent credit card numbers. Because those people can change their email address, IP address and so on, but often they use the same (stolen) credit card number a couple of times. I'm not sure whether storing credit card numbers privately is illegal though.

whatever
08-16-2004, 06:16 AM
I'm not sure whether storing credit card numbers privately is illegal though.


I think it would be. Other than this, great idea!

nihkiruks
08-16-2004, 08:33 AM
Apoc, we are storing name (first, last), e-mail, IP, domain name, timestamp, one-way encrypted CC data.

Based on the experience, you can count only on e-mail/IP/domain/CC combination. Checking for name match will give you a lot of false positives.

No need to store address as well. Query by exact street address is useless.

We are using such a system internally for more than a year. Every day we are adding like 5-20 fraud records.

Also, if system will give you 0 fraud score - that DOES NOT mean the account is true, you'll need to do further investigation. If it'll give you 10 fraud score - 99.99% it's fraud account.

System will be free to use for now. We have enough resources to support it by ourselves. Will see how it goes :)
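
The cross-linked "fraud score" lookup described in the posts above, combined with the suggestion to trust a match only once more than one host has reported it, as an added example that is not code from anyone in this thread. The 0-10 weights, the single-reporter cap, the use of HMAC-SHA256 for the one-way card token, and every sample record (including the card test number) are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: secret held only by the operator
FIELDS = ("email", "ip", "domain", "card")

def card_token(pan):
    """Keyed one-way token; a bare hash of a 16-digit number can be brute-forced."""
    digits = "".join(c for c in pan if c.isdigit())
    return hmac.new(KEY, digits.encode(), hashlib.sha256).hexdigest()

def normalise(field, value):
    return card_token(value) if field == "card" else value.strip().lower()

class FraudIndex:
    def __init__(self):
        self.records = []              # each: {"reporter": ..., field: value}
        self.index = defaultdict(set)  # (field, value) -> record ids

    def submit(self, reporter, **attrs):
        rec = {f: normalise(f, v) for f, v in attrs.items() if f in FIELDS and v}
        rid = len(self.records)
        self.records.append({"reporter": reporter, **rec})
        for item in rec.items():
            self.index[item].add(rid)
        return rid

    def _matches(self, pairs):
        hits = set()
        for pair in pairs:
            hits |= self.index.get(pair, set())
        return hits

    def score(self, **attrs):
        query = [(f, normalise(f, v)) for f, v in attrs.items() if f in FIELDS and v]
        direct = self._matches(query)
        # One hop of cross-linking: records sharing any value with a direct hit.
        shared = [(f, v) for rid in direct
                  for f, v in self.records[rid].items() if f != "reporter"]
        linked = self._matches(shared) - direct
        reporters = {self.records[rid]["reporter"] for rid in direct}
        raw = min(10, 5 * len(direct) + 2 * len(linked))
        # Assumed policy: a single reporting host cannot push the score past 5.
        value = raw if len(reporters) >= 2 else min(raw, 5)
        return {"score": value, "direct": direct, "linked": linked}

def demo():
    db = FraudIndex()  # constructed sample submissions
    db.submit("hostA", email="aaa@hotmail.com", ip="10.10.10.1")
    db.submit("hostB", email="bbb@hotmail.com", ip="10.10.10.1", card="4111 1111 1111 1111")
    db.submit("hostA", email="ccc@example.com", card="4111-1111-1111-1111")
    return db
```

With these sample records, a query for the shared IP reaches the maximum score because two different hosts reported it, while a query for an e-mail reported by one host only is held at 5 even though it cross-links to another record.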

Apoc
08-16-2004, 09:27 AM
That's great to see. I think you misunderstood what I meant though. If you allow others to submit entries too, you'll just have to make sure that they are valid, otherwise if you get 10 fraud score, it wouldn't necessarily mean that the account is fraudulent, thus the system would be useless if that happens.

As for further investigation: apart from researching the obvious, there isn't too much you can do, which is why a reliable database would be extremely valuable.

nihkiruks
08-16-2004, 11:26 AM
I think there is no efficient way to check ourselves if a particular submission is valid or fraudulent. Please let me know if there is anything we can do to check and we'll discuss it.

Philipf
08-16-2004, 01:58 PM
I run a free service, but we thoroughly screen and rank each submission before it is entered into the database. If it happens to be a mistake, then it is removed.

Membership fees are not something we will do, as it is helping a lot of hosts.

Apoc
08-16-2004, 02:00 PM
Originally posted by nihkiruks
I think there is no efficient way to check ourselves if a particular submission is valid or fraudulent. Please let me know if there is anything we can do to check and we'll discuss it.

I'm not sure how, but I'm quite confident that it is possible. Maybe Philipf can tell us more about how he screens these submissions.

ISNMIKE
09-19-2004, 09:51 PM
Sounds like a good idea, I would be interested in spending some time if this project was to be started. A lot of people use fraud call programs, maybe we could get people to submit their data daily and then as said before cross check the information to see if there are any double entries of fraud.

submenu
09-20-2004, 01:27 AM
Feel free to use my database:

http://www.dotfraud.com

Need people to submit frauds. There is a simple registration to be able to submit reports. This way we can validate that a report is coming from an actual webhost and then further decide whether or not to add it.