I think I may have solved it by an even simpler method: I emailed the perpetrator to "thank him for all of his orders" to see what he'd say. His first few orders came with real email addresses, and even a few under what appears to be his own name "Abang Batax." Ever since I sent that email I haven't had a single order come through from him. That alone may have scared him off.
Nevertheless, I think I will implement a few of your suggestions. I like the idea of an SQL table to store IP addresses that are blocked, though I'd make it last for a couple of days to be extra safe rather than 30 minutes.
Anyone know who the "proper authorities" are, to whom I could give my logs? Amazingly, my CardService rep didn't know. He also didn't seem to care or think it was a very big deal. The total orders that went through are about 100 orders at $15 each. My guess is that "Abang Batax" is probably overseas, so it may not be worthwhile following up.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
