Ban me at the IP level if you don't like me

We solved a lot of our problems by blocking all Chinese ASNs. Admittedly, not the friendliest solution, but there were so many issues originating from Chinese clients that it was easier to just ban the entire country.

It's not like we can capitalize on commerce in China anyway, so I think it's a fairly pragmatic approach.

Why stop there? Just block all non-US IPs!

If it works for my health insurance company, essentially all streaming services (including not even being able to cancel service from abroad), and many banks, it’ll work for you as well.

Surely bad actors wouldn’t use VPNs or botnets, and your customers never travel abroad?

Don't care, works fine for us.

And across the water, my wife has banned US IP addresses from her online shop once or twice. She runs a small business making products that don't travel well, and would cost a lot to ship to the US. It's a huge country with many people. Answering pointless queries, saying "No, I can't do that" in 50 different ways and eventually dealing with negative reviews from people you've never sold to and possibly even never talked to... Much easier to mass block. I call it network segmentation. She's also blocked all of Asia, Africa, Australia and half of Europe.

The blocks don't stay in place forever, just a few months.

I'm not precisely sure the point you're trying to make.

In my experience running rather lowish traffic(thousands hits a day) sites, doing just that brought every single annoyance from thousands per day to zero.

Yes, people -can- easily get around it via various listed methods, but don't seem to actually do that unless you're a high value target.

There's some weird ones you'd never think of that originate an inordinate amount of bad traffic. Like Seychelles. A tiny little island nation in the middle of the ocean inhabited by... bots apparently? Cyprus is another one.

Re: China, their cloud services seem to stretch to Singapore and beyond. I had to blacklist all of Alibaba Cloud and Tencent and the ASNs stretched well beyond PRC borders.

Google Shopping might be to blame here, and I don't at all blame the response.

I say that because I can't count how many times Google has taken me to a foreign site that either doesn't even ship to the US, or doesn't say one way or another and treat me like a crazy person for asking.

And that's perfectly fine. Nothing is completely bulletproof anyway. If you manage to get rid of 90% of the problem then that's a good thing.

As long as your customer base never travels and needs support, sure, I guess.

The only way of communicating with such companies are chargebacks through my bank (which always at least has a phone number reachable from abroad), so I’d make sure to account for these.

The percentage of US trips abroad which are to China must be minuscule, and I bet nobody in the US regularly uses a VPN to get a Chinese IP address. So blocking Chinese IP addresses is probably going to have a small impact on US customers. Blocking all abroad IP addresses, on the other hand, would impact people who just travel abroad or use VPNs. Not sure what your point is or why you're comparing these two things.

And if your competitor manages to do so without annoying the part of their customer base that occasionally leaves the country, everybody wins!

Block Russia too, thats where i see most of my bot traffic coming from

If you are traveling without a vpn then you are asking for trouble

The Seychelles has a sweetheart tax deal with India such that a lot of corporations who have an India part and a non-India part will set up a Seychelles corp to funnel cash between the two entities. Through the magic of "Transfer Pricing"[1] they use this to reduce the amount of tax they need to pay.

It wouldn't surprise me if this is related somehow. Like maybe these are Indian corporations using a Seychelles offshore entity to do their scanning because then they can offset the costs against their tax or something. It may be that Cyprus has similar reasons. Istr that Cyprus was revealed to be important in providing a storefront to Russia and Putin-related companies and oligarchs.[2]

So Seychelles may be India-related bots and Cyprus Russia-related bots.

[1] https://taxjustice.net/faq/what-is-transfer-pricing/#:~:text...

[2] Yup. My memory originated in the "Panama Papers" leaks https://www.icij.org/investigations/cyprus-confidential/cypr...

You think all streaming services have banned non US IPs? What world do you live in?

It definitely works, since you’re externalizing your annoyance to people you literally won’t ever hear from because you blanket banned them based. Most of them will just think your site is broken.

There is a Chinese player that has taken effective control of various internet-related entities in the Seychelles. Various ongoing court-cases currently.

So the seychelles traffic is likely really disguised chinese traffic.

Yes, and I’m arguing that that’s due to companies engaging in silly pseudo-security. I wish that would stop.

Chargebacks aren't the panacea you're used to outside the US, so that's a non-issue.

This is based on personal experience. At least two did not let me unsubscribe from abroad in the past.

It is not silly pseudo-security, it is economics. Ban Chinese, lower your costs while not losing any revenue. It is capitalism working as intended.

Not letting you unsubscribe and blocking your IP are very different things.

