I thought I would post this. A few days ago I noticed a substantial amount of leads coming into my offer. Upon further investigation I saw a lot of these leads had the same IPs.
A number of red flags went off instantly for me.
1) I'm only targeting the US and CA.
2) A lot of these leads used the same IPs.
3) The email addresses were international, i.e. yahoo.com.ar
And the below is just overkill observations, as by this point I knew they were illegitimate leads.
4) None of the leads were from my affiliate tracking software (offerit), they went directly to the website
5) My ESP noticed a 15% increase in Bounced Rates.
6) The IPs didn't match the COUNTRY/STATE
Upon further investigation, it turns out that all the IPs were TOR EXIT NODES. So I went googling and put in place a tor-exit-node block script. This seemed to stop the attacker dead in his tracks. Why he/she was doing this is extremely puzzling, as I do not pay out on leads, only sales. I can only surmise an affiliate must have spammed him (which I have no control over), then he decided to insert an ANTI LIST into my system in the hopes that my guys would contact them or email them. He could have at least used private socks instead of publicly available tor-exit-node IPs. Rookies, I tell you....
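=================torblock.sh=============
#!/bin/bash
# Block every Tor exit node that can reach this host.
# Usage: ./torblock.sh <public IP of this server>
if [[ -z "$1" ]]; then
    echo "Usage: $0 127.0.0.1"
    exit 1
fi
hostip=$1
# Fetch the bulk exit list for $hostip and keep only lines that look like IPv4 addresses.
for i in $(wget "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$hostip" -O- -q |
    grep -E '^[[:digit:]]+(\.[[:digit:]]+){3}$'); do
    # Append one DROP rule per exit node.
    sudo iptables -A INPUT -s "$i" -j DROP
done
=================torblock.sh=============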
The guy inserted about 3,000k anti list. Some of the email addresses were:
abuse@alibaba-inc.com
admin@limestonenetworks.com
abuse@ip.telmexchile.cl
postmaster@esmt1.com.ar
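
A variant of the blocking step in torblock.sh, as an added example that is not part of the original post: because `iptables -A` appends a fresh copy of every rule on each run, this version turns the exit list into `ipset restore` input so the whole list is swapped in atomically and matched by a single rule. The set names `tor-exit` and `tor-exit-new` and the sample addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from a Tor exit list on stdin.
# Apply:  tor_ipset_restore < exit-list.txt | sudo ipset -exist restore
# Rule:   sudo iptables -I INPUT -m set --match-set tor-exit src -j DROP
SET=tor-exit        # live set referenced by the iptables rule (assumed name)
TMP=tor-exit-new    # staging set, swapped into place at the end (assumed name)

# Succeed only for a strict dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Read an exit list on stdin, write ipset restore commands on stdout.
tor_ipset_restore() {
    echo "create $SET hash:ip family inet"
    echo "create $TMP hash:ip family inet"
    echo "flush $TMP"              # discard leftovers from an aborted run
    tr -d '\r' | while IFS= read -r line; do
        # Comments, blank lines and malformed entries are skipped.
        if valid_ipv4 "$line"; then
            echo "add $TMP $line"
        fi
    done | LC_ALL=C sort -u        # a duplicate address is added only once
    echo "swap $TMP $SET"          # atomic replacement of the live set
    echo "destroy $TMP"
}

# Constructed sample input (documentation-range addresses, not real exit nodes).
sample_list() {
    printf '%s\n' '# header comment' '192.0.2.10' '198.51.100.7' \
        '192.0.2.10' '999.1.1.1' '203.0.113.5 extra' ''
}

sample_list | tor_ipset_restore
```

Run from cron, each refresh replaces the previous list instead of stacking new rules on top of it, and exit nodes that have left the list stop being blocked.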