Security Basics mailing list archives
Re: Blocking IP's / e-com fraud
From: Stian Øvrevåge <sovrevage () gmail com>
Date: Thu, 30 Dec 2004 20:37:02 +0100
Hello, I would advise you to look up the ip-addresses in question in the respective Whois databases, such as ARIN, RIPE, APNIC, etc. The databases usually tells you who "owns" the entire subnet, and there is also likely contact information on who to contact in case of abuse, which fraud attempts most certainly are! For example, I ran a whois on microsoft.com at ARIN and the database showed: OrgAbuseHandle: HOTMA-ARIN OrgAbuseName: Hotmail Abuse OrgAbusePhone: +1-425-882-8080 OrgAbuseEmail: abuse () hotmail com It also told me what range of ip-s they are assigned: NetRange: 207.46.0.0 - 207.46.255.255 I cannot give a detailed guide of IIS but the subnet masks of 10.0.*.* is 255.255.0.0, it is a certain chance you can block several subnets in one go, but this does require some binary math. So unless it is 30+ different nets I would think "classfull" blocking is easiest. Note: If IIS supports CIDR notation in network/subnet specification you might want to use a /16 instead of 255.255.0.0. Good Luck, Stian On Wed, 29 Dec 2004 19:44:38 -0600, Dan Tesch <dan.tesch () comcast net> wrote:
Hello, I am working with an e-commerce company. They get a fair amount of attempted fraud but do a decent job at ferreting this out during order processing. There are several persons who attempt orders over and over again - we can track their IP and the e-mail address they attempt to use - we have blocked single IP's in IIS before but one person in particular keeps coming back placing small orders (like $40), our suspicion is they are probing. I have several questions: Is there a resource anyone knows of to search for IP's like this and/or e-mails people consistently use for fraud? (Google hasn't been any help at all) The person I referenced before keeps coming from different IP's but all from the same range (home user with DHCP?) In IIS if I want to block an entire range like: XXX.78.0.0 - XXX.83.255.255 how should that look in the IIS Mgr? do I need to make multiple entries like: XXX.78.0.0 XXX.79.0.0 XXX.80.0.0, etc.? and what should the subnet masks look like? Thanks for any help or reference.
Current thread:
- Blocking IP's / e-com fraud Dan Tesch (Dec 30)
- Re: Blocking IP's / e-com fraud Allan Wind (Dec 30)
- Re: Blocking IP's / e-com fraud Stian Øvrevåge (Dec 31)
- Re: Blocking IP's / e-com fraud Stian Øvrevåge (Dec 30)
- Re: Blocking IP's / e-com fraud Allan Wind (Dec 30)