There are some that do not provide services in most countries but Netflix, Disney, paramount are pretty much global operations.

HBO and peacock might not be available in Europe but I am guessing they are in Canada.

its not weird .its companies putting themselves in places where regulations favor their business models.

it wont be all chinese companies or ppl doing the scraping. its well known that a lot of countries dont mind such traffic as long as it doesnt target themselves or for the west also some allies.

laws arent the same everywhere and so companies can get away with behavior in one place which seem almost criminal in another.

and what better place to put your scrapers than somewhere where there is no copyright.

russia also had same but since 2012 or so they changed laws and a lot of traffic reduced. companies moved to small islands or small nation states (favoring them with their tax payouts, they dont mind if j bring money for them) or few remaining places like china who dont care for copyrights.

its pretty hard to get really rid of such traffic. you can block stuff but mostly it will just change the response your server gives. flood still knockin at the door.

id hope someday maybe ISPs or so get more creative but maybe they dont have enough access and its hard to do this stuff without the right access into the traffic (creepy kind) or running into accidentally censoring the whole thing.

I don't think these are "Chinese players" and is linked to [1], although it may be that the hands changed many times that the IP addresses have been leased or bought by Chinese entities.

[1] https://mybroadband.co.za/news/internet/350973-man-connected...

Fair point, that's something to consider.

this all from Cloud Innovation vpns,proxies,spam,bots CN Seychelles IP holder

In Europe we have all of them, with only few movies unavailable or additionally paid occasionally. Netflix, Disney, HBO, Prime and others work fine.

Funny to see how narrow perspective some people have…

omg... that's why my self-hosted servers are getting nasty trafic from SC all the time.

The explanation is that easy??

It seems to be a choice they’re making with their eyes open. If folks running a storefront don’t want to associate with you, it’s not personal in that context. It’s business.

I think a lot of services end up sending you to a sort of generic "not in your country yet!" landing page in an awkward way that can make it hard to "just" get to your account page to do this kind of stuff.

Netflix doesn't have this issue but I've seen services that seem to make it tough. Though sometimes that's just a phone call away.

Though OTOH whining about this and knowing about VPNs and then complaining about the theoretical non-VPN-knower-but-having-subscriptions-to-cancel-and-is-allergic-to-phone-calls-or-calling-their-bank persona... like sure they exist but are we talking about any significant number of people here?

Lately I've been thinking that the only viable long-term solution are allowlists instead of blocklists.

The internet has become a hostile place for any public server, and with the advent of ML tools, bots will make up far more than the current ~50% of all traffic. Captchas and bot detection is a losing strategy as bot behavior becomes more human-like.

Governments will inevitably enact privacy-infringing regulation to deal with this problem, but for sites that don't want to adopt such nonsense, allowlists are the only viable option.

I've been experimenting with a system where allowed users can create short-lived tokens via some out-of-band mechanism, which they can use on specific sites. A frontend gatekeeper then verifies the token, and if valid, opens up the required public ports specifically for the client's IP address, and redirects it to the service. The beauty of this system is that the service itself remains blocked at the network level from the world, and only allowed IP addresses are given access. The only publicly open port is the gatekeeper, which only accepts valid tokens, and can run from a separate machine or network. It also doesn't involve complex VPN or tunneling solutions, just a standard firewall.

This should work well for small personal sites, where initial connection latency isn't a concern, but obviously wouldn't scale well at larger scales without some rethinking. For my use case, it's good enough.

Lmao I came here to post this. My personal server was making constant hdd grinding noises before I banned the entire nation of China. I only use this server for jellyfin and datahoarding so this was all just logs constantly rolling over from failed ssh auth attempts (PSA: always use public-key, don't allow root, and don't use really obvious usernames like "webadmin" or <literally just the domain>).

ucloud ("based in HK") has been an issue (much less lately though), and I had to ban the whole digital ocean AS (US). google cloud, aws and microsoft have also some issues...

hostpapa in the US seems to become the new main issue (via what seems a 'ip colocation service'... yes, you read well).

Okay, but this causes me about 90% of my major annoyances. Seriously. It’s almost always these stupid country restrictions.

I was in UK. I wanted to buy a movie ticket there. Fuck me, because I have an Austrian ip address, because modern mobile backends pass your traffic through your home mobile operator. So I tried to use a VPN. Fuck me, VPN endpoints are blocked also.

I wanted to buy a Belgian train ticket still from home. Cloudflare fuck me, because I’m too suspicious as a foreigner. It broke their whole API access, which was used by their site.

