Home page logo
/

basics logo Security Basics mailing list archives

Re: Blocking IP's / e-com fraud
From: Stian Øvrevåge <sovrevage () gmail com>
Date: Thu, 30 Dec 2004 20:37:02 +0100

Hello,

I would advise you to look up the ip-addresses in question in the
respective Whois databases, such as ARIN, RIPE, APNIC, etc.
The databases usually tells you who "owns" the entire subnet, and
there is also likely contact information on who to contact in case of
abuse, which fraud attempts most certainly are!

For example, I ran a whois on microsoft.com at ARIN and the database showed:
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse 
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse () hotmail com

It also told me what range of ip-s they are assigned:
NetRange:   207.46.0.0 - 207.46.255.255 

I cannot give a detailed guide of IIS but the subnet masks of 10.0.*.*
is 255.255.0.0, it is a certain chance you can block several subnets
in one go, but this does require some binary math. So unless it is 30+
different nets I would think "classfull" blocking is easiest.

Note: If IIS supports CIDR notation in network/subnet specification
you might want to use a /16 instead of 255.255.0.0.

Good Luck, Stian


On Wed, 29 Dec 2004 19:44:38 -0600, Dan Tesch <dan.tesch () comcast net> wrote:
Hello, I am working with an e-commerce company.
They get a fair amount of attempted fraud but do a
decent job at ferreting this out during order processing.

There are several persons who attempt orders over
and over again - we can track their IP and the e-mail
address they attempt to use - we have blocked single
IP's in IIS before but one person in particular keeps
coming back placing small orders (like $40), our
suspicion is they are probing.

I have several questions:

Is there a resource anyone knows of to search for IP's
like this and/or e-mails people consistently use for fraud?
(Google hasn't been any help at all)

The person I referenced before keeps coming from different
IP's but all from the same range (home user with DHCP?)

In IIS if I want to block an entire range like:

XXX.78.0.0 - XXX.83.255.255

how should that look in the IIS Mgr?

do I need to make multiple entries like:
XXX.78.0.0
XXX.79.0.0
XXX.80.0.0, etc.?

and what should the subnet masks look like?

Thanks for any help or reference.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]