How To: Reporting fraudulent, abusive, or otherwise undesirable clients.

MannDude

Just a dude
vpsBoard Founder
Moderator
There are many common sense steps that exist in the form of sensible screening of new orders that go a long way in preventing fraudulent and malicious customers from receiving service. This guide will not touch base with the manual screening and fraud prevention in detail however I will highlight some common sense points below. This guide is more geared towards what to do after you have had the misfortune of providing service to an abusive, fraudulent, or other undesirable customer.

Common red-flags seen during the order screening process that may indicate trouble ahead:

  • IP address of order does not match the location of address provided during sign up.

    There are of course legitimate reasons for this, however it's good to err on the side of caution especially in cases where the orders originate from countries of high risk (Vietnam, Russia, China, Nigeria, etc) and list an address that is less suspicious (United States, Canada, UK, etc). It is worth placing the order on hold and reaching out to the customer for identification in cases like this.

    Residential VPNs and orders being placed from spoofed IPs or infected residential machines are a thing. Recently I witnessed an order placed from a residential IP on the US east coast from a RoadRunner IP. Contact was made less than an hour later from the US west coast, apparently a Comcast connection. The address on file was a residential address in the middle of the country. Is it possible this customer was travelling faster than the speed of sound? Not very likely. Combined with other red flags, the order was tossed aside.
     
  • Obvious fake details. Fake names. Fake addresses. Etc. "Joe Smith" from "12345 New York Ave, New York City, New York State, 12345" with the phone number "555-555-5555" is probably going to be a pain in the ass... You'd be surprised how uncreative some people can be in their order attempts.
     
  • Suspicious pre-sales questions. "How many emails per hour can I send?" is a common one. This off the bat shows that the service will be mainly used for bulk mailing and shows that the customer took zero initiative to even skim your Terms of Service or Acceptable Usage Policy to find the answer themselves. This is commonly requested on shared services, though it's also a pre-sales question that is made for services that may not even have a hard set limit such as on virtual and dedicated servers.

    There are of course legitimate needs for bulk mailing, and there are legitimate reasons why someone would be requesting this. Despite this, it's still a red-flag in my book and worthy of review. Generally those who have legitimate bulk mailing needs are already familiar with what is required to successfully dispatch a large sum of messages or are mentally equipped with reviewing the TOS/AUP.
     
  • Requests such as asking for larger than usual IP blocks, IP spoofing support and other random things such as IPs with specific geolocation data that doesn't match their origin, or IPs from different blocks, are all things worth looking into and should be a red flag and indicator that the customer may be up to no good.
     
  • Nonsensical rDNS requests for larger than average IP allocations are something I have found to be common of spammers and are something seen when reviewing the origin of spam emails (nonsensical hostnames that are just random dictionary words).
     
  • Domain name used in service hostname is not registered, or the WhoIS data reflects different information than what is shown on the order itself.
     
  • Fake looking email addresses. Remember, WHMCS does not require email verification so you can literally sign up for service using '[email protected]' or '[email protected]'... Customers can check the email dispatched to them from your WHMCS install by going to https://your-whmcs-install-url/whmcs/clientarea.php?action=emails and do not need to include a proper email address to register for services.

You can read some additional tips/tid-bits in @Aldryic C'boas' guide:

So, you're now faced with a fraudulent customer. What can you do?

Regardless of whether you screen each individual order or not (most do not), you've discovered you're providing service to a spammer, someone hosting malicious/illegal content, or a general fraudster who has abused your service and has issued a chargeback. What can you do? How can you help make this industry a better and safer place and make it harder for these individuals to find service?

The good news is, you do have options.

FraudRecord - I recently signed up for FraudRecord, and fell in love with it after having searched the database manually to review some suspicious looking orders. My support for the service will become apparent to you when/if you decide to sign up and use it as you will see vpsBoard is now a sponsor of FraudRecord as I personally believe that this is a great and valuable industry resource and would personally like to see more companies use it.

For the sake of this demonstration, I will use two commonly known spammers that were recently mentioned on WebHostingTalk. Both of these individuals have been reported to FraudRecord time and time again and I have no issue with mentioning them here for the sake of demonstration and awareness of how effective of a tool FraudRecord can be.

Ganna Sovgut of Predict Labs: https://www.fraudrecord.com/api/?showreport=f5b521dcdeacdd87

Warren Johnson of Equinox Servers: https://www.fraudrecord.com/api/?showreport=4c724510aaa06ee2

You'll see that many providers have reported these individuals to the FraudRecord database. The hosting companies that utilize the FraudRecord billing module can screen new orders from within WHMCS and then choose to provide or not to provide service based on the client history as reported by their previous hosts. It is also worth reading the comments left by others as not all reports indicate abuse and not all entries indicate the same level of severity of conflict.

FraudRecord is a single tool and by itself will only help prevent malicious clients from gaining service from the companies who utilize it and contribute to its database.

Contacting abuse departments - Another thing you can do is contact the abuse department of the culprit's web host directly. This takes time and is not guaranteed to yield any results as it will rely on the provider being contacted having a properly staffed abuse department that also effectively reads and responds to reported abuse. Most companies' abuse departments are simply reached via email at [email protected]. Be sure to include as many details and as much proof as possible.

Domain Fraud - Got a particularly nasty customer? Do you suspect that they defrauded more than just you, and that their WhoIS registrant information is inaccurate? It's quite possible, and luckily you can express this concern to ICANN using their WhoIS Inaccuracy Complaint Form. ICANN will take action and require additional verification or proof of identity for the domain registrant.

Reporting Phishing / Spam / Virus and other malicious websites - Filing a complaint about a domain name hosting such data is once again made simple by ICANN's online forms. Do not hesitate to report such content to ICANN directly using their online resources.

Other notes

  • Professional spammers who hop around from host to host know how to bypass the basic fraud checks, and they know most providers do not manually review orders. It's your duty as a service provider to screen your orders and ensure you are not servicing such individuals, even if by mistake. While it can be tempting to accept orders you are unsure about, it should be noted that these type of customers do not stick around for the long term and will likely dump you after a short period and can cause you headaches.
     
  • Learn to detect patterns. In the case of the "Ganna Sovgut" / Predict Labs notorious spam ring, patterns were detected that automatic screening would never catch. Things like recycled hostnames and recycled passwords. They will order servers from resellers so it is in your approved reseller's name, not theirs, and the only indicator of it being for them would be the hostname of the machine or the root password supplied, which was consistent with their previous failed order and fraud attempts.
     
  • Does your customer order multiple dedicated servers of the same specs, cancel one, and re-order the exact same configuration again shortly after? This is a pattern consistent with spammers and should be looked into further if detected.

In closing - Be vigilant. This is a vastly lax and unregulated industry and while that is "good" in many ways, it also serves as a breeding ground for spam, scams, fraud and service abuse. That will cost honest providers time and money to clean up after, but even worse, can create havoc and ruin for honest people who fall victim to phishing sites and scams. Do not show mercy with spammers and online fraudsters. These are not good people. They are not customers who will stay with you long term. They will always leave a trail and although there is no shortage of providers in the industry for them to choose from and try next, you do have options in reporting them and making their actions known. Please make it a part of your normal operating procedure to actively report abuse of all forms through the proper channels in an increased effort in combating such activities and to help make this a better industry to work in.
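The screening checks from the opening post (signup IP country versus billing address, obviously fake phone numbers and email addresses, "how many emails per hour" pre-sales questions, and recycled hostnames or root passwords across orders) as one rule-based screener. This is an added example, not vpsBoard's, WHMCS's or FraudRecord's code; the `GEOIP` table stands in for a real GeoIP database, the HMAC key is a constructed placeholder, and every order record is made up for the demonstration.

```python
"""Rule-based screening of new hosting orders (added example, not code from
the thread or from WHMCS/FraudRecord). All orders, hostnames, passwords and
the IP-to-country table below are constructed for the demonstration."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed IP -> country table standing in for a real GeoIP lookup.
GEOIP = {"203.0.113.7": "VN", "198.51.100.9": "US", "192.0.2.44": "RU"}

# Constructed secret. Supplied root passwords are never stored in the clear;
# only a keyed hash is kept so recycled passwords can be matched across orders.
PASSWORD_HMAC_KEY = b"example-key-rotate-me"

FAKE_PHONE = re.compile(r"^(\d)\1{2}-\1{3}-\1{4}$")             # e.g. 555-555-5555
FAKE_EMAIL_LOCAL = re.compile(r"^(test|asdf|abc|qwerty)\d*@", re.I)
BULK_MAIL_QUESTION = re.compile(r"\b(e-?mails?|messages?)\b.*\bper (hour|day)\b", re.I)


@dataclass
class Order:
    order_id: str
    name: str
    email: str
    phone: str
    billing_country: str
    signup_ip: str
    hostname: str
    root_password: str
    presales_note: str = ""


def password_fingerprint(password: str) -> str:
    """Keyed hash of the supplied root password; comparable, but not reversible."""
    return hmac.new(PASSWORD_HMAC_KEY, password.encode(), hashlib.sha256).hexdigest()


class Screener:
    """Keeps a memory of hostnames and password fingerprints seen on earlier
    orders so a resold order can be tied back to a previous attempt."""

    def __init__(self):
        self.seen_hostnames = {}   # lowercase hostname -> order_id
        self.seen_passwords = {}   # password fingerprint -> order_id

    def screen(self, order: Order) -> list:
        """Return the list of red flags raised for this order (empty = clean)."""
        flags = []
        ip_country = GEOIP.get(order.signup_ip, "??")
        if ip_country != order.billing_country:
            flags.append(f"geo-mismatch: IP {ip_country} vs billing {order.billing_country}")
        if FAKE_PHONE.match(order.phone):
            flags.append("fake-phone")
        if FAKE_EMAIL_LOCAL.match(order.email):
            flags.append("fake-email")
        if BULK_MAIL_QUESTION.search(order.presales_note):
            flags.append("bulk-mail-question")

        host = order.hostname.lower()
        prev = self.seen_hostnames.get(host)
        if prev and prev != order.order_id:
            flags.append(f"recycled-hostname from {prev}")
        fp = password_fingerprint(order.root_password)
        prev = self.seen_passwords.get(fp)
        if prev and prev != order.order_id:
            flags.append(f"recycled-password from {prev}")

        # Remember this order so later (possibly resold) orders can be correlated.
        self.seen_hostnames.setdefault(host, order.order_id)
        self.seen_passwords.setdefault(fp, order.order_id)
        return flags


if __name__ == "__main__":
    screener = Screener()
    first = Order("A1", "Joe Smith", "test@example.com", "555-555-5555", "US",
                  "203.0.113.7", "mail1.example.net", "hunter2",
                  "How many emails per hour can I send?")
    second = Order("A2", "Reseller Co", "orders@reseller.example", "212-555-0100",
                   "US", "198.51.100.9", "MAIL1.example.net", "hunter2")
    for order in (first, second):
        print(order.order_id, screener.screen(order))
```

The flags are inputs to a manual review, not an automatic rejection: a geo mismatch alone is often a traveller or a VPN, which is why the post pairs it with the other indicators before tossing an order. Keeping only an HMAC of the root password is what makes the recycled-password check safe to run at all.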
 

drmike

100% Tier-1 Gogent
Maybe they were talking about selling IPs to spammers and getting ranges banged up....
 

MightWeb-Greg

Member
Verified Provider
@MannDude Thanks for the How To article. This is something that I'm adjusting to after launching our VPS product. We had to sign up for maxmind and found fraudrecord to help combat the bad sign ups that we were getting.

I've noticed that some spammers or people that "mass email" want to wait a week or so before they start sending email. I notice that this wasn't in your article so I'm not sure if this is a new tactic or not? I've seen it about 5 different people in the last month. I even had one that did a resolution case with PayPal over me suspending her 2 VPSs. I made sure to report the abusers via the fraudrecord just to make sure others are aware of it.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
@MannDude Thanks for the How To article. This is something that I'm adjusting to after launching our VPS product. We had to sign up for maxmind and found fraudrecord to help combat the bad sign ups that we were getting.

I've noticed that some spammers or people that "mass email" want to wait a week or so before they start sending email. I notice that this wasn't in your article so I'm not sure if this is a new tactic or not? I've seen it about 5 different people in the last month. I even had one that did a resolution case with PayPal over me suspending her 2 VPSs. I made sure to report the abusers via the fraudrecord just to make sure others are aware of it.
Yep, that's not uncommon. Didn't think to add it to the original wall of text but that is also something you will find mentioned in FraudRecord comments as well, that they ordered and did nothing at all for a couple weeks then all of a sudden started spamming.
 

MarkTurner

New Member
Verified Provider
You can also check things like ROKSO for the prolific spammers, also check the signup IP for being a proxy, IP location vs published address, and if you are offering credit card payment check the BIN corresponds with the country of sign up. You can also call the credit card issuer and have them verify the information if you need additional verification. Sometimes they'll make a referral and validate the charge with the card holder if there has been a spate of transactions on that card.

Services like Neustar, PacificEast can also help weed out scammers.
 

winnervps

New Member
Verified Provider
Yep, that's not uncommon. Didn't think to add it to the original wall of text but that is also something you will find mentioned in FraudRecord comments as well, that they ordered and did nothing at all for a couple weeks then all of a sudden started spamming.
Frequently found this MO (modus) ;) I'll try to rate limit port 25 if I find one, for a first contingency step.

Btw, what other providers similar to Maxmind that could protect us?

Well, I found that Maxmind always flagged my country's IP as (risk) 'SPAMMers' as my orders often come directly from my country itself.
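The "order, sit idle for a week or two, then start spamming" pattern that MightWeb-Greg, MannDude and winnervps describe can be spotted after provisioning from per-VPS counts of outbound connections to TCP port 25. The detector below is an added example, not code from the thread or from any provider's tooling; the log lines are constructed (one line per VPS per day, in the made-up format `date vps_id count`), and the thresholds are assumptions to tune against your own fleet.

```python
"""Detect VPSes that were dormant and then burst on outbound port 25 (added
example, not from the thread). Input lines are a constructed daily summary:
'YYYY-MM-DD <vps_id> <outbound port-25 connections that day>'."""
from statistics import mean

QUIET_LIMIT = 20       # <= this many connections/day counts as idle (assumed)
MIN_QUIET_DAYS = 5     # how long a VPS must sit idle before a burst is suspicious
BURST_ABS = 500        # a day at or above this is a burst regardless of baseline
BURST_MIN = 200        # floor below which the ratio rule never fires
BURST_RATIO = 10       # or >= 10x the idle-period average

# Constructed sample: vps-17 sits idle then bursts, vps-22 is a steady legitimate
# mail server, vps-31 ramps up after only two idle days.
SAMPLE_LOG = """\
2015-03-01 vps-17 0
2015-03-02 vps-17 1
2015-03-03 vps-17 0
2015-03-04 vps-17 2
2015-03-05 vps-17 0
2015-03-06 vps-17 0
2015-03-07 vps-17 4800
2015-03-01 vps-22 900
2015-03-02 vps-22 950
2015-03-03 vps-22 880
2015-03-01 vps-31 3
2015-03-02 vps-31 5
2015-03-03 vps-31 60
""".splitlines()


def parse_daily_counts(lines):
    """Group the summary lines into {vps_id: [(day, count), ...]} sorted by day."""
    per_vps = {}
    for line in lines:
        if not line.strip():
            continue
        day, vps, count = line.split()
        per_vps.setdefault(vps, []).append((day, int(count)))
    for series in per_vps.values():
        series.sort()
    return per_vps


def find_dormant_bursts(per_vps, min_quiet_days=MIN_QUIET_DAYS):
    """Return {vps_id: (burst_day, count, idle_days_before)} for every VPS whose
    first day above QUIET_LIMIT, after at least min_quiet_days idle days, is a burst."""
    hits = {}
    for vps, series in per_vps.items():
        idle_counts = []
        for day, count in series:
            if count <= QUIET_LIMIT:
                idle_counts.append(count)
                continue
            baseline = mean(idle_counts) if idle_counts else 0.0
            threshold = max(BURST_MIN, BURST_RATIO * baseline)
            if len(idle_counts) >= min_quiet_days and (count >= BURST_ABS or count >= threshold):
                hits[vps] = (day, count, len(idle_counts))
                break
            # Active but not a burst after dormancy: it is just a busy box.
            idle_counts = []
    return hits


if __name__ == "__main__":
    for vps, (day, count, idle) in find_dormant_bursts(parse_daily_counts(SAMPLE_LOG)).items():
        print(f"{vps}: {count} outbound port-25 connections on {day} after {idle} idle days")
```

A hit is the cue to apply the contingency winnervps mentions (rate limiting port 25 at the firewall) and to review the order, not an automatic suspension; the steady mail server in the sample never accumulates idle days and so is never flagged.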
 

MichaelFindlay

New Member
Verified Provider
I must admit I have started to use FraudRecord to check customers prior to allowing purchases, got two with high scores, one who has proven to be a bit of a pain recently. But the other has been fine. So if he does not cause any issues with myself I may post a more positive report for him. Everyone deserves a second chance and all that!
 

winnervps

New Member
Verified Provider
I must admit I have started to use FraudRecord to check customers prior to allowing purchases, got two with high scores, one who has proven to be a bit of a pain recently. But the other has been fine. So if he does not cause any issues with myself I may post a more positive report for him. Everyone deserves a second chance and all that!
Yes when it comes to FraudRecord, it doesn't really tell us (providers) the 'true' story, indeed. The chance is 50:50 per my experiences. But I still use and respect the results ;)
 