I wanted to order something while I was in America at my friend’s place. Fuck me of course. Not just my IP was problematic, but my phone number too. And of course my bank card… and I just wanted to order a pizza.

The most annoying is when your fucking app is restricted to your stupid country, and I should use it because your app is a public transport app. Lovely.

And of course, there was that time when I moved to an other country… pointless country restrictions everywhere… they really helped.

I remember the times when the saying was that the checkout process should be as frictionless as possible. That sentiment is long gone.

Won't help: I get scans and script kiddy hack attempts from digital ocean, microsoft cloud (azure, stretchoid.com), google cloud, aws, and lately "hostpapa" via its 'IP colocation service'. Ofc it is instant fail-to-ban (it is not that hard to perform a basic email delivery to an existing account...).

Traffic should be "privatize" as much as possible between IPv6 addresses (because you still have 'scanners' doing the whole internet all the time... "the nice guys scanning the whole internet for your protection... never to sell any scan data ofc).

Public IP services are done for: going to be hell whatever you do.

The right answer seems significantly big 'security and availability teams' with open and super simple internet standards. Yep the javascript internet has to go away and the app private protocols have too. No more whatng cartel web engine, or the worst: closed network protocols for "apps".

And the most important: hardcore protocol simplicity, but doing a good enough job. It is common sense, but the planned obsolescence and kludgy bloat lovers won't let you...

> So the seychelles traffic is likely really disguised chinese traffic.

Soon: chineseplayer.io

Changing the SSH port also helps cut down the noise, as part of a layered strategy.

We solved a similar issue by blocking free user traffic from data centres (and whitelisted crawlers for SEO). This eliminated most fraudulent usage over VPNs. Commercial users can still access, but free just users get a prompt to pay.

CloudFront is fairly good at marking if someone is accessing from a data centre or a residential/commercial endpoint. It's not 100% accurate and really bad actors can still use infected residential machines to proxy traffic, but this fix was simple and reduced the problem to a negligent level.

Most of the traffic comes from China and Singapore, so I banned both. I might have to re-check and ban other regions who would never even visit my stupid website anyway. The ones who want to are free to, through VPN. I have not banned them yet.

Which site is it?

Only if your bank isn't competent in using them.

Visa/Mastercard chargeback rules largely apply worldwide (with some regional exceptions, but much less than many banks would make you believe).

My own shitty personal website that is so uninteresting that I do not even wish to disclose here. Hence my lack of understanding of the down-votes for me doing what works for my OWN shitty website, well, server.

In fact, I bet it would choke on a small amount of traffic from here considering it has a shitty vCPU with 512 MB RAM.

> Not letting you unsubscribe and blocking your IP are very different things.

How so? They did not let me unsubscribe via blocking my IP.

Instead of being able to access at least my account (if not the streaming service itself, which I get – copyright and all), I'd just see a full screen notice along the lines of "we are not available in your market, stay tuned".

Are you familiar with port knocking? My servers will only open port 22, or some other port, after two specific ports have been knocked on in order. It completely eliminates the log files getting clogged.

Did you really notice a significant drop off in connection attempts? I tried this some years ago and after a few hours on a random very high port number I was already seeing connections.

Obligatory side note of "Europe is not a country".

In several European countries, there is no HBO since Sky has some kind of exclusive contract for their content there, and that's where I was accordingly unable to unsubscribe from an US HBO plan.

I forgot about that: all the nice game binaries from them running directly on nearly all systems...

Not sure I'd call dumping externalities on a minority of your customer base without recourse "capitalism working as intended".

Capitalism is a means to an end, and allowable business practices are a two-way street between corporations and consumers, mediated by regulatory bodies and consumer protection agencies, at least in most functioning democracies.

No, outside the US, both Visa and Mastercard regularly side with the retailer/supplier. If you process a chargeback simply because a UK company blocks your IP, you will be denied.

> be a hero and die a martyr

I believe it's "an hero".

People get weird when you do what you want with your own things.

Want to block an entire country from your site? Sure, it’s your site. Is it fair? Doesn’t matter.

> Why stop there? Just block all non-US IPs!

This is a perfectly good solution to many problems, if you are absolutely certain there is no conceivable way your service will be used from some regions.

> Surely bad actors wouldn’t use VPNs or botnets, and your customers never travel abroad?

Not a problem. Bad actors which are motivated enough to use VPNd or botnets are a different class of attacks that have different types of solutions. If you eliminate 95% of your problems with a single IP filter them you have no good argument to make against it.

Oh thank you kind sir.

The vpn is probably your problem there mate.

