Good Carder
Hello, carders! Today I want to touch on the topic of IP addresses in your work. I thought everything had been covered long ago, but newbies still have questions and problems. We'll figure out why IP is so important, how systems detect it, and how to minimize the risks.
IP is your digital passport. You can change browsers, clear cookies, play Canvas — but a bad IP is like a date with a girl: the first milliseconds decide whether she wants to hook up with you or you'll remain a sweetheart and get a cancellation pass to second base. In anti-fraud systems, IP is checked first because it provides a wealth of information about you: where you're from, how you connect, and even your activity history. Ignoring this means risking your entire order.
How do they detect IP? Basic detection methods
1) ASN tag:
Anti-fraud looks at where the traffic is coming from. An ASN (Autonomous System Number) is the number of the autonomous system that manages a block of IP addresses. Addresses from data centers (server IPs, such as those from AWS, Google Cloud, DigitalOcean, and other VPS/hosting providers) carry a higher risk because they are often used by automated scripts, bots, and scammers. Residential providers (like Comcast, Verizon) and mobile providers (AT&T, T-Mobile) are usually perceived neutrally or even positively because they are associated with real users.
We need to look like the majority of real users, blend in, and not stand out.
Use residential (home) and mobile IPs. Residential proxies are IPs from real users that are rented out. They look like home internet. Mobile proxies are 4G/5G-capable, dynamic, and change frequently.
2) Geo Mismatch:
If the IP address indicates that the user is connecting from, say, Paris, but the profile/order indicates Chicago and a local number, the algorithms won't appreciate it: location inconsistencies are a common risk indicator. GeoIP databases (like MaxMind GeoIP2) determine the country, city, and even the ZIP code based on the IP address. If the card is from the US, the delivery address is New York, and the IP address is from Los Angeles, this is a typical example of a mismatch. Systems like Sift or Riskified integrate these databases and compare data.
Your IP address must be at least in the same country and city where you're placing your order. For particularly demanding shops, even distance by zip code plays a role.
3) TZ Mismatch, Time Mismatch:
Time and time zone are also analyzed: if an order is placed at 3:00 AM local time, but the IP address indicates daytime in a different zone, this is also cause for a flag — as is a discrepancy between the IP address and the time set in the system. Such discrepancies may result in a decline or manual verification.
Be sure to set not only the time but also the time zone under the IP address. This information is transmitted via the browser and is a fairly common error due to laziness and inattention. Even if the system is configured for New York and you purchased NY Socks from a service, go and check; sometimes Socks rental services specify the geolocation incorrectly or use outdated databases.
4) Proxy detection databases:
There are services that sell ready-made databases of "dirty" proxies. These databases collect IP addresses known as proxy, VPN, or Tor exits.
Services like IPQS, FraudGuard, or ProxyCheck scan for open ports (80, 8080, 3128), check headers (Via, X-Forwarded-For), and even test for anonymity. If an IP is in such a database, the risk increases. For example, you bought SOCKS5, and it's already in the IPQualityScore database. The antifraud software detects it and adds additional flags.
If you use a proxy, check the date the IP was added; more recent ones are less likely to be blacklisted. Check your IP through sites like ipqualityscore.com before using. Avoid free ones — they're already in databases, and you'll spend more time searching for a working sock than actually working on it.
5) IP reputation:
If this address has experienced chargebacks or fraudulent transactions, it lights up red.
Reputation is built on history. Services like Spamhaus, AbuseIPDB, or IPReputation store data on spam, attacks, fraud, and even refunds. If an IP has experienced a chargeback, a card rejection, or a spam complaint, its score drops. It's like a credit history: one mistake, and your credibility plummets.
You successfully submitted an order, but the cardholder filed a chargeback. The IP shows up in the payment processor's database (Stripe). The next order from this IP is a direct path to a decline, even if you hit a different shop with different merch; they exchange this information.
When you place an order in a shop, change your IP. It doesn't matter whether the order was successful or not. Use the same IP for each action.
I mentioned the basics, but anti-fraud systems evolve. Here are some other factors that beginners often overlook.
IP Velocity: Anti-fraud systems track how many requests or transactions come from a single IP in a short period of time. If your IP makes 10 orders in different shops in an hour, that's a red flag.
The average user doesn't make a ton of purchases at once. Velocity checks are limits: for example, no more than 3 transactions per hour from a single IP.
For example, you're testing cards on several shops using a single proxy. The system detects this and blocks everything.
Don't use a single IP for bulk operations. Rotate addresses to reduce the frequency of requests from a single IP. Set delays between actions (5-10 minutes). For automation, use scripts with proxy rotation.
Tor and VPN: Using Tor or well-known VPN services (NordVPN, ExpressVPN, etc.) immediately raises suspicion. Anti-fraud systems have lists of IPs associated with these services. If you need a VPN, choose lesser-known services with residential IPs or buy configs from forum sellers. Tor nodes are public, and websites easily detect exit nodes and cancel them or send them for verification.
IP History: Some systems store months of IP activity history. If an IP has been used for suspicious activity (for example, login attempts with an incorrect password or multiple card refusals), it may be marked as risky. Databases like MaxMind minFraud store events: logins, purchases, refusals. If your history is "dirty", you can easily get into trouble even if everything else is perfect.
If you use VPN configs at work, give them a break when changing accounts and check your IP reputation using services like IPQS or MaxMind.
Device-IP Binding: Antifraud links an IP address to a device fingerprint (browser, OS, screen). If a device changes its IP address too frequently, it's suspicious.
Use anti-detection tools, randomize your configurations. If you use portable browsers, change your screen resolution and plugins.
IPv6: gives trackers more stable, unique identifiers, and earlier implementations could even reveal the device's MAC address.
!Use standard IPv4, it doesn't increase fraud rates but provides more anonymity and makes it harder for them to detect you.
Anti-fraud is built not on a single solution, but on a combination of several systems and data sources to reduce the risk of false positives and improve efficiency. In addition to anti-fraud processing (Stripe, Adyen, CloudPayments, etc.), there are internal and external blacklist databases:
- Internal: Client blacklist, IPs exposed in fraud, chargeback abusers. Shops store their data: if an IP was involved in fraudulent orders, it is permanently banned.
- External: Spamhaus (spam IPs), FraudScore (fraud scoring), IPQS (proxy detection), proxy/VPN detection, compromised card databases. These are updated daily.
- Third-party anti-fraud services: Riskified (ML-based), Forter (real-time analysis), Sift (behavioral analytics), MaxMind (GeoIP and minFraud). They aggregate data from thousands of sources.
They all look at your IP address, and every little detail can give you away. For example, ML models in Sift analyze patterns: if the IP changes but the device stays the same, it's fraud.
Useful links:
- whoer.net
- vytal.io/scan
- ip-score.com
- webbrowsertools.com/timezone/
- ipqualityscore.com/free-ip-lookup-proxy-vpn-test/
- getipintel.net/free-proxy-vpn-tor-ip-lookup/#web
- pixelscan.net/ip
- fv.pro
- browserscan.net
- antcpt.com/eng/information/demo-form/recaptcha-3-test-score.html
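Added example, not part of the original post: a merchant-side sketch of how the IP signals described above (ASN type, geo and time-zone mismatch, per-IP velocity, device-to-IP churn) become risk flags on an order. The class, field and flag names and the device threshold are assumptions; GeoIP and ASN lookups are taken as already done upstream, and the sample orders are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Order:
    ts: int             # epoch seconds
    ip: str
    device: str         # device fingerprint id
    ip_country: str     # GeoIP lookup result (assumed done upstream)
    ip_tz: str          # time zone implied by the GeoIP record
    ship_country: str
    browser_tz: str     # time zone reported by the browser
    asn_type: str       # "hosting", "residential" or "mobile"

class IpRiskScorer:
    WINDOW = 3600            # one hour, in seconds
    MAX_PER_IP = 3           # the post's example velocity limit
    MAX_IPS_PER_DEVICE = 2   # assumed threshold for this sketch
    def __init__(self):
        self.by_ip = defaultdict(deque)      # ip -> (ts,) tuples
        self.by_device = defaultdict(deque)  # device -> (ts, ip) pairs
    def _recent(self, q, item, now):  # append, then evict entries outside the window
        q.append(item)
        while q[0][0] <= now - self.WINDOW:
            q.popleft()
        return q
    def score(self, o):
        flags = []
        if o.asn_type == "hosting":
            flags.append("datacenter_asn")
        if o.ip_country != o.ship_country:
            flags.append("geo_mismatch")
        if o.ip_tz != o.browser_tz:
            flags.append("tz_mismatch")
        if len(self._recent(self.by_ip[o.ip], (o.ts,), o.ts)) > self.MAX_PER_IP:
            flags.append("ip_velocity")
        seen = self._recent(self.by_device[o.device], (o.ts, o.ip), o.ts)
        if len({ip for _, ip in seen}) > self.MAX_IPS_PER_DEVICE:
            flags.append("device_ip_churn")
        return flags

def run_sample():
    """Constructed orders (documentation IP ranges), scored in time order."""
    ny = ("US", "America/New_York", "US", "America/New_York", "residential")
    orders = [Order(t, "203.0.113.10", "devA", *ny) for t in (0, 600, 1200, 1800)]
    orders.append(Order(4000, "198.51.100.7", "devB", "FR", "Europe/Paris", "US", "America/Chicago", "hosting"))
    orders += [Order(4100, "192.0.2.5", "devA", *ny), Order(4200, "192.0.2.6", "devA", *ny)]
    scorer = IpRiskScorer()
    return [scorer.score(o) for o in orders]
```

In production these flags would feed a weighted score alongside reputation and proxy-list lookups rather than trigger a decline on their own.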