> Is there some kind of blacklist if you do something like that?
No; but oddly enough, the people who "do things like that" generally tend to come from certain countries — I guess countries with cultures that don't place much weight on the concept of "incurring a debt of honor" by consuming someone else's resources without them ever knowing about it.
So most systems don't generally need a big, manually curated and ever-growing blacklist; they just need to block registrations from IP addresses / ASNs of ISPs headquartered in these countries; and/or block payment attempts from credit cards issued by banks headquartered in these countries. That immediately stops 90% of such abuse.
And of the remaining 10%, half of it is still people from those same countries — just using foreign IPs through residential-botnet VPNs, and stolen credit cards they purchased on scammer forums. Blocking these is a bit of an art, but it's possible: there's always patterns to the requests themselves, often because those same scammers try to solve all their problems with money, and so have also purchased scam-site kits to run on the hosting they acquire — things like cryptocurrency "drainers." If you're a VPS hosting provider, you can just detect these by the SHAs of the files; if you're a dedicated hosting provider with no access to customers' disks, it's still pretty easy to pick these out by the outbound signature of the network traffic they generate — as they almost always rely on making requests to particular third-party SaaS information systems, that you can turn into an IDS detection fingerprint.
(I'm personally in a different position in this ecosystem — my company operates one of the public informational SaaS services that these scam-site kits like to use. From my company's perspective, these scammers are perfectly normal paying customers, not intent to scam us... but we don't want these people as customers, so we still detect this fraudware by the fingerprint it makes in our API request logs, and permaban the users who deploy such kits by every fingerprinting metric we can.)
---
Though, on another note, I suppose you could call the observational "IP reputation" metrics gathered by providers like https://www.ipqualityscore.com/ something like a blacklist — and I'm sure hosting providers like Hetzner check your "IP score" before letting you register. But these aren't blacklists in the sense of being manually curated.
Instead, what these providers curate is something like a distributed version of an SSHGuard blocklist: a bunch of the provider's own "observer nodes", all over the world, observe what IPs are hitting them with DDoSes and other botnet-like activities, and consider these IPs temporarily compromised for as long as that activity persists (because any device infected by a botnet can potentially be repurposed as a part of a residential-proxy VPN network — and that means that any traffic observed to come from such a device, can't be trusted to be originating from that device.)
IIRC, these providers will also "go undercover" to buy access to both commercial and residential-botnet VPNs; cycle through them to find out what all the available exit-node IP addresses are from a client's perspective — and then mark all these as compromised as well.
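As an added example of the "detect the fraudware by the fingerprint it makes in our API request logs" approach described above (this is illustrative code written for this thread, not the commenter's or any real provider's system): the log format, the endpoint paths, the kit name and the user-agent marker are all made up, and the sample log lines are constructed. It matches a kit two ways, by its exact endpoint set and by a user-agent marker, so a kit that strips its user agent is still caught by the endpoint pattern, and then collects every fingerprinting metric tied to a flagged account for the ban list.

```python
import re
from collections import defaultdict

# Constructed sample API request log (hypothetical format; not from any real service):
# "<timestamp> account=<id> ip=<addr> ua=\"<user agent>\" path=<endpoint>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z account=acct-1001 ip=198.51.100.7 ua="drainer-kit/2.1" path=/v1/wallets/balance
2024-05-01T10:00:02Z account=acct-1001 ip=198.51.100.7 ua="drainer-kit/2.1" path=/v1/tokens/approvals
2024-05-01T10:00:03Z account=acct-1001 ip=198.51.100.7 ua="drainer-kit/2.1" path=/v1/wallets/balance
2024-05-01T10:00:04Z account=acct-2002 ip=203.0.113.9 ua="Mozilla/5.0" path=/v1/wallets/balance
2024-05-01T10:00:05Z account=acct-2002 ip=203.0.113.9 ua="Mozilla/5.0" path=/v1/prices
2024-05-01T10:00:06Z account=acct-3003 ip=192.0.2.44 ua="python-requests/2.31" path=/v1/wallets/balance
2024-05-01T10:00:07Z account=acct-3003 ip=192.0.2.44 ua="python-requests/2.31" path=/v1/tokens/approvals
2024-05-01T10:00:08Z account=acct-3003 ip=192.0.2.44 ua="python-requests/2.31" path=/v1/wallets/balance
2024-05-01T10:00:09Z account=acct-3003 ip=192.0.2.44 ua="python-requests/2.31" path=/v1/tokens/approvals
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Hypothetical kit fingerprint: the exact set of endpoints a scam-site kit depends on,
# plus user-agent substrings some builds of it leak. Paths and markers are invented.
KIT_FINGERPRINTS = {
    "wallet-drainer-kit": {
        "paths": frozenset({"/v1/wallets/balance", "/v1/tokens/approvals"}),
        "ua_markers": ("drainer-kit",),
    },
}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def profile_accounts(records):
    """Collect, per account, every endpoint, user agent and source IP observed."""
    profiles = defaultdict(lambda: {"paths": set(), "uas": set(), "ips": set()})
    for r in records:
        p = profiles[r["account"]]
        p["paths"].add(r["path"])
        p["uas"].add(r["ua"])
        p["ips"].add(r["ip"])
    return dict(profiles)


def detect_kits(profiles):
    """Return {account: [reason, ...]} for accounts whose traffic matches a kit fingerprint.

    Two independent signals are checked:
      - exact endpoint set: the account calls every endpoint the kit needs and nothing
        else (a genuine integrator almost always touches other endpoints too);
      - a user-agent marker appears in any user agent the account sent.
    """
    flagged = {}
    for account, p in profiles.items():
        reasons = []
        for kit, fp in KIT_FINGERPRINTS.items():
            if p["paths"] == set(fp["paths"]):
                reasons.append(f"{kit}: exact endpoint set {sorted(fp['paths'])}")
            if any(marker in ua for ua in p["uas"] for marker in fp["ua_markers"]):
                reasons.append(f"{kit}: user-agent marker")
        if reasons:
            flagged[account] = reasons
    return flagged


def ban_indicators(profiles, flagged):
    """Every fingerprinting metric tied to flagged accounts, for the permaban list."""
    ips, uas = set(), set()
    for account in flagged:
        ips |= profiles[account]["ips"]
        uas |= profiles[account]["uas"]
    return {"accounts": set(flagged), "ips": ips, "uas": uas}


if __name__ == "__main__":
    prof = profile_accounts(parse_log(SAMPLE_LOG))
    hits = detect_kits(prof)
    for account, reasons in hits.items():
        print(account, "->", "; ".join(reasons))
    print(ban_indicators(prof, hits))
```

On the sample log, acct-1001 is flagged on both signals, acct-3003 only on its endpoint set (its generic user agent carries no marker), and acct-2002, which also calls an unrelated endpoint, is not flagged. In a real deployment the exact-set rule would be evaluated over a time window rather than the whole history, since a legitimate customer's first few calls can look like anything.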
As far as I can tell, the author is French and lives in France. I've heard plenty of stereotypes about the French, but them not caring about debts of any kind doesn't come to mind.
Then again, I seriously doubt Netlify's cost actually reflected the damage incurred. Cloud providers inflate their bills massively, and if they did incur a loss serious enough, they'd pursue the matter in court; a couple of thousand euros lost is worth getting your legal team involved for. Deleting your account doesn't clear your debt, nor does it make you untraceable.
Most likely, Netlify noticed the large bill associated with a deleted account, concluded that the resources spent didn't incur them enough loss to care, and waived the fee. Companies like Amazon will sometimes waive huge bills due to bugs if you ask nicely anyway.
I don't think there's an international fraud registry that works for this kind of abuse. The best you can do is verify the identity of your customers and let the banks and/or legal system handle frauds.
Outside of France there are places that register debt to your name, making it hard to get loans or mortgages or even things like phone contracts exceeding a certain monthly fee. There's also the American credit score system, of course, which will bite offenders in other ways down the line.
With the popularity of services like privacy.com where you can create virtual credit cards that will just disappear when you don't want to pay your bills anymore, I think this type of abuse has been calculated into the pricing structure.
Cards from privacy.com are easy to ban because they always come from the same banks, and their card numbers always start with the same eight digit sequence. Just ban anything from that starting eight digit sequence, and you're done.
Sadly, that also hurts all of the legitimate customers from privacy.com.
> As far as I can tell, the author is French and lives in France. I've heard plenty of stereotypes about the French, but them not caring about debts of any kind doesn't come to mind.
No, I wasn't implying anything about France; but then, the author wasn't doing the thing that most "people causing problems for hosting providers" do, which goes more like so:
1. register with a stolen credit card that validates at the time, but won't accept payment when the provider goes to collect for the month;
2. rack up billable usage doing some kind of scam; and then
3. when the account gets closed for non-payment, immediately register again, from a new (VPNed) IP, using a new (stolen) identity, with a new (stolen) card.
4. Optionally: do this "in bulk" with multiple accounts at once, perhaps even with scripted automatic bulk account registrations, account "aging" to avoid registration-recency being used as a fraud-score calculation, etc. (You're more likely to see this type of attacker on API services where the service has some kind of per-customer rate-limiting and the attacker doesn't appreciate being rate-limited — they just configure their client software to round-robin their workload across many accounts.)
If you were raised to see this as "using up someone else's resources and depriving others of those resources", then this probably sounds unethical to you, and you will avoid doing it even if it's "easy" to do. But if you weren't, then this probably just looks like an "infinite money glitch" in real life.
If you want me to be concrete about the part of the world where these fraudulent users come from: it's CIS countries. It's hard to tell which people are responsible any more specifically than that — the various CIS countries crop up pretty evenly in attack logs. This is likely because there are many VPN services run in each of these countries, that specifically serve the "other CIS countries" market, and even more specifically serve the "your country is blacklisted from service X? we got you, bro" market.
(I have been witness to posts on scammer forums over the last year or two, that specifically said something to the effect of "full identity kits [IP VPN, identity and matching credit card] for sale! Russian kits on discount because they're unlikely to be accepted pretty much anywhere useful. Ukrainian kits marked up with a premium right now, because the west is a big fan of them at the moment, and so is more hesitant to ban them / write rules against them.")
> With the popularity of services like privacy.com where you can create virtual credit cards that will just disappear when you don't want to pay your bills anymore, I think this type of abuse had been calculated into the pricing structure.
There's a simple switch on pretty much every payment processor, that when enabled, rejects cards known to be prepaid/gift cards, only accepting cards that can actually carry a negative balance. Any post-paid usage-based-billing subscription service would have this switch enabled.
A paranoid provider like Hetzner, in addition, probably blocks the Privacy.com partnering card issuer's BIN numbers from being accepted at subscription time. I know our service sure does. (We block the BINs for Venmo and CashApp "cards" too.)
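As an added example of the subscription-time card screen described in this reply and in the earlier "ban anything from that starting eight-digit sequence" comment (illustrative code written for this thread, not any provider's or payment processor's own logic): the funding type and issuer country are assumed to come from the processor's BIN lookup, the blocked BINs are the 8-digit prefixes of public test card numbers standing in for a real virtual-card issuer range, the blocked issuer country "XX" is a placeholder, and treating debit as well as credit as able to carry a negative balance is this example's assumption. A Luhn check gates out malformed numbers before any lookup would be spent on them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CardInfo:
    pan: str              # full card number; only its first 8 digits (the BIN) are inspected
    funding: str          # "credit", "debit" or "prepaid", as reported by the processor's BIN lookup
    issuer_country: str   # ISO 3166-1 alpha-2 code of the issuing bank


# Constructed placeholder BINs: the 8-digit prefixes of well-known public test card
# numbers, standing in for a virtual-card issuer's real BIN range (deliberately not included).
BLOCKED_BINS = {"41111111", "55555555"}
# Placeholder issuer-country block list; the thread leaves the actual list to the operator.
BLOCKED_ISSUER_COUNTRIES = {"XX"}
# Post-paid, usage-billed service: accept only funding types that can carry a negative
# balance (prepaid/gift cards cannot). Debit being acceptable is this example's assumption.
ALLOWED_FUNDING = {"credit", "debit"}


def luhn_valid(pan):
    """Syntactic gate: all digits, a minimum length, and a correct Luhn checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def screen_card(card):
    """Return the reasons to refuse the card at subscription time; an empty list means accept."""
    if not luhn_valid(card.pan):
        return ["malformed card number"]
    reasons = []
    bin8 = card.pan[:8]
    if bin8 in BLOCKED_BINS:
        reasons.append(f"BIN {bin8} is on the blocked issuer list")
    if card.funding not in ALLOWED_FUNDING:
        reasons.append(f"funding type '{card.funding}' cannot carry a negative balance")
    if card.issuer_country in BLOCKED_ISSUER_COUNTRIES:
        reasons.append(f"issuer country {card.issuer_country} is blocked")
    return reasons


def accepted(card):
    return not screen_card(card)


if __name__ == "__main__":
    samples = [  # constructed cards built on public test numbers
        CardInfo("4242424242424242", "credit", "US"),
        CardInfo("4242424242424242", "prepaid", "US"),
        CardInfo("4111111111111111", "credit", "US"),
        CardInfo("5555555555554444", "debit", "XX"),
        CardInfo("4242424242424243", "credit", "US"),
    ]
    for c in samples:
        print(c.pan[:8], c.funding, c.issuer_country, "->", screen_card(c) or "accepted")
```

The screen returns every reason rather than the first one, which is what you want in a fraud log: a card that is both prepaid and on a blocked BIN is a stronger signal than either alone. The cost noted upthread still applies, since a BIN block refuses every legitimate holder of that issuer's cards, so the BIN list should be reviewed as deliberately as any other block list.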