Uh, no, it's definitely not. Hero begins with a consonant, so it should be preceded by "a", not "an".

This. If someone wants to target you, they will target you. What this does is remove the noise and 90%+ of crap.

Basically the same thing as changing the ssh port on a public facing server, reduce the automated crap attacks.

Welcome to British English. The h in hero isn’t pronounced, same as hospital, so you use an before it.

In other words, a smart business practice.

This is wrong.

Unless maybe you're from the east end of london.

One of requirements of Visa/Mastercard is for the customer to be able to contact merchant post-purchase.

I’m not claiming everyone pronounces it that way. But he’s an ero, we need to find an ospital, ninety miles an our. You will find government documents and serious newspapers that refer to an hospital.

I guess this is what "Identity aware proxy" from GCP can do for you? Outsource all of this to google - where you can connect your own identity servers, and then your service will only be accessed after the identity has been verified.

We have been using that instead of VPN and it has been incredibly nice and performant.

Only via the original method of commerce. An online retailer who geoblocks users does not have to open the geoblock for users who move into the geoblocked regions.

I have first-hand experience, as I ran a company that geoblocked US users for legal reasons and successfully defended chargebacks by users who made transactions in the EU and disputed them from the US.

Chargebacks outside the US are a true arbitration process, not the rubberstamped refunds they are there.

And usually hackers/malicious actors from that country are not afraid to attack anyone that is not russian, because their local law permits attacking targets in other countries.

(It sometimes comes to funny situations where malware doesn't enable itself on Windows machines if it detects that russian language keyboard is installed.)

Thanks, appreciate it. I would hope so. I do not care about down-votes per se, my main complaint is really the fact that I am somehow in the wrong for doing what I deem is right for my shitty server(s).

Visa and Mastercard aren't even involved in most disputes. Almost all disputes are settled between issuing and acquiring bank, and the networks only step in after some back and forth if the two really can't figure out liability.

I've seen some European issuing banks completely misinterpret the dispute rules and as a result deny cardholder claims that other issuers won without any discussion.

That's not right. It's:

a hospital

an hour

a horse

It all comes down to how the word is pronounced but it's not consistent. 'H' can sound like it's missing on not. Same with other leading consonants that need an 'an'. Some words can go both ways.

I have my jellyfin and obsidian couchdb sync on my Tailscale and they don’t see any public traffic.

> I wanted to order something while I was in America at my friend’s place. Fuck me of course. Not just my IP was problematic, but my phone number too.

Your mobile provider was routing you through Austria while in the US?

This isn't coming from nowhere though. China and Russia don't just randomly happen to have been assigned more bad actors online.

Due to frosty diplomatic relations, there is a deliberate policy to do fuck all to enforce complaints when they come from the west, and at least with Russia, this is used as a means of gray zone cyberwarfare.

China and Russia are being antisocial neighbors. Just like in real life, this does have ramifications for how you are treated.

Not OP, but as far as I know that's how it works, yeah.

When I was in China, using a Chinese SIM had half the internet inaccessible (because China). As I was flying out I swapped my SIM back to my North American one... and even within China I had fully unrestricted (though expensive) access to the entire internet.

I looked into it at the time (now that I had access to non-Chinese internet sites!) and forgot the technical details, but seems that this was how the mobile network works by design. Your provider is responsible for your traffic.

> if you are absolutely certain there is no conceivable way your service will be used from some regions.

This isn’t the bar you need to clear.

It’s “if you’re comfortable with people in some regions not being able to use your service.”

Oddly, my bank has no problem with non-US IPs, but my City's municipal payments site doesn't. I always think it's broken for a moment before realizing I have my VPN turned on.

Huh? Who is them in this case?

> Visa and Mastercard aren't even involved in most disputes. Almost all disputes are settled between issuing and acquiring bank, and the networks only step in after some back and forth if the two really can't figure out liability.

Yes, the issuing and acquiring banks perform an arbitration process, and it's generally a very fair process.

We disputed every chargeback and post PSD2 SCA, we won almost all and had a 90%+ net recovery rate. Similar US businesses were lucky to hit 10% and were terrified of chargeback limits.

> I've seen some European issuing banks completely misinterpret the dispute rules and as a result deny cardholder claims that other issuers won without any discussion.

Are you sure? More likely, the vendor didn't dispute the successful chargebacks.

Maybe, but it doesn't change the fact, that no one is going to forbid me to ban IPs. Therefore I will ban IPs and IPs ranges because it is the cheapest solution.

