Today we received an order for our $240/yr hosting package, from Indonesia. The credit card was stolen (thanks TomD and the team at 2Checkout, for figuring this out). :)

Anyway my question is does anyone have a sample .htaccess file which only blocks Indonesian IP addresses? I saw some posted previously, but they contained lots of other countries as well.

Edit: By the way, TomD, if you are reading this... How about giving us an option to block out only a select few "high risk" countries such as Indonesia?

Heh. We get planty of requests from Indonesia. I can't understand why they ALWAYS (different IP's) sign for year of most expensive package with new domain name like these ones:
i-wanna-bang-you.com
ble-e.org
wisataindonesia.net
bukanmonyettapi.org
selayang-pandang.net
rampok.tv
ghaem110.com
bitch-dark.org
anak-safana.net
waks-dhegleng.org
Yogie.Nareswra.com
TRIP-ON-CUBA.NET
aybanet.com
iwan-dhita.com
janda-janda.net
Xrampoq.net
isiscam.net
zdravka.org

And much more other stupid domains.

Isn't it strange for webhosting company such orders?

I think it's safe to say that they're all using stolen credit cards. You're just lucky you haven't seen any chargebacks yet.

Well most of the names are normal Indonesian domainnames. Nothing wrong with them.

Next to the US my largest customer base is in Asia. Malaysia, India, Vietnam, Thailand, Indonesia... Nice people. Always polite when asking questions.

You can protect yourself a little by not accepting yearly payments.

Originally posted by NinthSwat
Heh. We get planty of requests from Indonesia. I can't understand why they ALWAYS (different IP's) sign for year of most expensive package with new domain name like these ones:
...
janda-janda.net
...
And much more other stupid domains.



Hey, I got a fraudent order for janda-janda.net as well! Seems like the same prick(s) are giving us a hard time! Other fraudent accounts they applied for:

cakep-tenan.org
high-tech.net
like-the-bird.net
flylifez.net
bitc-h.com
dookie-cakep.ca
aku-anak-siantar-asli.com
alt.lt
kill-9.de
scumbagass.net
........ many more!

Do you think maybe we can give this guy a scare? e.g. we tell him he's being tracked and that we know which hosts he's applying at? then we mention our host names and he'll have to wonder how we know... what you think?

I've got alot too and Paysystems Charged me $1 for each VOID.......... :bawling:

You can save yourself a lot of headache if you don't process such orders automatically.

I've also had an Indonesian person put through lot's of fraudulent orders. They always signup for the most expensive account for the longest period of time.

We had $15,500 go through of fraud from Indonesia. We've had no problems with any other countries.

Monitoring each order gets a bit tedious when you've got orders coming in all the time. Now if anyone notices an the most expensive account for the longest period of time, we shut down and delete the site straight away.

I think we also had one other Indonesian who signed up for a inexpensive account for one year and we had the chargeback come through. I suspended the account and the peson had the hide to contact us to ask us why the account was suspended. I asked for his contact details and he actually sent them to me. I replied back saying that he had used a fraudulent card and was the reason for shutting down his site. He didn't reply to that one.

So out of all the chargebacks we have ever had, they have come from stolen credit cards from Indonesia.

Regards,
Nigel

So, does anyone have a list of IP addresses/blocks for .htaccess, to block Indonesia?

If anyone from Indonesia is reading this, I do understand that there are lots of honest people there, but the fact of the matter is that when fraud from a particular country is well over 90%, it is simply too much hassle to accept clients from there.

From WTN-Online :

"Since two years now, the Nigerian and Sambian mafia have big competition from Indonesia and Malaysia. While the first party usually only trys to sell ?financial services? with 15 million USD from dead ministers, uncles and cousins (10% is for your efforts), the second party buys with stolen credit cards in online shops and from exporters.

In Europe it has become a real pest, and a press release from us got a lot of feedback from ripped companies. It is always the same scheme. Either inquiries or direct sales come with credit card payment. The credit card companies usually transmit their OK-numbers, because the cards have not been addressed as stolen by their owners. Gangs in all major airports of the world grab the card numbers from bills and shopping documents out of waste baskets and send them by E-Mail directly to their ?partners?, who start buying immediately. When the ripped person got the next invoice for the credit card, they see, that there are a lot of sales, which have not been done by them. The credit card company pays the money to the owner and charges the seller, who made the sale weeks ago. He is fully responsible and takes all the risk.

Some of our business partners have been ripped, too and the local police in Indonesia and Malaysia do not help them. A few phonecalled them, but they said, the police is either not interested, or they ?seizured? the products and can not ship them back in the future because of their criminal nature.

The result is, that nobody here will do any business with people in Indonesia, no matter, if they are serious or not"

------------

4Cheap Hosting Network
http://www.4cheahosting.net
4Cheap Web Hosting you can rely
69$ per year flat price UNIX/NT
No Hidden or Setup Fee

Originally posted by Pilgrim
Well most of the names are normal Indonesian domainnames. Nothing wrong with them.


Yes, but in application form they are all from US.

