Web Hosting Talk







PHP Script to check on fraudulent orders (Freeware+Open Source)


Varun Shoor
02-03-2002, 11:38 AM
Well, I was hit with about 2 fraudulent orders from Indonesia this month, so I decided to make this script. I saw a couple of posts by some people with ways to disable access to the site completely using httpd.conf, but I really think that's just a way to lose a fraction of customers from Asian countries; a small fraction, but it does matter.

Therefore I made this script. If a person's IP matches one in the ipmasks, it redirects him to some other page you specify, and if it doesn't, it redirects him to the order page you specify. On my site I made it redirect to a page where it asks the person to send a faxed copy of their CC front and back side and provide other information.

It supports checking for proxies by opening connections on ports 8080, 8008, 1080 etc. (you can add your own by editing config.php), checking the extension of the reversed hostmask (say, most ISPs in Malaysia use .my hostmasks instead of normal IPs; check hostmasks.txt for adding your own), and checking a certain email address to see if it belongs to the free email providers list.

Here is the extract from readme.txt I wrote:

//######################
// CC Fraud Checker Script v1.0
//######################
// Copyright (c) 2001 Varun Shoor
// Email: varun@kayako.com
//######################
// You are free to redistribute this script
// provided this header is kept intact
//######################

I made this script in my part time because I had processed about 2 fraudulent orders from Indonesia
this month alone and I was getting tired of getting hit with transaction fees and all.

Requirements:
PHP 4.0.1pl1 or later

Usage:
To use this script, edit the config.php to suit your needs, once you have failed url and success url set up
replace the current order links at your pages with the ones in this script, Example:
<a href="http://www.yourdomain.com/checker/index.php">Click Here to Order!</a>

If the person's IP matches one in the masks, he will be redirected to the failed url page, else he will be
redirected to the success url page. I recommend you ask the person to fax his credit card's front and back
sides at the failed url page so you don't lose customers.

Extended Functionality:
You can further make it check the emails, for this purpose you can redirect a person to say:
http://www.yourdomain.com/checker/index.php?email=iamfraud@hotmail.com if the email host matches the
one in emailist.txt, it will redirect the person to the failed url page. It is recommended you use email functionality
from within your order form script if it's in PHP.

Adding more ips, hosts, emails:
Look into ipmasks.txt, all IPs should have a * as a wildcard, example: 202.*.54.*
hostmasks.txt contains the last part of the domain name (the TLD), I have yet to implement wildcard functionality into it
emailist.txt contains the list of free email providers
To add more proxy ports look into config.php

If you have any more questions or improve the listing of ipmasks or hostmasks then do email me at varun@kayako.com


Just thought this might help other people suffering from these problems, I have yet to thoroughly test proxy checking+hostmask checking but AFAIK it should work perfectly.

Hope that helps :D

Regards,

Varun Shoor
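
The three list checks the readme describes (wildcard IP masks, reverse-DNS TLDs, free-email domains), sketched as an added PHP example. This is not Varun Shoor's script: the function names and sample entries are constructed, and the code assumes PHP 7 or later.

```php
<?php
// Added illustration, not the CC Fraud Checker source. Names and sample
// entries are constructed; requires PHP 7+ (scalar type declarations).

// Match an IPv4 address against a mask such as "202.*.54.*". Each "*"
// stands for one whole octet, so the comparison is done per octet.
function ip_matches_mask(string $ip, string $mask): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false; // malformed or non-IPv4 input never matches
    }
    $ipParts = explode('.', $ip);
    $maskParts = explode('.', trim($mask));
    if (count($maskParts) !== 4) {
        return false; // ignore malformed list entries
    }
    foreach ($maskParts as $i => $part) {
        if ($part !== '*' && $part !== $ipParts[$i]) {
            return false;
        }
    }
    return true;
}

// True when a reverse-DNS name ends in a listed TLD. gethostbyaddr()
// returns the bare IP when there is no PTR record, which never matches.
function host_matches_tld(string $host, array $tlds): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($tlds as $tld) {
        $suffix = '.' . strtolower(ltrim(trim($tld), '.'));
        if (substr($host, -strlen($suffix)) === $suffix) { return true; }
    }
    return false;
}

// True when the address's domain part is on the free-email list.
function email_is_listed(string $email, array $domains): bool
{
    $at = strrpos($email, '@');
    if ($at === false) { return false; }
    $domain = strtolower(substr($email, $at + 1));
    return in_array($domain, array_map('strtolower', $domains), true);
}

// Constructed sample inputs.
var_dump(ip_matches_mask('202.17.54.9', '202.*.54.*'));
var_dump(host_matches_tld('dial-12.example.my', ['my']));
var_dump(email_is_listed('iamfraud@hotmail.com', ['hotmail.com']));
```

A client IP with no reverse DNS passes the hostmask check untouched, so the TLD list only supplements the IP masks.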

modihost
10-23-2002, 03:02 PM
good job.

WildCard
10-23-2002, 06:26 PM
I love beautifully formatted, beautifully commented code...

Beautifully simple by the looks of it. I will delve into it deeper later, but it's a nice contribution.

-WC-

Varun Shoor
10-23-2002, 09:06 PM
hehe thanks for the comments, no fraudulent order from any Asian country since I added that on my site :D

Received 4 fraudulent orders though, all from USA, so now I have thought of another idea to stop fraudulent orders: use SMS.. what I am going to do is ask the end user for his cell phone # and send a unique id via SMS over to his cell that will activate his account and let him order the product. I am confident that will bring the whole fraud rate down to 0%. I will release a script for that once it is completed.

hosthero
10-24-2002, 05:32 AM
nice!

net-trend
10-24-2002, 06:16 AM
I most probably won't even use the script, but I would just like to say how nice it is that you are willing to share your hard work with the rest of us. :)

Thanks.

iKHost
10-26-2002, 10:58 AM
Thanks for sharing this, many would have charged a lot for this.

iKHost
10-26-2002, 11:00 AM
dumb question, are hostmasks TLDs?

Varun Shoor
10-26-2002, 12:33 PM
yep, TLDs... it's an easy way to ban a lot of collective IPs at once by just banning their TLD, it will work in some cases but won't in others... like most Malaysian ISPs use .my extension whereas Indian and others don't do reverse DNS..

WildCard
10-26-2002, 02:18 PM
Originally posted by Varun Shoor
use SMS.. what I am going to do is ask the end user for his cell phone # and send a unique id via SMS over to his cell that will activate his account and let him order the product

I have had a cell phone for years here in the US, but am unfamiliar with SMS. Is this some form of messaging standard? If so, do all cell phone services and phones have SMS service available to them?

And would you only do this for the customers that are high risk or all?

Sorry to ask so many questions! :)

-WC-

mpope
10-26-2002, 04:31 PM
SMS is just text messages to your cell phone. If you are on at&t people can sms you by emailing (your phone number)@mobile.att.net . Not sure what the other providers use for your address, but you should be able to find it on their web site.

Varun Shoor
10-27-2002, 12:39 PM
yep they are just text messages... personally I would do it for all my customers as my target audience is someone who should have a cell phone. I dunno about hosting though, because there might be a lot of people without a cell phone in that category. That way whenever a person wants to order a product an activation id is sent to his cell and the order will be processed only once he enters the activation id.
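
The activation-ID flow discussed in the posts above, as an added PHP example that is not part of the thread or of any released script. The function names, six-digit format, ten-minute lifetime, five-attempt limit and sample phone number are assumptions, and sending the SMS itself is left out.

```php
<?php
// Added illustration; names, code length, lifetime and attempt limit are
// assumptions. The pending-order record is a plain array here; a real
// site would keep it in its database. Requires PHP 7.1+.

const CODE_TTL_SECONDS = 600; // assumed lifetime of a code
const MAX_ATTEMPTS = 5;       // assumed guess limit per code

// Create the code to send by SMS and the record to store server-side.
// The code comes from a CSPRNG and is stored only as a hash.
function issue_activation(string $phone, int $now): array
{
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $record = [
        'phone'    => $phone,
        'hash'     => hash('sha256', $code),
        'expires'  => $now + CODE_TTL_SECONDS,
        'attempts' => 0,
        'used'     => false,
    ];
    return [$code, $record];
}

// Check a submitted code; the record is updated in place.
function verify_activation(array &$record, string $submitted, int $now): bool
{
    if ($record['used'] || $now > $record['expires']
        || $record['attempts'] >= MAX_ATTEMPTS) {
        return false; // spent, expired, or too many guesses
    }
    $record['attempts']++;
    // hash_equals() compares in constant time.
    if (!hash_equals($record['hash'], hash('sha256', trim($submitted)))) {
        return false;
    }
    $record['used'] = true; // a code activates one order only
    return true;
}

// Constructed walk-through with a fictional number.
$now = time();
[$code, $record] = issue_activation('+15555550100', $now);
var_dump(verify_activation($record, 'not-the-code', $now)); // wrong guess
var_dump(verify_activation($record, $code, $now));          // correct code
var_dump(verify_activation($record, $code, $now));          // replayed code
```

The attempt limit matters because a six-digit code has only a million possible values.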

Bashar
03-26-2003, 07:08 PM
sms activation code is a good idea :)

good work Varun, thanks for sharing knowledge.

blacknight
03-26-2003, 08:37 PM
A very nice idea! Thanks for sharing :D

Varun Shoor
03-26-2003, 08:59 PM
No problemo :)

klynn
03-27-2003, 12:07 AM
If you're interested we could actually set this up with the voxeo.com network so it would verify orders via telephone VoiceXML + CCXML (or the older CallXML).

It could be used in the US to instantly create accounts if it's able to reach their telephone number.

Kevin

Originally posted by Varun Shoor
hehe thanks for the comments, no fraudulent order from any Asian country since I added that on my site :D

Received 4 fraudulent orders though, all from USA, so now I have thought of another idea to stop fraudulent orders: use SMS.. what I am going to do is ask the end user for his cell phone # and send a unique id via SMS over to his cell that will activate his account and let him order the product. I am confident that will bring the whole fraud rate down to 0%. I will release a script for that once it is completed.