Likewise, when I was at school, many of my older teachers would say things like "an hotel" although I've not heard anyone say anything but "a hotel" for decades now. I think I've heard "an hospital" relatively recently though.

Weirdly, in certain expressions I say "before mine eyes" even though that fell out of common usage centuries ago, and hasn't really appeared in literature for around a century. So while I wouldn't have encountered it in speech, I've come across enough literary references that it somehow still passed into my diction. I only ever use it for "eyes" though, never anything else starting with a vowel. I also wouldn't use it for something mundane like "My eyes are sore", but I'm not too clear on when or why I use the obsolete form at other times - it just happens!

Yeah, I suppose it's something like that. Except that my solution wouldn't rely on Google, would be open source and self-hostable. Are you aware of a similar project that does this? Would save me some time and effort. :)

There also might be similar solutions for other cloud providers or some Kubernetes-adjacent abomination, but I specifically want something generic and standalone.

Usually CC companies require email records (another way of communicating with a company) showing you attempted to resolve the problem but could not. I don’t think “I tried to visit the website that I bought X item from while in Africa and couldn’t get to it” is sufficient.

Ignore the trolls. Also, if they are upset with you they should focus their vitriol on me. I block nearly all of BRICS especially Brazil as most are hard wired to not follow even the simplest of rules, most data-centers, some VPN's based on MSS, posting from cell phones and much more. I am always happy to give people the satisfaction of down-voting me since I use uBlock to hide karma.

In ublock -> my filters

    # HN Block Karma View
    news.ycombinator.com##.comhead .score:style(overflow: hidden; display: inline-block; line-height: 0.1em; width: 0; margin-left: -1.9em;)
    news.ycombinator.com###hnmain > tbody > tr:first-of-type table td:last-of-type .pagetop:style(font-size: 0!important; color: transparent!important;)
    news.ycombinator.com###hnmain > tbody > tr:first-of-type table td:last-of-type .pagetop > *:style(font-size: 10pt; line-height: 1.45em;)
    news.ycombinator.com###logout::before:style(content: "|"; padding: 0.25em;)
    news.ycombinator.com##form.profileform tbody tr:nth-child(3)

I use a non standard port and have not had an unknown IP hit it in over 25 years. It's not a security feature for me, I use that to avoid noise.

My public SFTP servers are still on port 22 and but block a lot of SSH bots by giving them a long "versionaddendum" /etc/ssh/sshd_config as most of them choke on it. Mine is 720 characters long. Older SSH clients also choke on this so test it first if going this route. Some botters will go out of their way to block me instead so their bots don't hang. One will still see the bots in their logs, but there will be far less messages and far fewer attempts to log in as they will be broken, sticky and confused. Be sure to add offensive words in versionaddendum for the sites that log SSH banners and display them on their web pages like shodan.io.

Generic American English pronounces the 'h' in hospital, hero, heroine, but not hour.

Same is true for RP English.

Therefore, for both accents/dialects, the correct phrases are "a hotel", "a hero", "a heroine", and "an hour".

Cockney, West Country, and a few other English accents "h drop" and would use "an 'our", "an 'otel", etc.

It all started with an inverted killfile...

I've used that solution in the past. What happens when the bots start port knocking?

Now do historic. Suddenly all Brits turn into Cockney's.

Fail2ban :)

Worked great for us, but I had to turn it off. Why? Because the IP databases that the two services I was using are not accurate enough and some people in the US were being blocked as if they had a foreign IP address. It happened regularly enough I reluctantly had to turn it off and now I have to deal the non-stop hacking attempts on the website.

For the record, my website is a front end for a local-only business. Absolutely no reason for anyone outside the US to participate.

Interesting: https://techafricanews.com/2025/07/24/smart-africa-calls-for...

Sure, and all Americans sound like they're from Ocracoke or Tangier.

Moving a cost outside the business and then calling it improved margin is exactly what MBA school teaches and the market rewards.

If you IP block all of China then run a resolver the logs will quickly fill with innocuous domains with NS entries that are blocked. Add those to a dns block list then add their ASN to your company IP block list. Amazing how traffic you don’t want plummets.

The bots have been port scanning me for decades. They just don't know which two ports to hit to open 22 for their IP address. Simply iterating won't get then there, and fail2ban doesn't afford them much opportunity to probe.

I don’t use VPN generally, only in specific cases. For example, when I want to reach Australian news. Because of course, as a non Australian, I couldn’t care about local news. Or when American pages rather ban Europe than they would tell who they sell my data to.

Yes, newer backends for 4G and 5G networks work exactly that way.

