Setting up protection against fraudulent orders in 1C-Bitrix

Fraudulent Order Protection Configuration in 1C-Bitrix

Fraudulent orders follow recognizable patterns: a single IP placing dozens of orders in an hour, disposable email addresses, a mismatch between the delivery city and IP geolocation, large orders with no purchase history. A set of checks in 1C-Bitrix covers 80–90% of such cases without external services.

Multi-level verification

Protection is embedded in the OnBeforeOrderFinalAction event. Three levels of action: pass, flag for manual review, or block.

// /local/php_interface/init.php
AddEventHandler('sale', 'OnBeforeOrderFinalAction', ['\Local\Fraud\OrderGuard', 'check']);

namespace Local\Fraud;

class OrderGuard
{
    public static function check(\Bitrix\Sale\Order $order): \Bitrix\Main\EventResult
    {
        if ($order->getId() > 0) {
            return new \Bitrix\Main\EventResult(\Bitrix\Main\EventResult::SUCCESS);
        }

        $violations = self::runChecks($order);

        if (in_array('block', array_column($violations, 'action'), true)) {
            return new \Bitrix\Main\EventResult(
                \Bitrix\Main\EventResult::ERROR,
                new \Bitrix\Main\Error('Order blocked by security system. Please contact support.')
            );
        }

        if (!empty($violations)) {
            $comment = implode('; ', array_column($violations, 'reason'));
            $order->setField('COMMENTS', '[REVIEW] ' . $comment);
        }

        return new \Bitrix\Main\EventResult(\Bitrix\Main\EventResult::SUCCESS);
    }

    private static function runChecks(\Bitrix\Sale\Order $order): array
    {
        $violations = [];
        $ip    = $_SERVER['REMOTE_ADDR'] ?? '';
        $props = $order->getPropertyCollection();
        $email = $props->getItemByOrderPropertyCode('EMAIL')?->getValue() ?? '';
        $phone = $props->getItemByOrderPropertyCode('PHONE')?->getValue() ?? '';

        // 1. IP order limit exceeded
        $ipOrders = self::countOrdersByIp($ip, 1); // within 1 hour
        if ($ipOrders >= 10) {
            $violations[] = ['action' => 'block',  'reason' => "IP {$ip}: {$ipOrders} orders/hour"];
        } elseif ($ipOrders >= 3) {
            $violations[] = ['action' => 'review', 'reason' => "IP: {$ipOrders} orders/hour"];
        }

        // 2. Disposable email
        if (self::isDisposableEmail($email)) {
            $violations[] = ['action' => 'review', 'reason' => 'Disposable email'];
        }

        // 3. Delivery city / IP mismatch
        $deliveryCity = $props->getItemByOrderPropertyCode('CITY')?->getValue() ?? '';
        if ($deliveryCity && self::isCityMismatch($ip, $deliveryCity)) {
            $violations[] = ['action' => 'review', 'reason' => 'City/IP mismatch'];
        }

        // 4. Large order from a new user
        $userId = (int)$order->getUserId();
        if ($order->getPrice() > 50000 && $userId > 0 && self::getPreviousOrderCount($userId) === 0) {
            $violations[] = ['action' => 'review', 'reason' => 'High amount + new user'];
        }

        return $violations;
    }

    private static function countOrdersByIp(string $ip, int $hours): int
    {
        $ip   = \Bitrix\Main\Application::getConnection()->getSqlHelper()->forSql($ip);
        $from = date('Y-m-d H:i:s', time() - $hours * 3600);

        return (int)\Bitrix\Main\Application::getConnection()->query(
            "SELECT COUNT(*) cnt FROM b_sale_order
             WHERE CREATED_BY_IP = '{$ip}' AND DATE_INSERT >= '{$from}'"
        )->fetch()['cnt'];
    }

    private static function isDisposableEmail(string $email): bool
    {
        $domain  = strtolower(substr(strrchr($email, '@'), 1));
        $domains = ['mailinator.com', 'guerrillamail.com', 'tempmail.com', 'throwam.com',
                    'yopmail.com', '10minutemail.com', 'trashmail.com', 'dispostable.com'];
        return in_array($domain, $domains, true);
    }

    private static function isCityMismatch(string $ip, string $deliveryCity): bool
    {
        // Simple geoip check: flag if discrepancy > 1000 km
        if (!function_exists('geoip_record_by_name')) return false;
        $geo = @geoip_record_by_name($ip);
        if (!$geo || empty($geo['city'])) return false;

        // Normalize and compare
        $geoCity      = mb_strtolower(trim($geo['city']));
        $deliveryNorm = mb_strtolower(trim($deliveryCity));

        return $geoCity !== '' && !str_contains($deliveryNorm, $geoCity)
               && !str_contains($geoCity, $deliveryNorm);
    }

    private static function getPreviousOrderCount(int $userId): int
    {
        return (int)\Bitrix\Main\Application::getConnection()->query(
            "SELECT COUNT(*) cnt FROM b_sale_order
             WHERE USER_ID = {$userId} AND STATUS_ID NOT IN ('C')"
        )->fetch()['cnt'];
    }
}

Manager notification for suspicious orders

When the [REVIEW] status is set, an agent runs every 15 minutes to check for new orders with that tag and sends a notification to the manager:

$suspiciousOrders = \Bitrix\Sale\OrderTable::getList([
    'filter' => [
        'STATUS_ID' => 'N',
        '%COMMENTS' => '[REVIEW]',
        '>=DATE_INSERT' => new \Bitrix\Main\Type\DateTime(date('Y-m-d H:i:s', time() - 900)),
    ],
    'select' => ['ID', 'PRICE', 'COMMENTS', 'DATE_INSERT'],
])->fetchAll();

Implementation timelines