It may well be that they're using anonymous proxies.  I know of a couple that 
spread the visiting IP addresses over a wide range of IP addresses, although 
everything does make it back eventually.  Also possible is that they are 
using infected Windows machines and proxies.  

In the case of anonymous proxies, it should be possible to get the full range 
of IP addresses from somewhere and block all access through anonymous proxies 
- serious customers won't waste time going through such proxies, only people 
who really have something to hide go through such proxies.  In the case of 
infected Windows machines, you have a different problem because there are 
millions of such machines which act as spam relays, virus distributors, ...

Keeping in mind that you want to make sales on your site as easy as possible, 
the best I can think of is to create a session cookie for the visitor which 
contains their IP address and check that IP address against one that you have 
stored locally for that session.  If the IP address differs, blow the whistle 
on that visitor.  To conceal that you are checking their IP address, call the 
cookie something like 'SaleID' or 'ItemID' and run the IP address through 
md5sum to get an md5 checksum and use that instead of the IP address itself.  
It won't get all of them, but it will make a difference, and make them have to 
work harder to get around the security on your site.  In a case like this, 
you would also have to keep a database entry of what credit card number came 
from what IP address.  If that card tries and fails more than twice and comes 
from different IP addresses every time, block that card number.

Does Amex keep an online database of stolen/disabled credit cards?  Maybe 
being able to query something like that in real time would be of advantage 
(actually I think some idea like this was presented very early in the 
thread).

At the moment I don't have any other ideas.  Hopefully what I've suggested 
here helps.

best regards
Markus

On Monday 23 August 2004 23:33, Brian Dunning wrote:
> The plot thickens. I added AVS *and* CVM to the site - and the Amex
> orders are still going through. Amex ignores CVM, and the address was
> correct, so the thieves must have gotten ahold of printed statements
> that show the billing address. Any idea how to combat THAT? They are
> using fake IP addresses now so I can't keep up by blocking IPs.
>
> Your clever ideas appreciated.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
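
The session/IP check and the per-card failure rule described in the message above, as an added PHP example that is not part of the original thread. It swaps md5sum for HMAC-SHA256 with a server-side key (a bare hash of an IPv4 address is easy to enumerate), and the function names, the key, the in-memory array standing in for a database table, and the sample addresses and card value are all assumptions.

```php
<?php
// Added example; every name and value here is an assumption, not from the thread.
const SECRET = 'replace-with-random-server-side-key'; // placeholder key

// Keyed fingerprint of an IP address, used as the cookie value.
// HMAC-SHA256 replaces the md5sum suggested in the message.
function ipTag(string $ip): string
{
    return hash_hmac('sha256', $ip, SECRET);
}

// True only if the cookie (e.g. 'SaleID') matches both the IP stored
// server-side for this session and the IP of the current request.
function sessionIpMatches(string $cookieTag, string $storedIp, string $currentIp): bool
{
    return hash_equals(ipTag($storedIp), $cookieTag)
        && hash_equals(ipTag($currentIp), $cookieTag);
}

// Record a failed authorization; the card is kept only as a keyed hash.
// Returns true once the card has failed more than twice, each time
// from a different IP address (the blocking rule in the message).
function recordFailure(array &$failures, string $cardNumber, string $ip): bool
{
    $key = hash_hmac('sha256', $cardNumber, SECRET);
    $failures[$key][] = $ip;
    $ips = $failures[$key];
    return count($ips) > 2 && count(array_unique($ips)) === count($ips);
}

// Constructed sample data: documentation-range addresses and a dummy card value.
$startIp = '192.0.2.10';
$cookie  = ipTag($startIp);            // value that would be sent as 'SaleID'
var_dump(sessionIpMatches($cookie, $startIp, '192.0.2.10'));   // same address
var_dump(sessionIpMatches($cookie, $startIp, '198.51.100.7')); // address changed

$failures = [];                        // stands in for a database table
$blocked  = false;
foreach (['192.0.2.10', '198.51.100.7', '203.0.113.99'] as $ip) {
    $blocked = recordFailure($failures, 'DUMMY-CARD-0001', $ip);
}
var_dump($blocked);                    // state after the third failure
```

Legitimate visitors on mobile networks or behind load-balanced corporate proxies can also change address mid-session, so a mismatch is better treated as a signal for review than as an automatic block.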
