GeoIP rewite rule?, redirect CHINA users to an error page.

Jim Ohlstein jim at
Mon Feb 15 17:27:24 MSK 2010

On 2/15/10 1:26 AM, CLIFFORD ILKAY wrote:
> On 02/15/2010 12:40 AM, Cliff Wells wrote:
>> Incidentally I'm not trying to lecture you, but I think this
>> conversation is worth having in this public forum as there are many
>> people who will read this at some future date, and without some
>> counter-argument, they might be led into thinking this is a good
>> solution to a security-related problem without considering all the
>> implications first.
> This was not done for reasons related to the security of the server. It
> was done purely to reduce the number of scam emails originating from the
> aforementioned TLDs to the advertisers of the goods on my client's web
> site. If the governments of the countries represented by those TLDs took
> Internet fraud and other Internet-related malfeasance more seriously and
> prosecuted the criminal gangs that are often behind these activities,
> then we wouldn't have to resort to such drastic measures.

While scam emails are a nuisance, and perhaps apropos of nothing, a 
great deal of the attempted credit card fraud that we see originates in 
the good old United States of America.

We use geographic blocking simply to block unprofitable or nuisance 
traffic. For instance, one of the issues we had with our proxies were 
requests from Iran consuming huge amounts of bandwidth. While I am 
sympathetic to the fact that internet access is restricted there, 
advertisers who pay our bills could care less. They don't pay much if 
anything for impressions in Iran. Another country created problems with 
excessive downloads of large files, again consuming bandwidth at what 
seemed like all hours. We didn't want to rate limit everyone because the 
issue was really with one country, so we used a redirect to a different 
domain. That domain *only* had traffic from that one country, and 
requests were rate limited after a couple of megabytes. This had the 
effect that smaller files were easy to download but large files went 
very s-l-o-w-l-y. Users quickly adapted their usage of our service.

For credit card processing, we pre-screen with MaxMind's paid service. I 
think it costs $0.004 per request. It's the best four-tenths of a cent I 
can imagine paying. Many if not most of the frauds never even get to our 
processor to decline.

We use none of this in "server security". For what it's worth, we see 
break in attempts from all corners of the globe. The Western Hemisphere 
is well represented.

Jim Ohlstein

More information about the nginx mailing list