Re: Blocking IP's / e-com fraud

From: Stian Øvrevåge (sovrevage_at_gmail.com)
Date: 12/30/04

  • Next message: Ajay.Mitra_at_iflexsolutions.com: "RE: Firewall for restricting ips based on dynamic acls"
    Date: Thu, 30 Dec 2004 20:37:02 +0100
    To: Dan Tesch <dan.tesch@comcast.net>
    
    

    Hello,

    I would advise you to look up the IP addresses in question in the
    respective Whois databases, such as ARIN, RIPE, APNIC, etc.
    The databases usually tell you who "owns" the entire subnet, and
    there is also likely contact information on who to contact in case of
    abuse, which fraud attempts most certainly are!

    For example, I ran a whois on microsoft.com at ARIN and the database showed:
    OrgAbuseHandle: HOTMA-ARIN
    OrgAbuseName: Hotmail Abuse
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@hotmail.com

    It also told me what range of IPs they are assigned:
    NetRange: 207.46.0.0 - 207.46.255.255

    I cannot give a detailed guide to IIS, but the subnet mask of 10.0.*.*
    is 255.255.0.0. There is a certain chance you can block several subnets
    in one go, but this does require some binary math. So unless it is 30+
    different nets I would think "classful" blocking is easiest.

    Note: If IIS supports CIDR notation in network/subnet specification
    you might want to use a /16 instead of 255.255.0.0.

    Good Luck, Stian

    On Wed, 29 Dec 2004 19:44:38 -0600, Dan Tesch <dan.tesch@comcast.net> wrote:
    > Hello, I am working with an e-commerce company.
    > They get a fair amount of attempted fraud but do a
    > decent job at ferreting this out during order processing.
    >
    > There are several persons who attempt orders over
    > and over again - we can track their IP and the e-mail
    > address they attempt to use - we have blocked single
    > IP's in IIS before but one person in particular keeps
    > coming back placing small orders (like $40), our
    > suspicion is they are probing.
    >
    > I have several questions:
    >
    > Is there a resource anyone knows of to search for IP's
    > like this and/or e-mails people consistently use for fraud?
    > (Google hasn't been any help at all)
    >
    > The person I referenced before keeps coming from different
    > IP's but all from the same range (home user with DHCP?)
    >
    > In IIS if I want to block an entire range like:
    >
    > XXX.78.0.0 - XXX.83.255.255
    >
    > how should that look in the IIS Mgr?
    >
    > do I need to make multiple entries like:
    > XXX.78.0.0
    > XXX.79.0.0
    > XXX.80.0.0, etc.?
    >
    > and what should the subnet masks look like?
    >
    > Thanks for any help or reference.
    >
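
The "binary math" mentioned in the reply, worked through as an added example (not part of either message): it reduces an inclusive address range to the fewest aligned network/mask pairs. The function name `range_to_blocks` is hypothetical, and the first octet 10 is a constructed stand-in for the redacted XXX in the question.

```python
import ipaddress


def range_to_blocks(first, last):
    """Cover first..last (inclusive) with the fewest aligned blocks.

    Returns a list of (network_address, subnet_mask, prefix_length).
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address is above last address")

    blocks = []
    while start <= end:
        # A block must begin on a multiple of its own size, so the lowest
        # set bit of the start address caps how large the block can be.
        size = (start & -start) if start else 1 << 32
        # It also must not run past the end of the requested range.
        remaining = end - start + 1
        while size > remaining:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        blocks.append((
            str(ipaddress.IPv4Address(start)),
            str(ipaddress.IPv4Address(mask)),
            prefix,
        ))
        start += size
    return blocks


if __name__ == "__main__":
    # Constructed range: 10 replaces the redacted first octet.
    for net, mask, prefix in range_to_blocks("10.78.0.0", "10.83.255.255"):
        print(f"{net:<12} {mask:<14} /{prefix}")
```

For the constructed range, the six per-/16 entries collapse to two: 10.78.0.0 with mask 255.254.0.0 and 10.80.0.0 with mask 255.252.0.0.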

