I did the same thing with geo IP blocks + blocks of non-consumer IP ranges. I don't completely block the transaction - I just send them into a different workflow where we manually call them to run the transaction. This works fine for legitimate customers.