> RP English

One might think RP English certainly doesn't determine correctness.

I think you might be talking about "fraudulent transaction/cardholder does not recognize" disputes. Yes, when using 3DS (which is now much more common at least in Europe, due to often being required by regulation in the EU/EEA), these are much less likely to be won by the issuer.

But "merchant does not let me cancel" isn't a fraud dispute (and in fact would probably be lost by the issuing bank if raised as such). Those "non-fraudulent disagreement with the merchant disputes" work very similarly in the US and in Europe.

> Chargebacks outside the US are a true arbitration process, not the rubberstamped refunds they are there.

What's true is that in the US, the cardholder can often just say "I've never heard of that merchant", since 3DS is not really a thing, and generally merchants are relatively unlikely to have compelling evidence to the contrary.

But for all non-fraud disputes, they follow the same process.

Even 2G and 3G data roaming used to work that way.

If anything, the opposite behavior (i.e. getting a local or regional IP instead of one from your home network) is a relatively new development.

Sure, you can keep blocking IPs, and I'll keep arguing for a ban on IP country bans (at least for existing customers) :)

No, you're just wrong here. Merchant doesn't let me cancel will almost always be won by the vendor when they demonstrate that they do allow cancellations within the bounds of the law and contracts. I've won many of these in the EU, too (we actually never lost a dispute for non-compliance with card network rules, because we were _very_ compliant).

I can only assume you are from the US and are assuming your experience will generalise, but it simply does not. Like night and day. Most EU residents who try using chargebacks for illegitimate dispute resolution learn these lessons quickly, as there are far more card cancellations for "friendly fraud" than merchant account closures for excessive chargebacks in the EU - the polar opposite of the US.

As commented elsewhere, you're just wrong. It's a significant burden of proof for a cardholder to win a dispute for non-compliance with card network rules and it very rarely happens (outside of actual merchant fraud, which is much rarer in the EU).

Again, you're not aware of the reality outside the US.

They're referring to the fact that Chinese game companies (Tencent, Riot through Tencent, etc.) all have executables of varying levels of suspicion (i.e. anti-cheat modules) running in the background on player computers.

Then they're making the claim that those binaries have botnet functionality.

At that point, I wonder if an online shop is even necessary. Just sell in-person.

In my experience can cut out the vast majority of ssh connection attempts by just blocking a couple IPs. ... particularly if you've already disabled password auth because some of the smarter bots notice that and stop trying.

"Visiting the website" is the method. It's nonsense to say that visiting from a different location is a different method. I don't care if you won those disputes, you did a bad thing and screwed over your customers.

They tried a VPN as a backup for one of those problems.

So no. It's not.

> Not letting you unsubscribe and blocking your IP are very different things.

When you posted this, what did you envision in your head for how they were prevented from unsubscribing, based on location, but not via IP blocking? I'm really curious.

Personal sites are definitely interesting, way more interesting than most of the rest of the web.

I was thinking I would put your site into archive.org, using ArchiveBot, with reasonable crawl delay, so that it is preserved if your hardware dies. Ask on the ArchiveTeam IRC if you want that to happen.

https://chat.hackint.org/?join=%23archiveteam-bs

> Visiting the website" is the method. It's nonsense to say that visiting from a different location is a different method.

This is a naive view of the internet that does not stand the test of legislative reality. It's perfectly reasonable (and in our case was only path to compliance) to limit access to certain geographic locations.

> I don't care if you won those disputes, you did a bad thing and screwed over your customers.

In our case, our customers were trying to commit friendly fraud by requesting a chargeback because they didn't like a geoblock, which is also what the GP was suggesting.

Using chargebacks this way is nearly unique to the US and thankfully EU banks will deny such frivolous claims.

If you don't see that your campaign is futile and want to waste you time, just go ahead, don't ask for my permission.

The ancestor post was about being unable to get support for a product, so I thought you were talking about the same situation. Refusal to support is a legitimate grievance.

Are you saying they tried a chargeback just because they were annoyed at being unable to reach your website? Something doesn't add up here, or am I giving those customers too much credit?

Were you selling them an ongoing website-based service? Then the fair thing would usually be a prorated refund when they change country. A chargeback is bad but keeping all their money while only doing half your job is also bad.

Those are nice filters, I checked out your profile too!

Thank you. :)

It is a public git repository for the most part, that is the essence of my website, not really much writings besides READMEs, comments in code and commits.

so you just raw dog hotel and conference wifi?

> Surely bad actors wouldn’t use VPNs or botnets, and your customers never travel abroad?