EXAMPLE:
domain_name: bukanmonyettapi.org

domain_info: new

hosting_plan: Supreme

first_name: JOHN

city: LONG BEACH,

street: XXXX LANAI STREET

state: CA

postal: 90808-3554

country: United States

term: ANNUAL

credit_card: VISA

card_num: 4217XXXXXXXXXXXXXX

ex_month: 08

ex_year: 2002

name_oncard: JOHN XXXXXXX

---------------------------------------------------------------------------

REMOTE_ADDR: 203.130.238.56

Track IP :D

Originally posted by hostmaniac

Do you think maybe we can give this guy a scare? e.g. we tell him he's being tracked and that we know which hosts he's applying at? then we mention our host names and he'll have to wonder how we know... what you think?

I always reply them with:

This order (domain.com) has been found to be at high-fraud risk, and will not be processed.

Your IP has been logged and ISP has been traced. All information will be reported to FBI
for further investigation.
Legal action will be taken! http://www.fbi.gov/hq/cid/fc/ifcc/ifcc.htm

I dont think that they really scares FBI in Indonesia :) .
P.S: 100% of all my indonesian orders are fraud orders.

Originally posted by avara
So, does anyone have a list of IP addresses/blocks for .htaccess, to block Indonesia?

If anyone from Indonesia is reading this, I do understand that there are lots of honest people there, but the fact of the matter is that when fraud from a particular country is well over 90%, it is simply too much hassle to accept clients from there.

List of Indonesian ISP's will also help us.

As per the March 1, 2002 APNIC IP allocation report, the following IP ranges are currently allocated to Indonesia:

[Please see the revised list of IP addresses later in this thread.]

Thanks CJB. :)

Where did you get this list from, or did you build it yourself by doing some searches on apnic.net?

I'll be adding it to my .htaccess file right now.

Originally posted by avara
Thanks CJB. :)

Where did you get this list from, or did you build it yourself by doing some searches on apnic.net?

I'll be adding it to my .htaccess file right now.

http://ftp.apnic.net/stats/apnic/

APNIC publishes their allocations there once a month. I took the latest data and ran it through a quick script I wrote to parse out the Indonesian ranges and convert them to CIDR format.

Originally posted by Synergy
I've got alot too and Paysystems Charged me $1 for each VOID.......... :bawling:


You're lucky, WorldPay charge you the MSC fee on every transaction, if you refund you lose 4.5% of the order total.
Not good when you get 6 $500 + orders in a couple of days. :(

Steve

How do you put that into the .htaccess ?

I mean eg. 123.123.5.0/19

Do you put that in or do you list each IP seperately?
eg. 123.123.5.0
123.123.5.1
123.123.5.2

etc etc

Cheers

Steve

I think you can use wildcards such as:

deny all 123.123.5.x

Hello,

I'm from Indonesia and I'm really concerned about more and more merchants stopping doing business with us Indonesians.

I'm willing to create some efforts to work out this problem. But I need some cooperation from outside merchants. Those bastards are not stupid enough to place orders on local merchants, they go to outside merchants instead. Ones that are stupid enough to do that are getting arrested.

If you are willing to help us, please send me any information of fraudulent orders from Indonesia. I have set up a mailbox frauds@priyadi.net for you to forward to. It is ok to flood that address with fraudulent orders. In fact please do, the more frauds we get, the more we able to make something from it. You also can use some logic in your order forms to minimize human work like this: if (order coming from indonesia) { forward to me ; reject order }. You have the list of our IPs from another poster.

Thank you for your help. :)

I had more fraudulent orders come through in the last couple of days. One payment was $6540. I've already cancelled all the transactions.

But this one was different because it came through from a secure online browser facility. So the user could have been anywhere in the world and goes to this site and types in our URL to access our site to proceed with the order.

I also understand that there are many good people in Indonesia and I myself have spent a couple months in Jarakata so I know what the place is like.

Can we redirect all indonesian IPs and these secure browsing ones to a page that explains the situation and that they need to contact customer service or whoever to get access to the site. If the details look legit, then you could give them access to your site to make an order.

What do you think?

Cheers,
Nigel

CJB, could you share with us the code used to parse through that list and output it in that format you just gave? I'm parsing out some other countries too but am doing it by hand now. :(

Actually, now that I look at the code again, there was a line inserted twice which resulted in the list being inaccurate. :\

I've attached the script and the corrected IP list is below.

