Deterring Fraudulent Use

I'm interested in reducing fraudulent and malicious use of our servers. What policies have you all seen to be most effective at reducing malicious activity, while supporting and improving service for legitimate users?

I've had wannabe clients be so fucking brazen as to ask me if I had any email lists I'd sell them with their server! (Instant block) But is there an intelligence sharing organization perhaps, that other providers can feed in to in order to keep spammers/flooders off our networks?

Comments

  • SplitIce Member, Provider

    FraudRecord

    X4B - DDoS Protection: Affordable Anycast DDoS mitigation with PoPs in the Europe, Asia, North and South America.
    Latest Offer: Brazil Launch 2020 Offer
  • Sounds like you're sending out a sketchy vibe.

  • @TimboJones said:
    Sounds like you're sending out a sketchy vibe.

    How so?

  • deank Member, Troll

    Because flies generally flock to poop.

    I have not created a single thread. Verify it if you dare.

  • @UnrealServers said:

    @TimboJones said:
    Sounds like you're sending out a sketchy vibe.

    How so?

    Someone offers to sell you coke once, you think, that's just them. When many people offer to sell you coke, it's you looking like a coke head.

  • Guys, be nice to @UnrealServers !
    I got an awesome BF deal from them a few years back and they have been as solid as a rock.


    Long live LowEndInfo.com

  • hostworld Member, Provider

    @UnrealServers said:
    I'm interested in reducing fraudulent and malicious use of our servers. What policies have you all seen to be most effective at reducing malicious activity, while supporting and improving service for legitimate users?

    FraudRecord - https://www.fraudrecord.com

    Then maybe use something additional on top like MaxMind or FraudLabs for automatic verification.

    hostworld.uk - Web Hosting, Reseller Hosting, NVMe SSD VPS, Dedicated Servers & Domains. UK & US data centres & 24/7 UK support.

  • stefeman Member

    @deank said:
    Because flies generally flock to poop.

    Ahh, no wonder that all the DDoS boxes and abusive portscans come from digitalocean servers then.

  • Hassan Member, Provider

    You gotta stop accepting shady orders. Use MaxMind or FraudRecord and actually respect the results. If you pay attention, you'll start seeing patterns with the clients that are either doing fraud or spamming. Similar generated names/addresses, high risk countries, shady hostnames that are obviously spam, requests for a shit ton of IPs, etc.

  • @deank said:
    Because flies generally flock to poop.

    It certainly feels, from what experience I've had so far in this industry, like they flock to low end hosting

    @Hassan said:
    You gotta stop accepting shady orders. ................. start seeing patterns with the clients that are either doing fraud or spamming. Similar generated names/addresses, high risk countries, shady hostnames that are obviously spam, requests for a shit ton of IPs, etc.

    We pretty much assume all name/address info given by signups is useless bullshit. For us to make decisions on high risk countries, would we not first need to verify the truthfulness of the country provided by verifying an ID or something first? I feel like that would end even legitimate sales.

    Requesting "ips in as many different subnets as we have" and requesting RDNS for every IP they have all with subdomains of the same domain that were clearly picked at random from /usr/share/dict/words, none of which have a working website or unsubscribe button.

    I've ended the notion of discounting IPs in quantity.

    I've raised the requirements pretty damn high now to get RDNS with us.

    I'd really like to start requiring some sort of a deposit, or pay for your 6th/12th month up front. The ToS violators seldom last more than 2mo.

    I've heard some pretty bullshit requests/excuses, and we don't accept clearly shady clients. I don't want to give a hard time to legit clients who happen to have a weird project though.

    The word 'shady' is not going to appear in our ToS any day soon as it's near impossible to quantify/define.

    And frankly, I wouldn't mind letting a "shady" client purchase, and cancel them an hour after they log in for ToS violations and keep their money. It'd send the message amongst their scammer buddies that we're a terrible bargain, and we'd get to skim a little profit off them too. It wouldn't bother me at all to wreck them by them placing some big order, sending spam for 60 seconds, and cutting them off without a warning.

    I guess I want the deterrent to be more of 'they don't want to come here because word on the street is they will regret it' than 'we detect or predict abuse and stop/prevent it'.

    We're using MaxMind, and I'm going to look into FraudRecord. I like the idea of gathering intel on violators and sharing it with other providers.

  • jar Provider
    edited July 10

    FraudRecord, MaxMind, and in general be such a jerk to the worst of them that they remember. Being a jerk can include using PayPal billing agreements or credit cards and charging them really large sums for intentional abuse. You need to be able to tell intentional from unintentional with no margin for error, you can NEVER do this to a legit client, only a career spammer. You'd skip doing it if you had any doubt.

    Often they share information in hidden places about how usable your service is for their needs, and they come back under different identities if they find you to be hospitable to their needs, even if it just means they stay online long enough to profit from the account.

    But when you bill them $1,000 for the abuse, they don't recommend you to friends. They might lie about you in reviews though, but the worst offenders just disappear silently.

  • deank Member, Troll

    Once you get used to poop, you will know which ones send alarms.

    The flies aren't that creative, so you just need to learn the patterns.


  • I'd hope that you don't accept orders from VPNs, as a minimum.
    Just don't get too draconian. ;) Much as I really like Frantech's service the "fraud detector" is over-zealous, IMO, and contradictory at times.
    I'm sure by now you'll have recognised where the main problem countries are, though there are plenty of home-grown (USA) idiots.


  • deank Member, Troll

    Frantech empire is evil is what you are saying?

    The empire will strike back.



  • I've billed several for abuse before, amounts more modest than $1000. And it never gets paid. Without fail they use prepaid visas or limited paypal accounts.

  • @deank Shh, wisnae me, didn't say a word. >:)


  • seriesn Member, Top Provider

    Manual verification + FraudRecord + FraudLabs + Common sense/Gut feelings.

    I am super picky with who I and my company choose to do business with, and at the first sign of "intentional" abuse (you will know those ;) ), it is a straight termination.

    If we don't accept the order, it is a straight refund. At random, one or two may get accepted. If we do accept it and you choose to really ignore my ToS, hasta la vista to your service and money. Have fun disputing because we have won every single one of those disputes. There's a big difference between a hacked server and a hacking server.

    We do have a 4 step internal verification system to weed out the bad ones.

    I/we try our best to ensure our family members aren't sharing their resources with criminals.

    TL;DR: Go with your gut feeling.

  • HyperK9 Member

    I use FraudRecord, FraudLabs Pro, and sometimes Stripe, which also has an opt-in anti-fraud system.
    If an order does not pass this and is marked as fraud, we may ask for ID or why they are using a VPN etc., or we will just give a refund if they have already paid.

  • SplitIce Member, Provider

    @stefeman said: Ahh, no wonder that all the DDoS boxes and abusive portscans come from digitalocean servers then.

    I've seen far more from AWS than DigitalOcean. In fact I suspect any higher than average statistic for DigitalOcean abuse would likely be from their early market of people looking to learn (and not necessarily understanding the importance of good SSH passwords or security in general yet).

  • AWS makes it very easy to programmatically roll out nodes. So I would expect spammers to flock to that.

    I know when I instituted strong, unique, random PWs on all new orders, we saw a marked decrease in ssh probes across our whole ip range! Someone was watching... They're always watching.....

    @SplitIce Is FraudReport's plugin supposed to make a 'report' button appear in whmcs' client view? I see the UI on new orders. But most of the bad encounters we have happen after we've given them a server. I'd feel uncomfortable reporting someone as a spammer / ddoser before I've actually witnessed spam from their node and by that time the order screen is long gone.

  • Katamaze Member

    From my experience fraud protection services like MaxMind and FraudLab are more or less useless. They work like anti-spam but unlike anti-spam their accuracy is very poor. It's a risk-score based system after all. The only thing they can get with 100% accuracy is a guy placing an order from China registering as US.

    The real problem is real people placing orders with stolen credit cards, ID cards and PayPal accounts from decent IPs. The problem here is that you end up issuing invoices for fraudulent orders and God knows what it takes to reverse them :|

    In my opinion next to CAPTCHA and fraud protection services you should postpone the issuing of invoices for new customers. This way you don't have to deal with billing problems (it takes a lot of time) but just with frauds.

  • @Katamaze said: ...you should postpone the issuing of invoices for new customers.

    Seems like a reasonable scheme to me.


  • @Katamaze said:
    you should postpone the issuing of invoices for new customers.

    Do you mean require completed payment for all new customers? Or stop accepting new customers? Or something else?

    As it is, we don't lift a finger on an order until payment is received. The fraud I want to report is when someone rents a box here and uses it maliciously.

    My hope is that by doing so and reporting their identifiers, I can save others and myself the headache of them returning. Maybe add a term to our ToS that if they do return under a false or different name they forfeit their payment by doing so, and then we don't have to wait for them to get caught doing something nasty when they come back.

  • Katamaze Member
    edited July 14

    @UnrealServers said: Do you mean require completed payment for all new customers? OR stop accepting new customers? Or something else?

    Nah. That's not about payment but invoicing. Normally any panel like WHMCS issues an invoice as soon as the payment is received.

    Let's suppose you received a fraudulent order for 250 euro. WHMCS (or any other system) will issue an invoice of 250 euro (subtotal + VAT). A few hours/days later you realize that the payment came from a stolen credit card or PayPal account. Now you have to face 3 problems.

    First. You have to manually terminate, suspend or cancel all products/services involved. Second. If the order included domain registrations, you are f***ed. You can't get your money back.

    What most people ignore is that there's a third problem that can turn out to be bigger than the previous ones depending on various things (e.g. your country, tax rules and e-invoicing).

    You can't just change the status of the invoice in question from "Paid" to "Cancelled", "Fraud" or whatever you want. An invoice once issued can't be altered. Moreover your accountant and Revenue Agency strictly need a credit note to reverse the payment.

    If you don't issue a credit note (WHMCS doesn't even know what a credit note is), you're still paying taxes on a payment of 250 euro that you have never received. It sucks!

    That said, don't be tricked into thinking that you can solve everything by issuing credit notes. A company that issues too many credit notes looks very suspicious to the Revenue Agency, so you could attract unwanted attention.

    As you can see, fraudulent orders can be more dangerous than expected. If you want to entirely avoid this mess, the key is to postpone the issuing of invoices for new customers. Most countries allow you to delay the invoice up to 1 month. This way you don't risk creating an invoice for a fraudulent order that will require the issuing of a credit note.

  • jackb Member, Provider
    edited July 14

    @Katamaze said:
    If you want to entirely avoid this mess, the key is to postpone the issuing of invoices for new customers.

    That invites a worse problem: the spammers and skids realise that you are an easy target that they can abuse without even making a payment.

    The only way you will get a reduction in people trying to abuse your services is by having a difficult barrier to entry (thorough manual screening of orders from new customers) and be ruthless when you are certain someone has abused your services.

    If your local rules mean more paperwork I think that's a better outcome than more spammers and skids.


    Afterburst - Awesome OpenVZ&KVM VPS in US+EU

  • :popcorn:


  • Katamaze Member
    edited July 14

    @jackb said: That invites a worse problem: the spammers and skids realise that you are an easy target that they can abuse without even making a payment.

    I don't see how postponing invoices makes you an easy target. Lamers don't give a damn about invoicing.

    I'm saying that next to CAPTCHA and anti-fraud services your last line of defense MUST protect you from billing nightmares.

    Fraudulent orders cost you both money and time. Reversing invoices based on fraud payments by issuing credit notes is a time-consuming process. If you don't handle them properly you double your losses:

    1) When chargebacks occur
    2) At the end of the year when you pay taxes based on money you never received. Imagine your yearly revenue is 100k + VAT that includes 5k of fraudulent payments... why should you pay taxes on 5k?

  • jackb Member, Provider
    edited July 15

    @Katamaze said:

    @jackb said: That invites a worse problem: the spammers and skids realise that you are an easy target that they can abuse without even making a payment.

    I don't see how postponing invoices makes you an easy target. Lamers don't give a damn about invoicing.

    The way you worded it made it sound like you activated new customers, waited a couple of weeks to be sure they're legit then invoiced them. That approach is risky because it lowers the barrier of entry to making a realistic looking fake name and address. There's plenty of skids who are capable of that, that haven't yet escalated to CC fraud.

    Perhaps what you meant is you only invoice them after manual review, and then activate after payment (with further manual review on the payment)? That should work.



  • @jackb said: Perhaps what you meant is you only invoice them after manual review, and then activate after payment (with further manual review on the payment)?

    I assumed that. A fair bit of initial work, to save future hassle.


  • SplitIce Member, Provider

    @Katamaze said: You can't just change the status of the invoice in question from "Paid" to "Cancelled", "Fraud" or whatever you want. An invoice once issued can't be altered. Moreover your accountant and Revenue Agency strictly need a credit note to reverse the payment.

    That's country-specific. In Australia, for example:

    "you need a valid adjustment note before you can make a decreasing adjustment, unless the adjustment is for GST of $75 or less." That means a payment of $750 ex or higher.

  • Katamaze Member

    @jackb said: Perhaps what you meant is you only invoice them after manual review, and then activate after payment (with further manual review on the payment)? That should work.

    Yes ;)

  • HostEONS Member, Provider

    If you are concerned just about spammers, disable the SMTP port on all your nodes and enable it on request after manually reviewing it, and also make sure your TOS/AUP clearly states that you may block the SMTP port with or without reason.

    It's not difficult to identify spammers. By doing this we hardly ever get any spam complaints.

    hostEONS - SSD KVM &OpenvZ VPS (FUSE, DOCKER, TUN/TAP Supported) | cPanel Web Hosting | VPS Locations: Los Angeles (Psychz and Internap), New York (Internap) | Free Blesta License | Latest Offer
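The "closed by default, opened per reviewed request" SMTP policy described above, as an added example that is not part of the thread or of any provider's own tooling: a Python helper that renders an nftables ruleset from a manually maintained allowlist of guest IPs and triages the kernel log lines that ruleset emits, so a burst of blocked port-25 attempts from a box that never asked for SMTP stands out. The table and set names, log prefix, interface names and every address are constructed assumptions; the forward hook assumes routed or bridged guests whose traffic the host's netfilter sees.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist (hypothetical guest IPs): customers who asked for SMTP and were reviewed by hand.
ALLOWED_SMTP_SOURCES = ["203.0.113.44", "203.0.113.10"]

# nftables ruleset on the host's forward path; only the allowlist set changes between customers.
NFT_TEMPLATE = """\
table inet smtp_egress {{
    set smtp_allowed {{
        type ipv4_addr
{elements}    }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ip saddr @smtp_allowed tcp dport 25 accept
        tcp dport 25 limit rate 10/minute log prefix "SMTP-BLOCK "
        tcp dport 25 reject with tcp reset
    }}
}}
"""

def build_ruleset(allowed):
    """Render the ruleset; each entry must parse as IPv4 (ValueError otherwise), duplicates collapse."""
    addrs = sorted({str(ipaddress.IPv4Address(a)) for a in allowed},
                   key=ipaddress.IPv4Address)
    elements = f"        elements = {{ {', '.join(addrs)} }}\n" if addrs else ""
    return NFT_TEMPLATE.format(elements=elements)

# Kernel log lines written by the "SMTP-BLOCK" log statement above; only SRC= and DPT= matter for triage.
LOG_RE = re.compile(r"SMTP-BLOCK .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dport>\d+)")

def blocked_smtp_sources(log_lines, threshold=3):
    """Count blocked port-25 attempts per guest IP; return those at or above threshold, busiest first.
    One hit is usually a stray cron mailer; a burst from a box that never asked for SMTP is worth a look."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dport") == "25":
            counts[m.group("src")] += 1
    return [(src, n) for src, n in counts.most_common() if n >= threshold]

# Constructed sample log (hypothetical addresses), not captured from a real host.
SAMPLE_LOG = [
    "Jul 14 10:01:02 node1 kernel: SMTP-BLOCK IN=vmbr0 OUT=eth0 SRC=203.0.113.77 DST=198.51.100.25 PROTO=TCP SPT=51234 DPT=25",
    "Jul 14 10:01:03 node1 kernel: SMTP-BLOCK IN=vmbr0 OUT=eth0 SRC=203.0.113.77 DST=198.51.100.26 PROTO=TCP SPT=51235 DPT=25",
    "Jul 14 10:01:03 node1 kernel: SMTP-BLOCK IN=vmbr0 OUT=eth0 SRC=203.0.113.77 DST=198.51.100.27 PROTO=TCP SPT=51236 DPT=25",
    "Jul 14 10:02:00 node1 kernel: SMTP-BLOCK IN=vmbr0 OUT=eth0 SRC=203.0.113.90 DST=198.51.100.25 PROTO=TCP SPT=40001 DPT=25",
    "Jul 14 10:02:30 node1 kernel: OTHER-LOG IN=vmbr0 OUT=eth0 SRC=203.0.113.90 DST=198.51.100.25 PROTO=TCP SPT=40002 DPT=587",
]

if __name__ == "__main__":
    print(build_ruleset(ALLOWED_SMTP_SOURCES))
    print(blocked_smtp_sources(SAMPLE_LOG))
```

Submission ports (465/587) are deliberately left alone here, since they require authentication to a relay and are what legitimate customers use; only unauthenticated direct-to-MX traffic on port 25 is gated.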
