  1. #1

    How to check anonymous proxies

    I am getting a million fraudulent orders. All from different U.S.-based IPs. Since most of those orders come in at night, I assume there is a big chance that they originate from overseas through U.S.-based anonymous proxies. Does anybody know how you can check if the customer is using an anonymous proxy by his IP address?

  2. #2
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,910
    Are you looking for an automated solution (http://www.maxmind.com/app/proxy) or a manual way to check each IP address if it is an open proxy?
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  3. #3
    Join Date
    Aug 2002
    Location
    Denmark
    Posts
    432
    Well, you can't really block proxies, but you might block a few of them, as mentioned above.
    Checkout www.crunzh.com for nice freeware programs. Including a program for monitoring your webserver.
    Any opinions in this post, unless otherwise noted, are my own personal opinions.

  4. #4
    Quote Originally Posted by Pat H
    Are you looking for an automated solution (http://www.maxmind.com/app/proxy) or a manual way to check each IP address if it is an open proxy?
    I actually am using maxmind to check IP addresses for anonymous proxies, but according to maxmind those are not anonymous proxies. Here are just some examples of IPs of the person that was trying to steal. Is there a different way to check if they are anonymous proxies?


  5. #5
    The problem is that those IP addresses are not using the common proxy ports, so it's very possible that they could be part of a botnet of infected computers.

    If you're starting to lose money due to fraudulent orders, you may have to use other techniques to verify the origin of the credit card.

  6. #6
    Quote Originally Posted by Pat H
    it's very possible that they could be part of a botnet of infected computers.
    Yes, I thought about it too. What techniques are usually used to fight this kind of fraud in addition to calling the customer on the phone?

  7. #7
    You can check the IP address's geographic location and compare it to the information on the order form... of course if they have an infected computer in that area it'll be pointless.

    If it's a large (expensive) order (dedicated servers, software, etc) you could always ask for a copy of their ID. This might be subject to privacy laws in your area that you would have to look into.

    It also doesn't hurt to do a quick Google search on their email address, and a WHOIS on their domain name to see if anything unusual turns up.

  8. #8

    Open Proxies

    Are you using the minFraud service? If so, the proxyScore output field should tell you that these IPs are open proxies. The anonymous proxy indicator only covers a limited set of proxies. For more details on how we categorize the open proxies vs anonymous proxies, go to maxmind.com/app/ipauthentication

    If you migrated over from the old Credit Card Fraud Detection service from a few years back, you might not be seeing the proxyScore field, since that field was added a couple of years ago. I would check your script to make sure you are capturing the proxyScore output from MaxMind.

    -TJ Mather
    MaxMind LLC

  9. #9
    Thanks TJ. Below is an extended list of IPs that this guy was using (I got tired of writing down his IPs after a while) yesterday. Are you saying minFraud was supposed to indicate to me that every single one of them is an open proxy?


  10. #10
    Quote Originally Posted by tjmather
    you might not be seeing the proxyScore field
    I do see it, and I just checked all the responses for all those orders. For every single one of them the proxyScore equals 3.00. Only one order has a value of 1.50 (IP: 65.35.138.129). Is 3 generally high enough? I see that your scale for that field is from 0 to 10.

  11. #11

    proxyScore

    Yes, a proxyScore of 3 or above is high risk.

    Here's the probability of fraud given the proxyScore:

    Proxy Score      Fraud likelihood
    0.5              15%
    1.0              30%
    2.0              60%
    3.0 or higher    90%

    -TJ
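
The check discussed in posts #8 to #11, as an added example that is not part of the thread and not MaxMind's code: it triages an order on proxyScore rather than on the anonymous proxy indicator alone, and sends the order to review when the field was never captured. The `key=value;key=value` response layout, the order ids and the sample responses are assumptions constructed for illustration; the thresholds come from the table in post #11.

```python
# Added example, not MaxMind's code. Assumption: the response body is a
# ';'-separated list of key=value pairs; samples below are constructed.

# (minimum proxyScore, fraud likelihood) rows from the table in post #11.
LIKELIHOOD = [(3.0, 0.90), (2.0, 0.60), (1.0, 0.30), (0.5, 0.15)]

def parse_response(body):
    """Split 'k=v;k=v' into a dict, skipping empty or malformed parts."""
    fields = {}
    for part in body.strip().split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def triage(body, hold_at=3.0, review_at=1.0):
    """Return (decision, reason); fail closed when the score is unusable."""
    f = parse_response(body)
    if f.get("err"):
        return "review", "service error: " + f["err"]
    raw = f.get("proxyScore")
    if not raw:
        # Post #8: an old integration may never capture this field.
        return "review", "proxyScore missing from response"
    try:
        score = float(raw)
    except ValueError:
        return "review", "proxyScore not numeric: " + raw
    if not 0 <= score <= 10:  # scale stated in post #10; also rejects NaN
        return "review", "proxyScore out of range: " + raw
    # Assumption: scores between table rows take the lower row's likelihood.
    floor = next((p for s, p in LIKELIHOOD if score >= s), 0.0)
    reason = f"proxyScore {score:.2f}, fraud likelihood at least {floor:.0%}"
    if score >= hold_at:
        return "hold", reason
    if score >= review_at:
        return "review", reason
    return "accept", reason

SAMPLES = {  # constructed responses, keyed by a made-up order id
    "A100": "countryMatch=Yes;anonymousProxy=No;proxyScore=3.00;err=",
    "A101": "countryMatch=Yes;anonymousProxy=No;proxyScore=1.50;err=",
    "A102": "countryMatch=Yes;anonymousProxy=No;err=",
    "A103": "countryMatch=Yes;anonymousProxy=No;proxyScore=0.00;err=",
}

if __name__ == "__main__":
    for order_id, body in SAMPLES.items():
        print(order_id, *triage(body))
```

Every sample has `anonymousProxy=No`, which is the situation described in post #4: the orders are only separated once proxyScore is read.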

  12. #12
    The trouble is that there are a lot of proxies that are not open. Services like cotse.net and anonymizer.com

  13. #13
    I have special software for it