202.0.103.0/24
202.0.81.0/24
202.0.116.0/24
202.46.0.0/20
202.46.129.0/24
202.46.16.0/24
202.46.17.0/24
202.46.240.0/20
202.46.128.0/24
202.46.18.0/24
202.159.0.0/21
202.46.20.0/23
202.154.0.0/20
202.152.0.0/22
202.154.32.0/23
202.154.34.0/24
203.153.0.0/22
202.157.0.0/23
202.159.8.0/21
202.159.16.0/20
202.46.24.0/21
202.155.0.0/23
202.158.0.0/22
202.151.0.0/22
202.150.0.0/22
202.154.16.0/20
202.46.130.0/23
202.159.32.0/19
202.159.64.0/18
202.149.252.0/22
202.148.0.0/22
202.146.254.0/23
202.146.0.0/23
202.149.251.0/24
202.145.0.0/22
202.149.248.0/23
202.149.250.0/24
202.147.252.0/22
202.158.4.0/22
202.158.8.0/21
202.154.35.0/24
202.154.36.0/22
202.154.40.0/21
202.154.48.0/20
202.149.240.0/21
202.155.2.0/23
202.155.4.0/22
202.53.252.0/22
202.51.252.0/22
202.43.252.0/22
202.146.252.0/23
202.152.4.0/22
202.137.0.0/22
202.43.248.0/22
202.146.248.0/22
202.3.96.0/19
202.183.0.0/19
203.77.224.0/19
202.155.8.0/21
202.138.224.0/19
202.180.0.0/19
202.137.4.0/22
202.148.4.0/22
203.109.0.0/19
202.170.224.0/19
202.164.0.0/19
202.155.16.0/20
202.158.16.0/20
202.53.224.0/20
202.53.240.0/21
202.53.248.0/22
203.130.224.0/19
202.137.8.0/21
202.20.106.0/23
202.20.108.0/23
203.130.192.0/19
202.152.8.0/21
202.152.16.0/20
202.146.224.0/20
202.146.240.0/21
202.155.32.0/19
202.149.128.0/19
202.158.32.0/19
202.46.64.0/19
202.51.192.0/19
202.147.224.0/20
202.147.240.0/21
202.147.248.0/22
202.146.128.0/19
202.146.32.0/19
202.149.0.0/19
202.148.32.0/19
202.95.128.0/19
202.148.8.0/21
202.148.16.0/20
202.173.64.0/19
202.155.64.0/19
202.47.192.0/19
202.149.64.0/19
202.77.96.0/19
202.150.64.0/19
202.158.64.0/19
202.152.128.0/19
202.152.224.0/19
202.153.224.0/19
202.150.128.0/19
202.153.128.0/19
203.128.64.0/19
202.150.224.0/19
202.51.96.0/19
203.99.96.0/19
202.81.32.0/20
202.55.128.0/20
202.165.32.0/20
202.58.192.0/20
202.3.192.0/20
202.47.64.0/20
202.171.0.0/20
202.147.192.0/20
202.87.192.0/20
202.169.32.0/20
61.5.0.0/17
202.150.32.0/20
203.112.64.0/20
202.67.32.0/20
202.152.32.0/20
202.92.192.0/20
202.150.4.0/22
202.150.8.0/21
202.162.192.0/20
202.136.64.0/19
202.155.96.0/19
202.150.160.0/20
202.152.160.0/20
202.93.32.0/20
202.59.160.0/20
202.143.32.0/20
202.57.4.0/23
202.55.160.0/20
202.151.32.0/24
202.46.144.0/20
202.72.224.0/20
202.73.16.0/20
202.75.96.0/20
202.72.32.0/20
202.127.96.0/20
202.73.224.0/20
202.143.48.0/20
202.46.96.0/20
61.5.192.0/20
202.158.96.0/19
202.145.4.0/22
202.145.8.0/21
202.70.48.0/20
202.58.64.0/20
202.72.192.0/20
202.143.96.0/20
202.162.32.0/20
202.75.16.0/20
202.137.16.0/22
202.162.208.0/20
202.65.224.0/20
202.43.160.0/20
202.57.16.0/20
61.94.0.0/16
202.137.20.0/22
202.137.24.0/21
202.155.128.0/19
202.158.128.0/20
202.43.176.0/20

Originally posted by CJB
As per the March 1, 2002 APNIC IP allocation report, the following IP ranges are currently allocated to Indonesia:

202.0.103.0/24
202.0.81.0/24
202.0.116.0/24
202.46.0.0/19
202.46.129.0/24
202.46.16.0/24
202.46.17.0/24
202.46.240.0/19
...
202.43.176.0/19

CJB, I think you got some of those subnets calculated wrong. I just checked out the list and found some discrepancies.

For example, let's take the entry:

apnic|ID|ipv4|202.46.240.0|4096|19941101|allocated

Translated that should become:
202.46.240.0/20

You have it listed above as:
202.46.240.0/19


Basically all of the subnet numbers on your list that are below 23 need to be incremented by one.

Wouldn't want to block the wrong people and let the crooks get in. :D

Haha... CJB. Just found out you've found the mistake and corrected it before I hit the "reply" button! :D

CJB, will the following work?

deny all 202.46.129.0/24

Furthermore, I noticed that the Indonesian IP that signed up with me (and was using a stolen credit card) is missing from your list...

Originally posted by avara
CJB, will the following work?

deny all 202.46.129.0/24

Furthermore, I noticed that the Indonesian IP that signed up with me (and was using a stolen credit card) is missing from your list...

I'm not sure if .htaccess supports CIDR notation. What was the IP that wasn't in the list?

Originally posted by priyadi
If you are willing to help us, please send me any information of fraudulent orders from Indonesia. I have set up a mailbox frauds@priyadi.net for you to forward to.

Hm, I have plenty of them, but I wonder what you will do with this information?

Originally posted by Walter


Hm, I have plenty of them, but I wonder what you will do with this information?

