
know thine enemy -- "IP address reputation"

Discussion in 'Black Hat SEO' started by MaDeuce, Dec 3, 2010.

    MaDeuce (Newbie; member since Oct 24, 2008; Austin, TX) wrote:
    I'm a firm believer in disclosing information about myself only when there is a clear and compelling need for the recipient to have the info. Much of what I do online is, therefore, done anonymously and with prepaid credit cards, etc. Recently, I've had a couple of transactions declined, even though I had actually spoken with the service provider. It seems that providers are becoming more and more intrusive, wanting copies of credit cards, driver's licenses, and the like. Sorry -- that ain't happening. It's all an effort on their part to cover their ass, regardless of the personal exposure it creates for me.

    Because of my recent experiences, I decided to do a little research to find out what's going on. I figured I'd share it here, in case anyone is interested.

    One name that kept coming up was MaxMind. So, I checked them out, read their whitepapers, etc. They tout 'Fraud detection through IP address reputation and a mutual collaboration network'. While their focus really seems to be fraud detection/prevention, which is fine with me as I'm not doing anything illegal, the problem it creates is that someone simply wishing to disclose minimal personal information often appears to be, at least in their eyes, potentially engaging in fraud.

    From their site:

    Given the Internet's built-in anonymity and ability to execute transactions from anywhere, authenticating the identity of the customer can be fairly difficult. Traditional tools such as AVS and *** have become less effective since sophisticated fraudsters generally have access to complete credit card information of the individual they are trying to impersonate.


    MaxMind collaborates with websites where users are asked to "self-geolocate" themselves by providing their physical location, which we refer to collectively as user entered data.


    The user's IP address and user entered data are forwarded to MaxMind after all personally identifiable information has been removed to protect the user's privacy. MaxMind then runs millions of these IP location pairs through a series of algorithms that scrub and extrapolate relevant location data. Less tractable IP addresses are manually reviewed resulting in resolutions with 99.8% accuracy on the country level and 93% on the US state level. On top of determining where IP users are coming from, over time, this methodology allows MaxMind to develop a reputation of the IP's usage given its historic activity.

    MaxMind spends considerable resources and uses a variety of methods to identify and track anonymizing proxies. By building on top of GeoIP, MaxMind uncovers anonymizing proxies by analyzing the deviations and irregularities between the transaction data (e.g. billing address), an IP's expected behavior, and other relevant IP information (e.g. ISP, Netblock owner, etc). In addition, MaxMind incorporates several 3rd party data sources that provide additional risk indicators to complement internal analytics used during automated and manual review. Approximately 32% of the highly suspicious transactions flagged by MaxMind come from anonymizing proxies.

    I never use free proxies as they are frequently unreliable and nearly worthless. But this long-term memory for activity sourced from a specific IP could end up creating problems for those who use higher-quality, dedicated proxies.

    Here's where it gets really interesting:

    Rather than building higher walls for individual sites, MaxMind focuses on the development of the minFraud Network, a distributed protection system that allows thousands of participating members to indirectly share non-personally identifiable but relevant fraud information for mutual protection. The minFraud Network complements the data that is being provided through IP reputation. If suspicious behavior is uncovered at one merchant site, changes are made to the minFraud system to protect other merchants within the minFraud Network in real-time.

    MaxMind analyzes and data-mines transactions from the entire network through a series of automated and manual review processes. The review processes incorporate IP reputation and proxy detection analysis, but on a network level rather than at the individual merchant level. Where one merchant may see one transaction over one IP address, MaxMind may see twenty transactions over the same IP from twelve merchants, making it easier to detect suspicious behavior or emerging threats.


    Reputation can be positive or negative depending on inherent and observed historic activity. MaxMind has developed reputation for IP addresses, anonymizing proxies, corporate proxies, online domains, organizations, hashed e-mail, satellite providers, and hosting providers through the analysis of over 100 million historic online transactions.

    What's really interesting (spooky too) is the mention of 'hashed e-mail' in the previous paragraph. So not only are these guys keeping track of activity based on IP, they are keeping track of who is ostensibly conducting the transaction via a hash of your email address. Wow.

    About that hashed email -- they act like this method guarantees that the customer's identity remains confidential. It doesn't. Much like the days when /etc/passwd was world readable and actually had encrypted passwords, all that a nefarious person has to do is to take email addresses that are in the clear, hash them, and then see if the results match any of the hashes that they already have on file. If they get a match, then they know exactly who you are. So much for privacy -- now they know who you are, what you buy, how much you spend, and from whom you buy it.

    So, what does this mean? Clearly, it proves what we've all felt -- that it is becoming harder and harder to remain anonymous on the net. For those of us who take anonymity seriously, it means that the only long-term way to maintain anonymity is through a careful management of the identity/identities used. And by 'careful', I mean really careful -- ensuring that names, user agent, OS, addresses, IP addresses, email addresses, are managed as an entity and that they remain consistent over time. No small task. But that's what makes it all fun anyway.

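An added example (not from the post, and not MaxMind's code) of the hashed-e-mail point made above: an unsalted hash of an address is recovered by anyone who hashes a list of plaintext addresses and looks for collisions, whereas a keyed hash (HMAC with a secret key held by the hashing party) cannot be recomputed from plaintext alone. All addresses and the key below are constructed.

```python
import hashlib
import hmac

# Constructed: the only thing a "privacy-preserving" hash table reveals directly.
STORED_HASH_TABLE_SOURCE = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]

# Constructed: addresses someone holds in the clear from an unrelated source.
PLAINTEXT_LIST = ["Alice@Example.com", "dave@example.com", "bob@example.net"]


def normalise(email: str) -> bytes:
    """Lower-case and strip, as most hashing schemes do before hashing."""
    return email.strip().lower().encode("utf-8")


def naive_hash(email: str) -> str:
    """Unsalted SHA-256: deterministic for everyone who knows the scheme."""
    return hashlib.sha256(normalise(email)).hexdigest()


def match_plaintexts(stored_hashes: set[str], plaintexts: list[str]) -> dict[str, str]:
    """Hash each plaintext address and look it up in the stored table.
    Returns {hash: address} for every hit, i.e. the de-anonymised rows."""
    hits = {}
    for addr in plaintexts:
        h = naive_hash(addr)
        if h in stored_hashes:
            hits[h] = addr.strip().lower()
    return hits


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. Without the key the table cannot be
    rebuilt from a plaintext list, so a leaked table alone is not matchable.
    (Anyone who holds the key can still match; the key must stay secret.)"""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def demo() -> tuple[int, bool]:
    """Returns (rows recovered from the unsalted table,
    whether the unsalted hash equals the keyed hash for the same address)."""
    stored = {naive_hash(e) for e in STORED_HASH_TABLE_SOURCE}
    recovered = match_plaintexts(stored, PLAINTEXT_LIST)
    key = b"constructed-secret-key-held-only-by-the-hashing-party"
    same = naive_hash("alice@example.com") == keyed_hash("alice@example.com", key)
    return len(recovered), same
```

Running `demo()` recovers two of the three stored rows (Alice and Bob, despite the case difference) from a list of only three plaintext addresses, and shows that the keyed hash of the same address does not match the stored value.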