Hosting Companies: Anti-Abuse Tips and Tricks

I’ve been running the Abusix Mail Intelligence blocklists for over 4 years now, and I’ve seen a lot of repeated issues that come from hosting.

So, I wanted to share some anti-abuse tips and tricks based on that experience and what I would do if I were running a hosting company.

1) Knowledge is (anti-abuse) power

Utilise tools like NetFlow and NTOP to know what each customer is doing, e.g., which ports are open and what their traffic volumes to those ports look like.  And make this information available to your anti-abuse teams.

Know which of your customers are running WordPress, Magento, etc., and other commonly targeted applications and which software versions they are running.

This information can even be used to build new products and sales strategies, e.g., offering managed WordPress hosting.
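As an added example (not code from the original post or from Abusix), the following script aggregates NetFlow-style records per customer so an abuse team can see which ports each customer sends traffic to, how much, and which ports on the customer's own addresses receive traffic. The customer allocation table and the sample flows are constructed for illustration; a real deployment would read exported flows from the collector instead.

```python
# Added example, not code from the original post or from Abusix: aggregate
# NetFlow-style records per customer so an abuse team can see which ports each
# customer talks to, how much traffic goes there, and which of the customer's
# own ports receive traffic. The allocation table and flows are constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    octets: int


# Hypothetical allocation table: which customer owns which address block.
CUSTOMER_BLOCKS = {
    "cust-a": ip_network("192.0.2.0/28"),
    "cust-b": ip_network("192.0.2.16/28"),
}

# Constructed sample flows using RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("192.0.2.5", "198.51.100.10", 25, "tcp", 120_000),   # cust-a -> SMTP
    Flow("192.0.2.5", "198.51.100.11", 25, "tcp", 95_000),    # cust-a -> SMTP
    Flow("192.0.2.5", "198.51.100.12", 443, "tcp", 3_000),    # cust-a -> HTTPS
    Flow("192.0.2.20", "198.51.100.13", 443, "tcp", 40_000),  # cust-b -> HTTPS
    Flow("192.0.2.20", "198.51.100.14", 587, "tcp", 2_500),   # cust-b -> submission
    Flow("203.0.113.7", "192.0.2.20", 80, "tcp", 500),        # inbound to cust-b
    Flow("203.0.113.8", "192.0.2.20", 3306, "tcp", 900),      # inbound to cust-b: DB port reachable
]


def customer_for(ip: str):
    """Map an address to the customer that owns its block, or None."""
    addr = ip_address(ip)
    for name, block in CUSTOMER_BLOCKS.items():
        if addr in block:
            return name
    return None


def outbound_by_port(flows):
    """{customer: {(proto, dst_port): octets}} for traffic customers originate."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        cust = customer_for(f.src_ip)
        if cust is not None:
            totals[cust][(f.proto, f.dst_port)] += f.octets
    return {c: dict(ports) for c, ports in totals.items()}


def inbound_ports(flows):
    """{customer: sorted ports that received traffic}, a proxy for 'open' ports."""
    seen = defaultdict(set)
    for f in flows:
        cust = customer_for(f.dst_ip)
        if cust is not None:
            seen[cust].add(f.dst_port)
    return {c: sorted(p) for c, p in seen.items()}


def smtp_heavy_customers(summary, threshold_octets=100_000):
    """Customers whose outbound tcp/25 volume exceeds the threshold."""
    return sorted(c for c, ports in summary.items()
                  if ports.get(("tcp", 25), 0) > threshold_octets)


if __name__ == "__main__":
    summary = outbound_by_port(SAMPLE_FLOWS)
    for cust, ports in summary.items():
        print(cust, {f"{p}/{port}": octets for (p, port), octets in ports.items()})
    print("inbound ports:", inbound_ports(SAMPLE_FLOWS))
    print("smtp-heavy:", smtp_heavy_customers(summary))
```

The inbound view is what tells you a customer has a database port reachable from the internet; the outbound view is what tells you a customer is suddenly talking to many remote SMTP servers. Both belong on the abuse team's dashboard.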

2) Focus on new customers

Everyone loves new customers, but not when they’ve come to your platform because they’ve been kicked off someone else’s platform.
Try to segment these new customers where they can do less harm, look for early signs of abuse, and act on them quickly.

3) Block port 25 by default

For dedicated machines or VPS hosting, this can help prevent many issues whilst still allowing anyone to send email as a client to a mail relay using the mail submission port (587/tcp).

You can use a request form to allow port 25 access, but treat anyone requesting a large range for SMTP with suspicion and watch this carefully for abuse if you allow this.

4) Learn from every abuse incident

This is something that I see a lot of companies not doing so well.

Abuse happens to everyone, but how you handle this separates you from your competitors. 

The best companies learn something new from every single abuse incident so they can improve their processes and harden against the same or similar issues happening again in the future.

Keep detailed records with documented evidence that can be easily referenced when looking at similar issues, and the patterns might become more obvious.

5) Provide trace headers on any email that you send

On any mail sent through your platform, you should be able to easily identify which customer sent it by looking at the message headers. 

Likewise, if a message is being generated by a form submission, then the resultant message should contain a header that contains the IP that submitted the form which generated the message.
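The following is an added example, not code from the original post: a contact-form handler stamps each outbound message with a header naming the hosting customer and a header carrying the IP address that submitted the form, and an abuse handler reads those headers back from a forwarded complaint. The `X-Hosting-Customer-ID` and `X-Form-Client-IP` header names are invented for this example; choose your own and document them for your abuse team.

```python
# Added example, not code from the original post: stamp form-generated mail with
# trace headers identifying the customer and the submitting client IP, and read
# them back from a forwarded message. The X-* header names are hypothetical.
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from ipaddress import ip_address

CUSTOMER_HDR = "X-Hosting-Customer-ID"   # hypothetical header name
FORM_IP_HDR = "X-Form-Client-IP"         # hypothetical header name
_CUSTOMER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_form_message(customer_id, form_client_ip, sender, recipient, subject, body):
    """Build the message a web-form handler hands to the local MTA."""
    # Validate both trace values before they become header text, so
    # user-controlled input cannot smuggle extra headers or a fake trace value.
    if not _CUSTOMER_ID_RE.match(customer_id):
        raise ValueError("bad customer id")
    form_client_ip = str(ip_address(form_client_ip))  # ValueError on anything but an IP
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject        # the default policy rejects embedded line breaks
    msg[CUSTOMER_HDR] = customer_id
    msg[FORM_IP_HDR] = form_client_ip
    msg.set_content(body)
    return msg


def trace_origin(raw_message):
    """Recover the customer and submitting IP from a message a reporter forwarded."""
    msg = message_from_string(raw_message, policy=default)
    cust = msg.get(CUSTOMER_HDR)
    ip = msg.get(FORM_IP_HDR)
    return {
        "customer_id": str(cust) if cust is not None else None,
        "form_client_ip": str(ip) if ip is not None else None,
    }


if __name__ == "__main__":
    m = build_form_message("cust-a", "203.0.113.9", "form@example.com",
                           "owner@example.com", "Contact form", "Hello")
    print(m.as_string())
    print(trace_origin(m.as_string()))
```

Because the trace values are validated before insertion, a form field that contains a line break or a made-up address raises rather than producing a message whose origin cannot be trusted.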

6) Be wary of customers using bulk mail-sending tools

Customers using bulk mailing tools that are commonly (mis)used, like “Interspire” or “Smart Send,” should be monitored.

Common mistakes when using these tools are poor address-capturing methods (e.g., no opt-in, purchased lists, or very old lists being imported) and poor or completely missing bounce management (e.g., unsubscribing addresses that bounce).

7) Use rate limits as a last resort to catch issues

There are many ways to catch spam before it leaves your systems, and I’ve covered a few in previous blog posts.  Whilst many systems will differ in their set-up, you should, at a very minimum, have fairly aggressive rate limits set up.

Most importantly, exceeded rate limits should trigger administrative alerts for your abuse team to monitor and check for compromised accounts, spam, etc.
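As an added example (not from the original post), here is a per-account sliding-window rate limit for outbound submissions that refuses a message once the limit is exceeded and, at the same time, raises an administrative alert for the abuse team. The limits and the alert sink are constructed; in practice `alert_sink` would post to your ticketing or paging system.

```python
# Added example, not code from the original post: a per-account sliding-window
# limit on outbound mail that refuses over-limit submissions and raises an
# alert for the abuse team. Limit values and the alert sink are constructed.
from collections import defaultdict, deque


class SubmissionRateLimiter:
    def __init__(self, max_messages, window_seconds, alert_sink, realert_after=3600):
        self.max_messages = max_messages
        self.window = window_seconds
        self.alert_sink = alert_sink          # callable(dict) that receives alert events
        self.realert_after = realert_after    # suppress duplicate alerts for this long
        self._sent = defaultdict(deque)       # account -> submission timestamps in window
        self._last_alert = {}

    def check(self, account, now, recipients=1):
        """Return True if the submission may proceed; False (and alert) if over limit."""
        q = self._sent[account]
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) + recipients > self.max_messages:
            self._alert(account, now, len(q) + recipients)
            return False
        q.extend([now] * recipients)             # each recipient counts as one message
        return True

    def _alert(self, account, now, attempted):
        last = self._last_alert.get(account)
        if last is not None and now - last < self.realert_after:
            return                               # already alerted recently; avoid a storm
        self._last_alert[account] = now
        self.alert_sink({
            "event": "rate_limit_exceeded",
            "account": account,
            "time": now,
            "attempted_in_window": attempted,
            "limit": self.max_messages,
            "window_seconds": self.window,
        })


if __name__ == "__main__":
    events = []
    rl = SubmissionRateLimiter(max_messages=100, window_seconds=3600, alert_sink=events.append)
    for i in range(100):
        rl.check("alice@example.com", now=1000 + i)
    print("101st accepted:", rl.check("alice@example.com", now=1200))
    print("alerts:", events)
```

The alert carries the account, the attempted count and the limit so the abuse team can go straight to checking for a compromised account. The re-alert suppression matters: a compromised account hammering the limit should produce one ticket, not thousands.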

8) Don’t allow your users to send emails from domains that you do not handle inbound for them.

If you provide email hosting and handle customer domains, do not allow authenticated users to send emails with a return-path domain that does not match their account.  This will prevent a whole class of very common spam emitted when an account is compromised and can serve as a useful way to identify compromised accounts.

For example: do not allow a customer to send an email with a return path of @gmail.com or @yahoo.com – both of these will fail email authentication protocols (e.g., SPF and DMARC) when received by the recipient.
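The following is an added example, not code from the original post: a submission-time policy check that rejects a MAIL FROM (return-path) whose domain is not one the authenticated account is hosted for, and reports the mismatch as a possible compromised-account signal. The account-to-domain table is constructed; a real MSA would look this up in its account store.

```python
# Added example, not code from the original post: reject return-path domains the
# authenticated account is not hosted for, and flag the mismatch as a possible
# compromised-account signal. The account-to-domain table is constructed.
import re

# Hypothetical table: authenticated account -> domains we handle inbound mail for.
ACCOUNT_DOMAINS = {
    "alice@example.com": {"example.com", "example.net"},
    "shop@example.org": {"example.org"},
}

_ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def return_path_domain(mail_from):
    """Extract the domain from a MAIL FROM argument such as '<user@example.com>'.

    Returns None for the null reverse-path ('<>'), raises ValueError if unparseable.
    """
    mail_from = mail_from.strip()
    if mail_from in ("", "<>"):
        return None
    m = _ADDR_RE.match(mail_from)
    if not m:
        raise ValueError("unparseable MAIL FROM")
    return m.group(2).lower().rstrip(".")   # case-insensitive, ignore trailing dot


def check_return_path(account, mail_from, allow_null_sender=False):
    """Return (allowed, reason) for an authenticated submission."""
    domains = {d.lower() for d in ACCOUNT_DOMAINS.get(account, set())}
    try:
        domain = return_path_domain(mail_from)
    except ValueError as e:
        return False, str(e)
    if domain is None:
        if allow_null_sender:
            return True, "null sender permitted"
        return False, "null sender not permitted for authenticated submission"
    if domain in domains:
        return True, "return-path domain belongs to account"
    return False, (f"return-path domain {domain} not hosted for {account}: "
                   "possible compromised account")


if __name__ == "__main__":
    for mf in ("<alice@example.com>", "<alice@gmail.com>", "<>"):
        print(mf, check_return_path("alice@example.com", mf))
```

Every rejection with the "possible compromised account" reason is worth counting per account: a burst of them from one login is exactly the signal the post describes for spotting a compromised account before the spam leaves your network.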

9) Have strong terms of service and handle abuse reports quickly

The worst I’ve seen is where it took one company 10 days to handle some abuse that I reported directly to one of their staff via live chat.  If you have to contact your customer before you’re allowed to take action, then you’re doing it wrong…

I hope that is useful; if you have any comments or suggestions for anything I missed on anti-abuse, please let me know!
