  1. #26
    Yes
    I have got "the nose" for it as well.

    Here's an e-mail sent to one of the two frauds that have got through:

    Hello
    We have received an order from you for web hosting.

    We are not processing the order until you have clarified the following
    points:


    1. You claim to be in Louisiana, but it's 6am there at the moment.

    2. The domain name you have requested hosting for does not exist:
    braila-net2.com

    3. You are actually in Israel (194.90.229.195)

    4. The address you gave appears to have been cut and pasted into our order
    form as there were no carriage returns.


    I hope you understand why we are querying this order and look forward to
    hearing from you shortly.

    Gordon Hudson
    Hostroute.com Ltd
    http://www.hostroute.net/
    Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
    View my Professional Profile: www.gordonhudson.com

  2. #27
    Join Date
    Apr 2001
    Location
    Montana USA
    Posts
    673
    With evidence as clear as in your example, we don't bother contacting the attempted thief. We simply nuke them immediately. I'm apt to spend more time tracking down the real card owner to let them know their card's been compromised. Typical phone conversation:


    Me: "I'm not going to ask you anything about your credit card information, but if it ends in 4254 and expires 8/02, then your card may have been compromised."

    Card Owner: "HOLY S***!!"
    John Masterson
    Former Hosting Company Owner

  3. #28
    Anyone else got any other IPs to block other than the ones already submitted?

  4. #29
    That depends on how strict you want to be or where your market is.

    I am considering blocking Israel as we have no customers there and don't really intend to, but it's a bit like using a sledgehammer to crack a nut.
    We can cope with the odd fraud.
    Blocking those 3 main countries reduced our fraud by over 90%

    Other countries which are prone to this sort of thing are:

    Thailand (but we have had none from there for a long time)
    Romania
    Russia (again not seen one of these for a long time)
    Pakistan

    Certainly these are countries our bank is always issuing warnings about.

    Gordon
    Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
    View my Professional Profile: www.gordonhudson.com

  5. #30
    Join Date
    Apr 2001
    Location
    Montana USA
    Posts
    673
    Originally posted by magnafix
    Here's our International IP checker.


    PHP Code:
        sscanf($ip, "%d.%d.%d.%d", $quad1, $quad2, $quad3, $quad4);

        switch ($quad1)
        {
          case 57:
          case 61:
          case 62:
          case 80:
          case 151:
          case 193:
          case 194:
          case 195:
          case 202:
          case 203:
          case 210:
          case 211:
          case 212:
          case 213:
          case 217:
          case 218:
          case 219:
            return true;

          case 24:
            if ($quad2 132 && $quad2 136) return true;

          case 130:
            if ($quad2 == 237 ||
                $quad2 == 242 ||
                $quad2 == 243) return true;

          case 134:
            if ($quad2 == 75) return true;

          case 141:
            if ($quad2 86) return true;

          case 165:
            if ($quad2 == 21) return true;

          case 169:
            if ($quad2 207 && $quad2 224) return true;

          case 170:
            if ($quad2 == 60) return true;

          case 192:
            if ($quad2 == 36 ||
                $quad2 == 164 ||
                $quad2 == 165 ||
                $quad2 == 166 ||
                $quad2 == 167) return true;
        }

        return false;
      }

    Little bug in the above code -- make sure to insert 'break;' where appropriate....
    John Masterson
    Former Hosting Company Owner

  6. #31
    Join Date
    Nov 2001
    Posts
    852
    Here you can add these IPs to your list. This guy has Names, Addresses Zips all matching the cards, but they all come back as chargebacks. A lot of the accounts use this domain/password info **but not all the time**

    expl0de.net
    870621345
    d0pe@expl0de.net

    195.24.130.57
    212.45.192.10
    24.186.135.216
    203.146.138.103
    24.186.135.216

    He has charged about 1000 dollars, but we catch them before the batch runs and void them before they even hit the person's CC

  7. #32
    Join Date
    Nov 2000
    Location
    Boston, MA (USA)
    Posts
    773
    Worst fraud attempt ever.....

    Prepaid Dedicated Server that cost $10,000 a year... The order was filled...... Good thing I caught the culprit before Revecom processed it.

  8. #33
    Join Date
    Oct 2001
    Posts
    264
    Originally posted by magnafix



    Little bug in the above code -- make sure to insert 'break;' where appropriate....
    return exits from the function so there is no need for a break statement.
    eat me
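
The fall-through behaviour discussed in the two posts above, as an added example that is not part of either post: in a `case` whose `if` does not match, no `return` runs, so control continues into the next case's test. The function names are hypothetical, the sample addresses are constructed, and only the cases whose conditions are legible in the quoted checker are reproduced.

```php
<?php
// Added illustration; function names are hypothetical. Only cases from the
// quoted checker whose conditions are fully legible are reproduced here.

// Conditional cases written as posted: no break after each if.
function blocked_fallthrough(string $ip): bool
{
    if (sscanf($ip, "%d.%d.%d.%d", $quad1, $quad2, $quad3, $quad4) !== 4) {
        return false;
    }
    switch ($quad1) {
        case 130:
            if ($quad2 == 237 || $quad2 == 242 || $quad2 == 243) return true;
        case 134:
            if ($quad2 == 75) return true;
        case 165:
            if ($quad2 == 21) return true;
        case 170:
            if ($quad2 == 60) return true;
    }
    return false;
}

// Same tests with break: each first octet is compared with its own list only.
function blocked_with_break(string $ip): bool
{
    if (sscanf($ip, "%d.%d.%d.%d", $quad1, $quad2, $quad3, $quad4) !== 4) {
        return false;
    }
    switch ($quad1) {
        case 130:
            if ($quad2 == 237 || $quad2 == 242 || $quad2 == 243) return true;
            break;
        case 134:
            if ($quad2 == 75) return true;
            break;
        case 165:
            if ($quad2 == 21) return true;
            break;
        case 170:
            if ($quad2 == 60) return true;
            break;
    }
    return false;
}

// Constructed sample addresses: one intended match, then addresses whose
// second octet appears only in a LATER case's list.
$samples = ['130.237.1.1', '130.75.1.1', '134.21.1.1', '165.60.1.1', '170.21.1.1'];

foreach ($samples as $ip) {
    printf(
        "%-12s fallthrough=%-5s with_break=%s\n",
        $ip,
        var_export(blocked_fallthrough($ip), true),
        var_export(blocked_with_break($ip), true)
    );
}
```

The two functions disagree on 130.75.1.1, 134.21.1.1 and 165.60.1.1, which the first form reports as blocked because a later case's test runs for them.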

  9. #34
    Originally posted by magnafix
    Here's our International IP checker.


    PHP Code:
        sscanf($ip, "%d.%d.%d.%d", $quad1, $quad2, $quad3, $quad4);

        switch ($quad1)
        {
          case 57:
          case 61:
          case 62:
          case 80:
          case 151:
          case 193:
          case 194:
          case 195:
          case 202:
          case 203:
          case 210:
          case 211:
          case 212:
          case 213:
          case 217:
          case 218:
          case 219:
            return true;

          case 24:
            if ($quad2 132 && $quad2 136) return true;

          case 130:
            if ($quad2 == 237 ||
                $quad2 == 242 ||
                $quad2 == 243) return true;

          case 134:
            if ($quad2 == 75) return true;

          case 141:
            if ($quad2 86) return true;

          case 165:
            if ($quad2 == 21) return true;

          case 169:
            if ($quad2 207 && $quad2 224) return true;

          case 170:
            if ($quad2 == 60) return true;

          case 192:
            if ($quad2 == 36 ||
                $quad2 == 164 ||
                $quad2 == 165 ||
                $quad2 == 166 ||
                $quad2 == 167) return true;
        }

        return false;
      }
    How do we use this ?

  10. #35
    Join Date
    Oct 2001
    Posts
    264
    Originally posted by dbnet


    How do we use this ?
    Actually this is much better than putting it in .htaccess

    just insert this code in a function and call it from your order form and if it returns true, then you just say "sorry we are currently not accepting orders from your area"

    Note tho... that this script blocks 202.* which includes Australia as well!

    Cheers
    eat me

  11. #36
    add this IP to your list

    202.162.34.30

    This guy's pissin me off

  12. #37
    Hello
    As the person who started this thread I thought I should give an update.
    We are continuing to block certain countries and our credit card fraud rate has decreased to practically zero.
    All we get now is the odd malicious chargeback where a real card has been used but someone fancies some free services.

    However, we have noticed some very odd logs with repeated multiple (automated?) attempts to access our web sites thousands of times from the same IPs in the countries we have blocked.

    e.g.

    1 3335 4.04% 0 0.00% 997 0.46% 1 0.02% 202.155.37.233


    3335 attempts to access our main website resulting in 0 files being served to the visitor.
    The IP is in Indonesia

    Our logs are full of these by the thousands from Malaysia and the Philippines also.

    SO........... I guess we have pissed some people off big time and they have decided to retaliate.
    Not quite a ddos attack but strange nonetheless.

    Gordon
    Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
    View my Professional Profile: www.gordonhudson.com

  13. #38
    Join Date
    Oct 2001
    Posts
    264
    Hi Gordon,

    Could you post your latest IP list? Much appreciated thanks
    eat me

  14. #39
    Hello

    Haven't really updated it since, but I am about to add the new IP blocks for the three countries I am interested in blocking.
    At the time I drew up the original list they had been allocated but not delegated to APNIC.
    Now some of them are being used I need to add them.
    I will post the list or the raw data when I get round to updating it.

    I would also say that the majority of these issues come from IPs on the academic/university networks.

    While we are at it, could someone explain why these countries produce credit card fraudsters, but others don't seem to?
    I mean, yes these countries have some poor rural areas but they are not that poor.
    We have never had a credit card fraud from Singapore but we have from Malaysia (and we do a lot of business with Singapore).
    We have never had a fraud from India but we have from Pakistan.
    We have never had a fraud from a Central or South American country, even relatively poor countries like Ecuador and Bolivia where we have customers have not proved to be any problem.

    So..... what gives?
    Why these countries?

    Gordon
    Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
    View my Professional Profile: www.gordonhudson.com

  15. #40
    Join Date
    Oct 2001
    Posts
    264
    Culture perhaps?

    By the way have you had any experience good or bad with China?
    eat me

  16. #41
    Funny you should mention China.
    About 10 minutes ago we had a domain registration from the US but an IP in china.
    Just phoned the card holder - he has no knowledge of the transaction.

    That's our first fraud for a very long time.

    As always it was a 5 year domain registration.
    I don't think we have ever had a genuine domain registration longer than 3 years and every 10 year one we have had was a fraud.

    Gordon
    Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
    View my Professional Profile: www.gordonhudson.com

  17. #42
    Join Date
    Oct 2001
    Posts
    264
    How do you find out / phone the real CC card holder?

    Which payment gateway did you use, does the card info get through you first?

    Sorry if this is too many questions, but I will be opening CC order soon so these things are pretty important.

    Thanks
    eat me

  18. #43
    The fraudster had actually put the card holder's real number on the order.
    Normally I look them up in one of the online telephone directories.
    The purchase had already been cleared so we have lost $4.55 because of the commission we have to pay on the transaction.
    We use Worldpay and it's possible to do manual authorisation but if you do this it prevents you doing monthly payments as it would all get too complicated.

    Gordon
    Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
    View my Professional Profile: www.gordonhudson.com

  19. #44
    Join Date
    Oct 2001
    Location
    Philadelphia, Pa
    Posts
    76
    Yeah, I've had the same experience where they actually use the correct phone number during signup of the cardholder. God, what a horrible call to have to make!! Needless to say, we no longer have fully automated transactions.

    We have also blocked Indonesia, and other similar areas, but...

    Just last night, I watched in real time as someone who said they were from Texas
    1. signed up with a card from Texas - denied
    2. signed up with a card from Florida - denied
    3. signed up with card from Montana - ok
    4. IP address from MA

    Then they provided me the phone number of the credit card bank, which was in New Jersey!

    Boy these people are creative

    jv
    BlackStar Web Hosting
    www.blackstarhosting.com

  20. #45

    Two Steps we Take

    One-We do require phone number and verify it with the address, calling it if at all suspicious.

    Two-we require the security code from the back of the card-the three digit code-this is not as readily available and, at least to this point, requires physical presence of card.

  21. #46
    Join Date
    Feb 2002
    Location
    Indiana
    Posts
    49
    Originally posted by muppie


    Actually this is much better than putting it in .htaccess

    just insert this code in a function and call it from your order form and if it returns true, then you just say "sorry we are currently not accepting orders from your area"

    Note tho... that this script blocks 202.* which includes Australia as well!

    Cheers
    Hello All!

    First let me say that it was great to stumble across this thread, it is the most useful material I have ever read on this subject in one place!

    We have been dealing with this problem for years and have come to the same conclusions you have. Our deny list was not as complete as the one here however so I am going to update it.

    I want to warn you that there are some problems associated with this if you have a high bandwidth site. Artbycheryl.com transfers about 30-40 gb per month and a deny list half as long as the one posted here ground our normally spectacular shared server to a complete halt. Remember that every single request goes through that routine, every image, every document, etc.

    Fortunately, our cart that handles orders across all of our domains is located on a different server and has significantly less traffic. We use the htaccess deny list on it and just deny crooks access to our cart for placing fraudulent orders.

    Unfortunately, this forces us to allow users from countries who habitually abuse our goodwill to have access to our popular sites that contribute to the legitimate web community. If I had my way I would deny all of our sites to everyone in those countries. Why should we offer them anything when we could not accept an order from them anyway, they are just wasted bandwidth.

    The php script discussed might solve the problem, I can think of a couple of ways to implement it that might work. I don't understand how to use it though... can you be more specific? I am perl literate but have worked very little with php... what does the html tag look like to call the function and how (where) do you install the script?

    We registered combatfraud.org out of sheer frustration with the system that allows fraud to flourish. It is not complete yet but the content will be very similar to this thread. I am writing it with the new web merchant in mind in order to pass along our trial and error learned knowledge to the less experienced.

    I would like to offer this script along with detailed instructions on how to install and implement it. Of course you will get full credit for authoring it and a link if you allow me to share it.

    I have some more to add but I will do it in another post. I can't tell you how happy I am to have found a group of people who share and talk about this serious problem! We were really starting to feel like an island under siege here.

    Rick Thompson
    fortweb.com
    artbycheryl.com
    photoimpact-objects.com
    etc., etc., etc.

  22. #47
    OK Rick
    Well I felt the same way.
    Something had to be done.
    We don't have the problem because our business sites are on dedicated servers.
    The .htaccess deny list works but it's not very elegant.
    I don't like the php solution suggested because it blocks too many countries including Australia which would lose us money.

    We have had three frauds recently.
    One from Nepal with someone using a satellite internet connection with a US IP address.
    The others from China.

    We also had one from Taiwan although it has not been confirmed as a fraud yet (it was warez so I assume the card was a stolen number)

    Gordon
    Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
    View my Professional Profile: www.gordonhudson.com

  23. #48
    Join Date
    Feb 2002
    Location
    Indiana
    Posts
    49
    Originally posted by GordonH
    Actually I looked at this page earlier (found it on Google) but I can't work out what should be here:

    RewriteRule ^/.* - [F]

    The rule needs to point to a file.
    I will need to read through the manual.

    Gordon
    Mod rewrite to redirect... remember that you have to redirect them to another server, they can't get anything from the domain you have the deny on except the error message.

    Can you specify an entire path to your 403 file? I am not sure about this but you can try it...

    Instead of ...

    ErrorDocument 403 /403.shtml

    use the entire path to another file located on another server for your 403 error document.


    How about this, I think you can pass error messages through the default 403 document like this...

    ErrorDocument 403 "We're sorry, but your access has been denied due to idiots who share your IP address.

    Rick Thompson

  24. #49
    Join Date
    Nov 2001
    Location
    Singapore
    Posts
    769
    Just want to check - no one is blocking out Singapore, right?

    Since recently, I've not been able to access a few web hosting services - including mine with spiral - did you guys block us Singaporeans out by mistake? Cos the ISP that I'm on is quite major in SE Asia

  25. #50
    I posted this on hosting software and control panels forum, this is a freeware and open source script I made that checks an IP mask list and redirects a person to a different page if his IP belongs to a specific mask.

    Here are the contents from that thread
    Well, I was hit with about 2 fraudulent orders from Indonesia this month, so I decided to make this script, I saw couple of posts by some people with ways to disable access to the site completely using httpd.conf but I really think that's just a way to lose a fraction of customers from Asian countries, small fraction but it does matter.

    Therefore I made this script, what it does is that if a person's ip belongs to the one in the ipmasks it redirects him to some other page you specify and if it isn't then it redirects him to the order page you specify. On my site I made it redirect to a page where it asks the person to send faxed copy of their CC front and back side and provide other information.

    It supports ability to check proxies by opening connections on ports 8080, 8008, 1080 etc (You can add your own by editing config.php) and also the ability to check the extensions of reversed hostmask (say most isps in Malaysia use .my hostmasks instead of normal ips, check hostmasks.txt for adding your own) and also the ability to check a certain email address and see if it belongs to the free email providers list.

    Here is the extract from readme.txt I wrote:


    quote:
    --------------------------------------------------------------------------------

    //######################
    // CC Fraud Checker Script v1.0
    //######################
    // Copyright (c) 2001 Varun Shoor
    // Email: varun@kayako.com
    //######################
    // You are free to redistribute this script
    // provided this header is kept intact
    //######################

    I made this script in my part time because I had processed about 2 fraudulent orders from Indonesia
    this month alone and I was getting tired of getting hit with transaction fees and all.

    Requirements:
    PHP 4.0.1pl1 or later

    Usage:
    To use this script, edit the config.php to suit your needs, once you have failed url and success url set up
    replace the current order links at your pages with the ones in this script, Example:
    <a href="http://www.yourdomain.com/checker/index.php">Click Here to Order!</a>

    If the person's IP belongs to the one in mask, he will be redirected to the failed url page else he will be
    redirected to the success url page, I recommend you ask the person to fax his credit card's front and back
    sides at the failed url page so you don't lose on customers.

    Extended Functionality:
    You can further make it check the emails, for this purpose you can redirect a person to say:
    http://www.yourdomain.com/checker/i...aud@hotmail.com if the email host matches the
    one in emailist.txt it will redirect the person to the failed url page. It is recommended you use email functionality
    from within your order form script if it's in PHP.

    Adding more ips, hosts, emails:
    Look into ipmasks.txt, all ips should have a * as a wildcard, example: 202.*.54.*
    hostmasks.txt contain the last domain name TLD, I have yet to implement wildcard functionality into it
    emailist.txt contains the list of free email providers
    To add more proxy ports look into config.php

    If you have any more questions or improve the listing of ipmasks or hostmasks then do email me at varun@kayako.com

    --------------------------------------------------------------------------------



    Just thought this might help other people suffering from these problems, I have yet to thoroughly test proxy checking+hostmask checking but AFAIK it should work perfectly.

    Hope that helps

    Regards,

    Varun Shoor
    EDIT: My site is down as I am moving it to a different provider so you can't see it in working but if anyone else has used this script they can post the URLs for others to see
    eSupport - Feature Packed & Robust Support System (Supports email+web based interface)
    LiveResponse - The Ultimate Live Support Package (Unmatched features & Speed)
    http://www.kayako.com
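
One way to implement the ipmasks.txt wildcard match described in the readme above, as an added example that is not the CC Fraud Checker script's own code. The function names, masks and addresses are constructed for the illustration, and sending anything that is not a plain IPv4 address to the manual-verification page is an assumption.

```php
<?php
// Added illustration of the "202.*.54.*" mask format described in the readme.
// Function names and sample data are hypothetical, not the script's own code.

// Parse one ipmasks.txt-style line: four fields, each "*" or a number 0-255.
// Returns an array in which null means wildcard, or null for a malformed line.
function parse_mask(string $line): ?array
{
    $fields = explode('.', trim($line));
    if (count($fields) !== 4) {
        return null;
    }
    $mask = [];
    foreach ($fields as $field) {
        if ($field === '*') {
            $mask[] = null;
        } elseif (ctype_digit($field) && strlen($field) <= 3 && (int)$field <= 255) {
            $mask[] = (int)$field;
        } else {
            return null; // e.g. "20*", "256" or an empty field
        }
    }
    return $mask;
}

// True when every non-wildcard field of the mask equals the address octet.
function ip_matches_mask(array $octets, array $mask): bool
{
    foreach ($mask as $i => $want) {
        if ($want !== null && $octets[$i] !== $want) {
            return false;
        }
    }
    return true;
}

// Returns 'failed' (the manual-verification page) or 'success' (the order page).
// $ip should be the connection's peer address, e.g. $_SERVER['REMOTE_ADDR'],
// not a value taken from a client-supplied header.
function route_order(string $ip, array $maskLines): string
{
    // Assumption: anything that is not a plain IPv4 address goes to manual review.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return 'failed';
    }
    $octets = array_map('intval', explode('.', $ip));
    foreach ($maskLines as $line) {
        $mask = parse_mask($line);
        if ($mask !== null && ip_matches_mask($octets, $mask)) {
            return 'failed';
        }
    }
    return 'success';
}

// Constructed mask list (documentation address ranges) with one malformed line.
$masks = ['203.0.113.*', '198.51.*.*', '192.*.2.*', '20*.1.1.1'];

// Constructed sample addresses.
$samples = ['203.0.113.9', '198.51.100.77', '192.0.2.1', '192.0.3.1', '20.1.1.1', 'not-an-ip'];
foreach ($samples as $ip) {
    printf("%-14s -> %s\n", $ip, route_order($ip, $masks));
}
```

A malformed line such as `20*.1.1.1` is skipped rather than treated as a partial wildcard, so a typing error in the mask file cannot widen a block.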