I agree, trust no one with this information.
Especially from Indonesia
Steve :)

Originally posted by dhlsg


I agree, trust no one with this information.
Especially from Indonesia
Steve :)

ermm.

His website doesn't even work ( http://www.priyadi.net/ )

:rolleyes:

Would life not be so much easier if the billing companies let us block these countries out on the order forms hehe :D

Can I ask how do you use this list of ip's, and the script CJB has a link too =)


Thanks

Hey,

Welcome Rochen, catch up with you at the Mch*** forums.

Steve

Originally posted by allmark
Can I ask how do you use this list of ip's, and the script CJB has a link too =)


Thanks

I was wondering this myself :rolleyes:

Originally posted by dhlsg
Hey,

Welcome Rochen, catch up with you at the Mch*** forums.

Steve

Hey steve,

Good to see you! :)

May I suggest you try placing a cookie on the end-users machine at signup. Use it to track fraudulent orders. It's not fool-proof, but it may help.

Fresh order:
ubmitted by XXXXXXX (kiara@bonank.tv) on Tuesday, March 5, 2002 at 05:36:34
---------------------------------------------------------------------------

domain_name: ada-apa-dengan-cinta.com

domain_info: new

hosting_plan: Supreme

first_name: Shannon

city: Angola

street: XXXXXX

state: IN

postal: 46703

country: United States

term: ANNUAL

credit_card: MASTERCARD

card_num: 5441XXXX-XXXX-XXXX

ex_month: 07

ex_year: 2003

name_oncard: XXXXX I Mance

text: Great Hosting Plans

---------------------------------------------------------------------------

REMOTE_ADDR: 202.95.155.42
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)

Originally posted by BarrySDCA
May I suggest you try placing a cookie on the end-users machine at signup. Use it to track fraudulent orders. It's not fool-proof, but it may help. Interesting idea... what can we do with the cookies?

Set them to blow up the machine they sit on, if the IP is an Indonesian one :)

Problem solved

Steve

I would send a cookie of the order number. When a new customer signs up, retrieve the order number cookie. If it was a fraudulent order then redirect to fbi.gov or something...

Originally posted by BarrySDCA
I would send a cookie of the order number. When a new customer signs up, retrieve the order number cookie. If it was a fraudulent order then redirect to fbi.gov or something... So this cookie is just to prove that he is indeed the person who puts the order through to you?

What other countries besides Indonesia is big on cc fraud? Malaysia? Any others?

Originally posted by muppie
So this cookie is just to prove that he is indeed the person who puts the order through to you?

Absolutely. It tells you that a machine which placed a fraudulent order through you before is back - probably to place another. If you don't look out for yourself, who will?

Originally posted by rochen
ermm.

His website doesn't even work ( http://www.priyadi.net/ )

:rolleyes:

Would life not be so much easier if the billing companies let us block these countries out on the order forms hehe :D

That's a really bad idea! It's like shooting the innocents along with the bastards :)

I think the domain priyadi.net is reserved by priyadi for his own personal homepage and I'm sure the mail works. I know priyadi is from a respective webhosting company in Indonesia and I'm sure he can be trusted.

Believe me, there are still lots of honest Indonesian people doing business in the Internet and Indonesia is a truly big market with over 200 millions of population and lots of individuals and companies building their own web sites.

Just my two cents... :)

Originally posted by twrs


That's a really bad idea! It's like shooting the innocents along with the bastards :)

I think the domain priyadi.net is reserved by priyadi for his own personal homepage and I'm sure the mail works. I know priyadi is from a respective webhosting company in Indonesia and I'm sure he can be trusted.

Believe me, there are still lots of honest Indonesian people doing business in the Internet and Indonesia is a truly big market with over 200 millions of population and lots of individuals and companies building their own web sites.

Just my two cents... :)

I've only had dealings with the not so innocent 'illegitimate' ones :)

If I could find a way to block every Indonesian surfer from entering my order form I'd implement it - I don't care whether the law abiding ones get blocked - They are in my experience few and far between. Period.

Steve

Originally posted by Walter


Hm, I have plenty of them, but I wonder what you will do with this information?

Hello, sorry for my late reply, I rarely check this forum.

I'm going to show the authorities that the matter will become a big problem if we can't do business with the rest of the Internet. If we got plenty of data maybe we will eventually succeed. I'd also try to get in touch with ISPs to get their cooperation.

No, of course you don't need to trust me, you shouldn't, really. You can't send me the credit card number, in fact please don't send credit card number, it would give us more trouble. We only need the relevant information like the IP address, the time of order, and the total value of the order. No need to disclose any other information. All the other information are probably fake or stolen anyway. I think that should be comfortable for you even if you don't trust me. :)

And, priyadi.net is my personal domain. It is empty right now, I use it only for my personal emails. :)

I think as well as banning indonesian IPs you should also ban those free proxys (like ipzap.com) as someone could use that to cheat.