They usually don't bother. Plus it's easier to take action against malicious traffic within your own country or general jurisdiction.

You’re assuming wrong.

And have you won one of these cases in a scenario where the merchant website has a blanket IP ban? That seems very different from cardholders incapable of clicking an “unsubscribe” button they have access to.

I was thinking of 'hotel'. Wrong building. Ooops.

> It's a significant burden of proof for a cardholder to win a dispute for non-compliance with card network rules

That's true, but "fraud" and "compliance" aren't the only dispute categories, not by far.

In this case, using Mastercard as an example (as their dispute rules are public [1]), the dispute category would be "Refund not processed".

The corresponding section explicitly lists this as a valid reason: "The merchant has not responded to the return or the cancellation of goods or services."

> Again, you're not aware of the reality outside the US.

Repeating your incorrect assumption doesn't make it true.

[1] https://www.mastercard.us/content/dam/public/mastercardcom/n...

A public git repository is even more interesting, for both ArchiveTeam Codearchiver, and Software Heritage. The latter offers an interface for saving code automatically.

https://wiki.archiveteam.org/index.php/Codearchiver https://wiki.archiveteam.org/index.php/Software_Heritage https://archive.softwareheritage.org/save/

They can exploit local priviledge escalation flaws without "RCE".

And you are right, kernel anti-cheat are rumored to be weaponized by hackers, and making the previous even worse.

And when the kid is playing his/her game at home, if daddy or mummy is a person of interest, they are already on the home LAN...

Well, you get the picture: nowhere to run, orders of magnitude worse than it was before.

Nowadays, the only level of protection the administrator/root access rights give you, is to mitigate any user mistake which would break his/her system... sad...

Okay, so you're grasping at straws here, because:

a) a Refund Not Processed chargeback is for non-compliance with card network rules,

and b), When the merchant informed the cardholder of its refund policy at the time of purchase, the cardholder must abide by that policy.

We won these every time, because we had a lawful and compliant refund policy and we stuck to it. These are a complete non-issue for vendors outside the US, unless they are genuinely fraudulent.

Honestly, I think you have no experience with card processors outside the US (or maybe at all) and you just can't admit you're wrong, but anyone with experience would tell you how wrong you are in a heartbeat. The idea you can "defeat" geoblocks with chargebacks is much more likely to result in you losing access to credit than a refund.

If you read back in the thread, we're talking about the claim that adding geoblocking will result in chargebacks, which outside the US, it won't.

> Are you saying they tried a chargeback just because they were annoyed at being unable to reach your website?

In our case it was friendly fraud when users tried to use a service which we could not provide in the US (and many other countries due to compliance reasons) and had signed up in the EU, possibly via VPN.

What was inaccessible to them: The service itself, or any means to contact the merchant to cancel an ongoing subscription?

I can imagine a merchant to win a chargeback if a customer e.g. signs up for a service using a VPN that isn't actually usable over the same VPN and then wants money for their first month back.

But if cancellation of future charges is also not possible, I'd consider that an instance of a merchant not being responsive to attempts at cancellation, similar to them simply not picking up the phone or responding to emails.

Are you even trying to see things from a different perspective, or are you just dead set on winning an argument via ad hominems based on incorrect assumptions about my background?

It's quite possible that both of our experiences are real – at least I'm not trying to cast doubt on yours – but my suspicion is that the generalization you're drawing from yours (i.e. chargeback rules, or at least their practical interpretation, being very different between the US and other countries) isn't accurate.

Both in and outside the US, merchants can and do win chargebacks, but a merchant being completely unresponsive to cancellation requests of future services not yet provided (i.e. not of "buyer's remorse" for a service that's not available to them, per terms and conditions) seems like an easy win for the issuer.

After initial save, do they perform automatic git pulls? What happens if there are potential conflicts? I wonder how it all works behind the surface. I know I ran into issues with "git pull --all" before, for example. Or what if it is public software that is not mine? I saved some git repositories (should I do .tar.gz too for the same project? Does it know anything about versions?).

> If you read back in the thread, we're talking about the claim that adding geoblocking will result in chargebacks, which outside the US, it won't.

As a response to someone talking about customers traveling and needing support. But yeah geoblocks can occur in different situations with different appropriate resolutions.

> In our case it was friendly fraud when users tried to use a service which we could not provide in the US (and many other countries due to compliance reasons) and had signed up in the EU, possibly via VPN.

If you provided zero service at all, they should get their money back. And calling a chargeback in that situation "friendly fraud" is ridiculous.

If they weren't even asking for a refund and using a chargeback out of spite, that's bad, but that's a different problem from fraud.

