Netblock reassigned from Chile to US ISP...

James Hess mysidia at
Sat Dec 13 08:22:01 UTC 2008

>> On 08.12.13 09:33, Tomas L. Byrnes wrote:
>>> anyone with half a brain blocks proxies from their e-commerce site.
>> can you know at a reasonable confidence level that it's a proxy?
> Give me an IP address (privately, of course). I can tell you if it is, with
> consult from other colleagues in the security community.
> That's almost a no-brainer.

Oh, but can you tell if an IP address is a compromised  workstation or
host of a VPN application that only allows the proxy access to the
Not all proxies are plainly visible.

Geography of an IP address can be a useful heuristic to assist
detection, when most
 transactions attempted from certain regions are bad;  esp. when
combined with other factors

This is a strategy well-known to be probalistic, and thus imperfect
(not every fraud attempt will be noticed by a detector, and there will
be false positives, but probably very few in relation to
the total transaction throughput of say a large online retailer).

E-mail spam filters use imperfect methods like this all the time;
there is no magic check
to prove a message spam or not spam.

Instead,  _many_  randomized spam checks are strung in sequence for
the same message.
And if any one or two checks fail, filters drop the message.

A successful message (or E-commerce transaction)  is one that clears
substantially all spam/
fraud checks.

An in-depth strategy with hundreds or thousands of factors  examined
results in a smaller
(but still present) possibility of the filter/detector being fooled.

IP-based methods can be combined with the other stronger analysis of
transaction details and other info that can be gathered about a
submitter  for detection of attempted abuse.


More information about the NANOG mailing list