I agree except there are thousands of them, we got an order through one 64.14.20.252 which if you do a search on yahoo gives this page

http://www.atomintersoft.com/products/alive-proxy/proxy-list/?ap=14

this page did list 30,000 anonymous proxies you could connect through, today it just shows a line which says the site has been hacked - oh well

But there appears to be plenty of sites listing anonymous proxies and our Indonesian and Romanian friends are quick to use them

Folks, I guess that Malaysia should be banned also.
We start getting frauds from this country.
P.S: maybe anyone need my .htaccess - contains list of IPs that were grabed from fraud orders.

Great!

I added all these including some very large list of anon. proxies to my latest update

If you got anymore, please email me :)

http://www-hosting.net/denied.html

AlaskanWolf, your list includes 194.165. Most of these IP's are used by Ireland OnLine, Ireland's largest Internet service provider. Ireland has one of the lowest crime and fraud rates in the world. :mad:

Basically when connecting through Ireland OnLine, my IP always starts with either 194.145, or 194.165. Please consider removing.

Originally posted by NinthSwat
Folks, I guess that Malaysia should be banned also.
We start getting frauds from this country.
P.S: maybe anyone need my .htaccess - contains list of IPs that were grabed from fraud orders.

I am a Malaysian and I don't know what's the fuss about banning Malaysians. I am paying my bills every month via my credit card around $400 to $600 for things that I buy and others such as ......server charges, resellers accounts, membership accounts, etc.

As an example, as a business concern when someone buys:

1) Goods/products and pays by cheque, it's only normal to get the cheque cleared before you deliver the goods/products.

2) Goods/products and pays cash, of course you would release the goods/products immediately.

3) Good/products paid by credit card, it's quite risky and any businessman knows that, and it's only normal to take extra precaution before releasing the goods/products

What I am saying is....If you are in any business, there's always a risk of getting cheated by conman and it can be any part of the world and not only from Malaysia.

It's only how good are you at detecting fraud when it comes your way. As an example... Quite some time ago, I signed up with Revecom and they rejected my application as I am a Malaysian but when I applied to 2Checkout.com, they were real professional business people and approved my application and was paid.

If you want to limit your business, it's your choice but remember you can also be cheated by your own kind in many ways that you may not be aware of..as I have said, it's how you go about your business and please don't blame others for your lack of business knowledge.

Regards.

Originally posted by avara
AlaskanWolf, your list includes 194.165. Most of these IP's are used by Ireland OnLine, Ireland's largest Internet service provider. Ireland has one of the lowest crime and fraud rates in the world. :mad:

Basically when connecting through Ireland OnLine, my IP always starts with either 194.145, or 194.165. Please consider removing.

You made me waste 30 minutes trying to find out where i got those ips :angry: :angry: :angry:

Anyways, i got them from the Host Coalition (2 companies stated to ban that range) website and also theres an 3rd one i found if you look at my list, was found off the #2 site on google when you type anonymous proxy servers

So thats three strikes and they are out for me baby, but your more then welcome to remove it from the list if you download it

since im in a semi-nice mood today (just 1 server crash.....god im glad my new hardware is in...) i commented it out and included an explaintion why

the 2nd one (full ip, anon. proxy) will remain blocked

What's the exact IP address/range of the anon proxy server? Anyway now I know why I couldn't access your site sometimes, depending on which IP Ireland OnLine/ESAT assigned me. I had always thought your servers were unreliable or something.

lmao thats really funny

194.165.248.34
xxxxxxxxxxxxxxxxxxxxxxxxxx

http://www.google.com/search?hl=en&q=anonymous+proxy+servers&spell=1

http://195.208.219.11/proxy.htm

Erm, why did you not simply ban 194.165.248.34, or say 194.165.248.x just to be safe? I don't want you to lose any customers. ;)

If I went out and banned every single IP block where an anon proxy server was running, I'd probably end up banning the entire Internet.

lol be truly safe from fraud ban x.x.x.x :)
good thread tho thanks for the info.

Originally posted by avara
Erm, why did you not simply ban 194.165.248.34, or say 194.165.248.x just to be safe? I don't want you to lose any customers. ;)

If I went out and banned every single IP block where an anon proxy server was running, I'd probably end up banning the entire Internet.

It really does not matter to me if you use the list that i compiled, Its a complie of all the ips in this forum, from other hosts that have had confirmed fraud signups and from other forums.

*you can* edit out ips you feel are unbeneficiary to your company. It really does not matter to me if i loose customers from Ireland because I banned the ip address.

Its not a big loss to my company if i ban the 194.165 ip range, and just because Ireland has a low amount of fraudulent signups, it only takes 1 to put an ip on a ban list....so far i have counted 3 plus the anon. proxie i found today which took 5 minutes to uncover.

In fact I still have and will keep it in my ban list for as long as I see fit but to your benifit since your in Ireland and you want to make a stiffile about it, i removed it from the downloadable list that everyone can view :)

Does anybody know what does the lenght field in APIC base mean?

:) I want to write one more script

Eugene

not only Indonesia is high-fraud order country (I am sure it's top #1), but you may consider countries listed below as well:

Georgia
other former USSR countries
Moldova
China
Korea
Romania
Czech Republic
Poland

and many others.. I suggest using AVS service that comes with your CC processor and also doing a full traceroutes (Whois lookups with Arin/Ripe etc) to IP (watch out for proxies!)