For someone that did sign up via VPN, would they be able to access the cancellation page via VPN?

On Software Heritage: for forges (GitLab, cgit etc), every couple of months SWH lists all repos, pulls new/updated ones. I think if you save an individual repo, it gets pulled later too, but I'm not sure of the schedule. They have custom tooling (open source) for doing the importing of repos, tarballs and other things. They deduplicate on the backend, so if you cloned some repos then the files/commits that are shared between them are saved once. They import the git tags (and other refs) too.

ArchiveTeam Codearchiver is quite a bit different, it does one-shot archiving of repos into VCS-native export formats, like git bundles. There is some deduplication based on commit hashes I think.

I really wish I could just email companies, but at least many US based ones don’t offer that way of communicating.

It’s usually phone support only, or some horrible web chat that leaves only the company with a permanent record of what was said. (I suspect that’s on purpose.)

> Are you even trying to see things from a different perspective, or are you just dead set on winning an argument via ad hominems based on incorrect assumptions about my background?

I'm very open to a different perspective if it's grounded in reality. I'm only judging you on your comments, which to date have been factually inaccurate (to the point that I wonder if you're trolling?),

> Both in and outside the US, merchants can and do win chargebacks,

At vastly different rates (~10% vs ~80%)

> but a merchant being completely unresponsive to cancellation requests of future services not yet provided (i.e. not of "buyer's remorse" for a service that's not available to them, per terms and conditions)

Geoblocking a region is not being unresponsive and will not result in a breach of network rules. Lots of precedent and completely uncontroversial but yet you believe otherwise.

> seems like an easy win for the issuer.

Seems is the operative word here, but it only seems so from your uninformed position. Even after quoting the MC terms that show that you're incorrect, you're still not open to new information.

> If you provided zero service at all, they should get their money back. And calling a chargeback in that situation "friendly fraud" is ridiculous.

No, if a company upholds their side of a contract, the customer must too, within the bounds of the law.

A chargeback in that situation is the _definition_ of "friendly fraud" and is actual criminal fraud.

> If they weren't even asking for a refund and using a chargeback out of spite, that's bad, but that's a different problem from fraud.

That's also criminal fraud.

US consumer are often shocked that "customer is always right" customer service doesn't extend beyond their borders and that they can't chargeback their way out of contracts they've signed.

> For someone that did sign up via VPN, would they be able to access the cancellation page via VPN?

It doesn't matter. If our terms prohibited VPN use to avoid geoblocking (which they did), it's irrelevant whether your VPN can or cannot access the cancellation page on a given day. You can email or write to us. All perfectly legal, lawful, and backed by merchant account providers.

> At vastly different rates (~10% vs ~80%)

Is that your observed rate or an industry-wide trend?

If it's the former, I'll stick with my theory – you're extrapolating from a pretty specific scenario to a different one. My guess would be that you're conflating geoblocking of content (what you seem to have experience with) with geoblocking of the cancellation method (what this thread is about).

If it's the latter, you're wildly off base:

> Merchants win an average of 50% of representments, though there are differences by country: U.S.: 54%, U.K.: 49.1%, AU: 46.7% and Brazil: 36.9%.

(from https://www.mastercard.com/us/en/news-and-trends/Insights/20...)

In fact, this is the opposite of what you're claiming (i.e. a higher win rate for merchants outside the US).

> You can email or write to us.

How do I find your email or postal address if you're blocking every request from a given region? My original point was about companies that do that.

If you're not, I agree that there's much less of a problem (some jurisdictions require online cancellation methods, though).

> No, if a company upholds their side of a contract, the customer must too, within the bounds of the law.

The company upholding their side by... doing nothing? Just give a refund if you're not providing service. And what is this about upholding your side if you're legally unable to provide the service in the first place?

> A chargeback in that situation is the _definition_ of "friendly fraud" and is actual criminal fraud.

They have to get the thing and then chargeback. Your definition is nonsense if it doesn't include them getting the thing.

> That's also criminal fraud.

It might be if they lie about something. But this isn't worth going on a tangent.

> It doesn't matter. If our terms prohibited VPN use to avoid geoblocking (which they did), it's irrelevant whether your VPN can or cannot access the cancellation page on a given day. You can email or write to us. All perfectly legal, lawful, and backed by merchant account providers.

Do they know who to email while the site is blocked? At least that's something.

But I'm not even asking about things fluctuating from day to day, I'm worried about a situation where a VPN can sign up but the same VPN at the same time can't be used to cancel.