Re: Blocking IP's / e-com fraud

[Stian Øvrevåge <sovrevage () gmail com>]

Hello,

I would advise you to look up the ip-addresses in question in the
respective Whois databases, such as ARIN, RIPE, APNIC, etc.
The databases usually tells you who "owns" the entire subnet, and
there is also likely contact information on who to contact in case of
abuse, which fraud attempts most certainly are!

For example, I ran a whois on microsoft.com at ARIN and the database showed:
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse 
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse () hotmail com

It also told me what range of ip-s they are assigned:
NetRange:   207.46.0.0 - 207.46.255.255 

I cannot give a detailed guide of IIS but the subnet masks of 10.0.*.*
is 255.255.0.0, it is a certain chance you can block several subnets
in one go, but this does require some binary math. So unless it is 30+
different nets I would think "classfull" blocking is easiest.

Note: If IIS supports CIDR notation in network/subnet specification
you might want to use a /16 instead of 255.255.0.0.

Good Luck, Stian


On Wed, 29 Dec 2004 19:44:38 -0600, Dan Tesch <dan.tesch () comcast net> wrote:
> Hello, I am working with an e-commerce company.
> They get a fair amount of attempted fraud but do a
> decent job at ferreting this out during order processing.
>
> There are several persons who attempt orders over
> and over again - we can track their IP and the e-mail
> address they attempt to use - we have blocked single
> IP's in IIS before but one person in particular keeps
> coming back placing small orders (like $40), our
> suspicion is they are probing.
>
> I have several questions:
>
> Is there a resource anyone knows of to search for IP's
> like this and/or e-mails people consistently use for fraud?
> (Google hasn't been any help at all)
>
> The person I referenced before keeps coming from different
> IP's but all from the same range (home user with DHCP?)
>
> In IIS if I want to block an entire range like:
>
> XXX.78.0.0 - XXX.83.255.255
>
> how should that look in the IIS Mgr?
>
> do I need to make multiple entries like:
> XXX.78.0.0
> XXX.79.0.0
> XXX.80.0.0, etc.?
>
> and what should the subnet masks look like?
>
> Thanks for any help or reference.