Clear commerce lists this data. Who knows where it comes from though. It doesn't seem to match what I've seen personally, and what I've seen posted here:

From lowest to highest:

United States 1%
Israel
Malaysia
Pakistan
Russia
Turkey
Bulgaria
Romania
Egypt
Lithuania
Yugoslavia
Indonesia
Ukraine 19%

It was a graph. I can't make it out well enough to guess other percentages.

http://www.clearcommerce.com/pdf/datasheets/ClearCommerce_Risk_Management_Data%20Sheet_4.2.pdf

Name: Agung M Setiawan
Address: Sumatera Utara I/49
City: Madura
State: Ej
Zip: 60119
Country: IN
Telephone: 0315933241
Fax:
Email: zirkon@webbox.com
Analyze Email Address
Shipping Information
Name:
Address:
City:
State:
Zip:
Country:
Telephone:
Fax:
Instructions:

well that really doesnt help us :(

U got any ips u can post so we can add it to our deny lists?

Ok here is the IP

202.155.55.31

Originally posted by batcavenet
Ok here is the IP

202.155.55.31


That ip is using the Indonesia ISP "IndosatNET", I suggest to block the whole access of the ISP, ip range from 202.155.27.0 to 202.155.27.127 :)

well I check again, that should be the ip range of proxy server of IndosatNET

We are expermenting with a new fraud "point system".

It has country blacklists and whitelists, and we use NetGeo to resolve IPs to countries. (http://www.caida.org/tools/utilities/netgeo/)

It checks whether the source IP is a proxy.

It adds points if the visitor requests the most expensive plan.

It adds points if they have a hotmail or yahoo address.

It subtracts points if the billing country and IP country match.

It subtracts points for english-language-only browsers.

And a number of other checks.

Our plan, once the system is refined, is to set a 'threshhold' above which signups are frozen for manual review. The idea is to allow US military with American billing addresses and Korean IPs to sign up, and allow German programmers to sign up, but block the standard Indonesian fraudster using a Virginia proxy anonymizer.

What a pain this all is though. Sheez.

We haven't actually gotten any fraud orders. We gotten a few people sending in blank orders just to push the submit button. If you're using a merchant accout you also shouldn't have the credit card number or anything else. If it auto enters it into the system and you don't have to manually do it. It is best not to use Automatic Signup System to reduce the fraud orders and do the orders manually or use a billing system. It sure will save you from a Charge Back. But just my 2 cents...

right now somebody is flooding our order system with stolen credit cards. :angry:

till now he had punched 24 credit cards within 1 hours.

they are coming from ip addresses

62.72.80.198
64.105.254.130

I have blocked ip address but it appears that ******* have book marked our payment page with revecom. :(

some body please tell me where i can report the fraud through email or web based address. :mad:

also he is using

zlord@xtrem-team.net and zelot@zelot.info email addresses. :angry:

John,

How do you determine if a source IP is a proxy IP?

Thanks
Joe

i don't know weather they are proxy IPs or original ips but these are the ips from where orders are coming from.

We have experienced the same type of fraud orders form Indonesian.

Solution? We no longer accept orders from Indonesian. If the credit card says USA, but the IP says Indonesian....then i just hit the delete key ;)

It's sad, but what else can be done when there is such a high percentage of fraud from one particular country?

Plus, we report every fraud order to the U.S Department of Treasury (Electronic Crimes Branch)

and that's no joke.

How do you determine if a source IP is a proxy IP?

We attempt to open a socket connection to ports 80, 8080, and 3128 (common proxy ports).

Oh cool workaround, but what if Apache or Personal Web Server happens to be installed and running on their PC?

Thanks
Joe

what if Apache or Personal Web Server happens to be installed and running on their PC?

They get a few points added to their 'fraud point value'. If there are other warning signs and their point value grows beyond a certain threshhold, their signup is blocked.

Everyone should head on over to http://www.combatfraud.org and check that place out.

I don't think it's an indonesian site.

dear admin,
i have idea to track indonesia`n domain

if you want please do to www.kamus.web.id to translate some word from indo to english.


~indonesia Carder~

They use free email account, such as yahoo, hotmail, etc. Many business people in Indonesian have real email address, with .id domain. Ussually, people with .id domain, not doing CC fraud. Especially *.net.id domain, they are email accounts from the ISP for the registered user. The ISP has their data.

I'm an Indonesian, but I'm not that kinda guy you've mentioned above.

I realize some of our people are fraud. :bawling: But please do not make a statement that any of Indonesian are fraudulent.
Some of us are honest people.

I'd like to make a little help.
Most of Indonesian IP addresses are:
begin with 202 ; 203 ; and 65

but.. those IP are not used by indonesian only. Some country use that too.

Let me be more spesific.

This is absolutely Indonesian IP Addresses:
202.155.XXX.XXX <-== hosted by provider indosat.net.id
202.152.XXX.XXX <-== hosted by provider idola.net.id
65.20.XXX.XXX
65.10.XXX.XXX
203.130.XXX.XXX <-== all of this 3 IP are hosted by telkom.net.id
202.138.XXX.XXX <-== hosted by provider melsa.net.id
202.159.XXX.XXX <-== hosted by provider indo.net.id
202.162.XXX.XXX <-== hosted by exolution.net
202.146.XXX.XXX <-== hosted by provider centrin.net.id
202.143.XXX.XXX <-== hosted by provider teras.net.id

Okay.. as far as I know, that are the Indonesian IP addresses.
You can block those IP's, but I'm quietly sure, that won't protect you 100% from fraudulent. They can use proxies.

I suggest you to
-make an IP track on your site. Any order that come from different address according to the billing address and the domain record, will be rejected.
-Or.. do not receipt order from free email.

And.. if you found a fraud action on your site, please don't waste your time contacting Indonesian Police. They don't know any about this Internet Crime and they can no nothing. THERE ARE NO CYBER LAW in Indonesia. That's what make those poeple so easy to place a stolen credit card order.


That's all..
I Hope that would help.
And I hope that would reduce Indonesian credit card fraud. :(
Thanks

I again recommend that everyone enhance their signup system to do more than just IP blocking. netgeo.caida.org (I think) provides IP->country lookup, which you can compare against billing address. To check for proxies, try a socket connection to 80, 8080, and 3128. Yahoo/hotmail addresses should add a few 'fraud points'. Signing up for the most expensive hosting plan should too. Signing up at 3AM, browser language settings, and other factors can all be queried.

hi,

can we actually give them a call to ensure that such a person really exist?

or may be we can call the credit card company directly to ensure everything is valid?

will this way reduce the chances of fraud?

hi guys,

I just want to add my experiences dealing with these people. I'm an Indonesian-American and yes .. .I do too had my shares dealing with these stolen credit card. I've found out few things about them :

1. About 95% of them are using proxy and for some reason, most of them are using webcache.bt.net (194.72.9.37) proxy server. I believe bt.net is based in UK. So if any of you work for bt.net or know somebody work for them, please let them know that their proxy server is open to just about anybody.

2. Eventhough they have all of the credit card informations such as name, billing address, phone number. They're still using a free web based email or they have a their own domain name which most of the time you'd able to tell from its name.

3. Most of them made their order not from their house or office, but from Internet Cafe. So it can be pretty hard to track down.

4. They do not have a CVV number !!! That's the key to protect yourself from these people. I think authorize.net support CVV now and since I added CVV to my order form .. that seems to stop them.

So if your merchant account support CVV checking, use it ... it helps a lot.

I hope these informations help everyone here. If you need help identifying or translating some Indonesian domain/words .. send me PM .. I'll be glad to help.


Cheers,

Originally posted by NinthSwat


REMOTE_ADDR: 203.130.238.56

Track IP :D

Just a note for everyone that tracks Remote IP's. It doesn't always tell you the correct location that they signed up from. A lot of these guys use proxy servers when they order an account from you to disguise where they came from. A good majority of the time, the Remote IP on a fraudulent signup is a proxy. :(

A suggestion to detect Proxy upon signup:

Check for the environment variable "HTTP_VIA" or the HTTP header "Via". If it is defined, it's through Proxy.

Cheers
Jing Wee

* Frauds usually order the Domain registeration with the hosting .. or order with un-registered domain ..

* Frauds not care a lot about money .... so may order "extra 10 pop accounts" and buy also in same order "unlimited pop accounts"

* frauds usually not care about chars case ..... they type name address all in lower case, they type a phone number without spaces or '-'

* not filled any optional fields ,,,,,

when i have grat doubt about order .. i send the buyer an email ask for any thing ( code area, ..) .. Fraud never respond

Originally posted by dhlsg


I agree, trust no one with this information.
Especially from Indonesia
Steve :)

Dear All;

I understand the problems and difficulties caused by certain Indonesians. But please do not stereotype that ALL Indonesian cannot be trusted.

I'm Indonesian, and I use my own credit card (citibank) to purchase many things over the internet, especially books. I also found that nowsaday it is becoming difficult to purchase over the internet from Indonesia..., including purchasing for domain name and hosting services. And, frankly speaking, it is SUCKS..! I hate those guys who do the carding..., they also make my live difficult..!

If you guys need any information with regards to Indonesian ISP or anything related to the internet, please let me know, I will try my best to answer your questions. I will try to find out IP's used in Indonesia, but it should be a way that Indonesians who really would like to do a transaction over the net could be done. Honestly, I, myself, do not have any ideas about that matters...

The carding activities in Indonesia usually comes from what we called "WARNET" stand for "WARUNG INTERNET" which is actually Internet Cafe which mostly utilize dial-up or cable internet without fix IP (Our ISP providing temporary IPs for dial-up and cable internet using DHCP), that's why the IP's are always different.

I cannot promise solving this problem for you, but for sure, I could help you guys by providing explanations and answers to you queries and questions. Please do not hasitate to contact me at: lucky26@indosat.net.id or ibnu@esolusi.com or my mobile: +62-812-909-3007

Thank you for your time reading this message.

Best Regards,
Ibnu Tatang.

Originally posted by valens
They use free email account, such as yahoo, hotmail, etc. Many business people in Indonesian have real email address, with .id domain. Ussually, people with .id domain, not doing CC fraud. Especially *.net.id domain, they are email accounts from the ISP for the registered user. The ISP has their data.

I agree with the above message. Such as my email: lucky26@indosat.net.id It means that my email account is from Indosat ISP in Indonesia, and ISP only provide you email address when you subscribe a dial-up internet connection, then, my data complete data is in Indosat, since they will bill me for the internet connection I use.

Therefore, it is most likely person who utilize xxxx@xxxxx.net.id or others indonesian email address except for free email service do not do carding..., since the ISP have their complete data. If you have a transaction from Indonesia which uses free mail such as @hotmail.com or @yahoo.com, you should be carefull.

Dear All webmaster.......
I do apologize for everything, all the fraud have been made by Indonesian. I am Indonesian and I do ashame for what my people have done.

All I can do is suggest you all not to trust any card from Indonesia before :
1. You check the valid email address and the card name is the same name with the email.
2. Call them. Amazon did call me to ensure everything.

that's it !

apologize, and regards.

Ashame Indonesian !

I think it's just not fair to blame all Indonesian people for frauding done by less than 0.001% people. FYI, Indonesia has more than 220 million people!

I'm not ashamed being an Indonesian, I condemn them who did such a crime without looking at their nationality, race, religion... :angry:

After considering this issue for some time, and even though we had received many orders from Indonesia that were all fraudulent, and never a real order, we have decided to stop blocking Indonesian IP addresses. Basically instead of blocking the IP addresses, we will now manually screen those orders, as I believe it was unfair before blocking everyone, even though the vast majority of Indonesians are no doubt honest people.

I hope we have made the right choice in so doing. :)

wise decision Robin! :)

I have put my .htaccess to block indonesia from even viewing site... along w a 2nd one in the Order forms (just in case).
IMHO it doesn't matter if alot of ppl are legit their are way to many instances of people from there w/ fraud and they don't stop w/ 1 try.. no they will try to order as much as possible.. To me thats too much headache/risk/bs to deal with.
Especially since the countries own goverment is helpless (or not willing) to stop this.
Maybe when your country is blocked COMPLETELY from even using the internet, they will get their heads out their azz'z and do something to stop this junk. Till then IMHO it is not worth my time/merchant account/stress !!!!

Originally posted by avara
Today we received an order for our $240/yr hosting package, from Indonesia. The credit card was stolen (thanks TomD and the team at 2Checkout, for figuring this out). :)

Anyway my question is does anyone have a sample .htaccess file which only blocks Indonesian IP addresses? I saw some posted previously, but they contained lots of other countries as well.

Edit: By the way, TomD, if you are reading this... How about giving us an option to block out only a select few "high risk" countries such as Indonesia?

Dear Avara, we certainly know how you feel. Approx. 1 month ago we had a user literally reap havoc on our system to the point where we had to tighten up our credit card security and at certain times completely shutdown our credit card gateway. The user first dialed in from Indonesia and left valid credit card charges totalling more than 1800.00. Fortunately we caught them all and voided them before the card holders found out. He continued to charge up literally hundreds of dollars in charges over the next 3 days. We did our own investigation and identified the user as calling in from Virginia. He made so many stupid mistakes when he signed up that we were surprised how easy it was to identify him. All the credit cards he used were VA resident names and addresses. We even found his real email address, his real name and everthing but that did not seem to be enough when we reported him to 5 and i repeat 5 fraud agencies and NOT ONE of them ever got back with us. Your other high rick countries are Asia, Turkey, France even Australia. We have blocked Asia completely from our servers including Indonesia.

hello, i came from indonesia.
i'm so sorry i have bad english..
i'm interested reading this thread, maybe this is usefull for me ..

but, maybe i can do for all of you..?
ps: you can call me romzie, or manusiafitrah. :)

Blocking indonesia IP and free email is not a good idea
indonesia is good market

If order from indonesia
credit card number and country must be from indonesia, cause usualy we use same address for credit card billing and address.

like this
Billing info and shipping address
Name : hotdude
card number : 4541 7800 xxxx xxxx
country : indonesia

Shipping info
Name : hotdude
card number : 4541 7800 xxxx xxxx
Address : bla bla bla
country : indonesia

and fraud one :

Name : hotdude
card number : 4xxxx xxxx xxxx xxxx
country : usa

Shipping info
Name : hotdude
Address : bla - bla - bla - bla - bla
country : indonesia

----------- Use your ****in' brain ----
It called fraud.

Hi everyone, I strongly belive blocking ip ranges is not a good idea to prevent fraud as you may loose many legite customers and most of all more then 50% of total online fraud comes from a anonymous proxies and fraudsters these days are smart enough to get a anonymous proxy that match billing address of credit card. I think there is one solution to this by recording pc clock time of computer from where order is placed and this stime should match local time of card billing address to process transaction. As some one said before there is only 1% of fraud comming from states and as far as i know 60% of fraudsters have credit/debit cards from us. This makes a lot of difference in time zones of actual billing address of stolen cards and location of fraudsters. I dont know if some solution is available for this time recording thing but i think this can be easily done with java.

Hope this might help.