Messaging, Malware and Mobile Anti-Abuse Working Group
M3AAWG Anti-Abuse Best Common Practices
for Hosting and Cloud Service Providers
System abuse drains time and revenue for hosting and cloud providers. Providers must maintain constant
vigilance to make sure systems are not compromised. Just as crucially, they must ensure that their customers
are vigilant. This document categorizes types of abuse, suggests appropriate responses and reviews practices
for dealing with customers and complaints. It presents the best common practices currently in use within the hosting, DNS and domain registration provider communities. The intended audience is anti-abuse technical operations staff and their management.
Table of Contents
1. Introduction
2. Types of Hosting
3. Types of Abuse
4. Prevention
5. Detection and Identification
6. Remediation
Appendix 1: Glossary of Standard Terms
Appendix 2: Legal and Other Resources
Appendix 3: A Note about Data Security
Appendix 4: Ticketing Systems
M3AAWG Messaging, Malware and Mobile Anti-Abuse Working Group P.O. Box 29920 San Francisco, CA 94129-0920 www.M3AAWG.org info@M3AAWG.org
1. Introduction
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and the Internet Infrastructure Coalition (i2C) offer these best practices for hosting, DNS and domain registration providers in support of the M3AAWG mission to reduce all types of messaging and other forms of network abuse. The goal of this paper is to educate providers about methods they can adopt in order to more efficiently use their resources to fight abuse.
Hosting providers must adhere to these requirements to avoid industry and regulatory actions and to avoid the risk of incurring additional regulations. Providers should also consider joining relevant coalitions and adhering to relevant self-regulatory initiatives, such as those prescribed by other industry trade associations.
Hosting providers must be in compliance with the requirements of all upstream network providers and applicable regional governments’ regulations. (See Appendix 2.) This document outlines industry best common practices. It is understood that not all hosting providers or reporting agencies will implement all of these practices due to the complexity of network infrastructures, public policy considerations, and the scalability of network platforms.
2. Types of Hosting
Hosts offer varying levels of support, equipment provision and help with abuse issues related to their customers.
*Where the customer is the owner of the hardware, as it is in a hosting environment, responsibility for hardware maintenance will be shared between the hosting provider and the customer.
● Cloud Hosting This is shared hosting with redundancy. (See Shared Hosting below.)
● Dedicated Hosting The hosting provider owns and provides the server, physical space in a facility, connectivity, electricity and physical security. The customer controls and maintains the server, OS (operating system), software, and administrative and end-user access. The hosting company provides a dedicated box that has only one customer assigned to it. Usually the customer has admin-level access to the box.
● Hosting Provider Any entity which offers end users the ability to create their Web presence on hardware they do not actually own.
● Managed Hosting The hosting provider owns and provides the server, the OS and the software and/or technical support. The customer controls administrative and end-user access.
● Reseller Hosting An arrangement under which the hosting company provides space to a customer who acts as an independent hosting company. The business arrangement can be either unmanaged or dedicated hosting, as detailed above. Customers can then position themselves as hosting providers in their own right and sell services to customers. Resellers can resell to other resellers, thus adding degrees of separation that create potential latency in the abuse-handling process.
● Shared Hosting The hosting provider owns and provides the server, physical space in a facility, connectivity, electricity and physical security, and provides the OS and software. The provider controls administrative access. The customer controls end-user access. Abuse issues in a shared system require the provider to point the customer in the right direction to a resolution.
● Unmanaged Hosting The hosting provider provides physical space in a facility, connectivity, electricity and physical security. The customer owns, controls and maintains the server, OS, software, administrative and end-user access.
● Virtual Private Server (VPS) An arrangement under which customers are given a virtual server environment in which they usually have admin-level control of that environment. In some cases they may also have guaranteed processes or hardware allocations. The hosting provider owns and provides the virtual server environment and the OS. The customer controls administrative and end-user access and software.
M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers 3
3. Types of Abuse
Below is a list of the types of abuse most commonly seen at hosting and cloud service providers. The list does not purport to be complete and will invariably change over time.
● Spam (outbound) Spam is any email sent to end users that the receiver has specified they did not want to receive.
Providers should ensure that customers are following the M3AAWG Sender Best Current Practices.[1] Hosting providers will also want to subscribe to as many relevant Feedback Loop reports as it is possible to process. (See more about Feedback Loops in Section 5 below.)
● Spamvertising (hosted redirect and payloads) Spamvertising occurs when a hosting provider’s end user engages a third party to advertise its Web presence. Most spam complaints are caused by end users sending emails to potential customers that tout some overhyped product or service. Spamvertising is done via a third party. Providers who receive one of these complaints are most likely in the loop either as the sender of the email or as the host of the site being advertised.
● Phishing outbound (hosting and inbound for client credentials) Phishing happens primarily when an end-user account has been compromised, almost always as a result of outdated scripts run by end users. A phishing site is a fraudulent site purporting to be a legitimate company, like Bank of America or PayPal, that directs the individual to enter confidential information. The phishers then have everything they need to rob the individual who has just been scammed.
● Hacked or defaced pages (hosted client-side) While phishing complaints will often fall into this category, not all hacked accounts will be used for phishing. Some may simply be defaced and the end users’ data corrupted or destroyed. Frequently hackers will also inject malicious code or upload bots that are set to cause additional problems. Third parties and law enforcement agencies analyze these events and provide information about how to repair hacked sites. Most accounts are compromised due to end users’ out-of-date CMS (Content Management System) installations such as Joomla or WordPress.
● Child sexual abuse material (hosted client-side) For appropriate handling of these issues, see the M3AAWG Disposition of Child Sexual Abuse Materials Best Common Practices (https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Disposition_CAM-2015-02.pdf).
● Copyright and trademark/intellectual property issues (hosted client-side) For online U.S. copyright law, see http://www.copyright.gov/reports/studies/dmca/dmca_executive.html.
Other copyright regimes apply in other jurisdictions.
● Distributed denial of service and other outbound hostile traffic (hosted amplification, redirect, botnet C&C hosts)
● Malicious signups (whack-a-mole/multi-account, multi-platform)
4. Prevention
Vet customers before they cause problems.
Hosting providers are at the mercy of their clients’ worst practices. Providers must have some type of vetting process to proactively identify malicious clients before they undertake abusive activities. A sound vetting process prior to provisioning will help the provider determine the difference between the truly bad actors and the customer who simply needs some guidance on proper online conduct. Vetting of clients is integral to maintaining a good reputation, decreasing costs and decreasing online abuse.[2]
Require customers to keep software updated.
Failure to maintain up-to-date software and hardware or firmware in the environment is one of the primary causes of abuse in the hosting space. Customer agreements should specify that customers will make a best effort to keep their systems up to date. This includes:
● OS/installs
● Plugins
● Content Management Systems (CMS)
● Themes
● Hardware/Firmware
Agreements should specify that out-of-date software may violate the prevailing contract with customers, as it can cause risks to the security both of their own environment and that of others. Where possible, customers should have automatic software updates enabled for their environment.
Prevent abusers from becoming customers.
Stopping parties intent upon abusive activities before they even get into a host’s system must be given high priority when developing a prevention plan. The practices below will aid in preventing fraudulent accounts from gaining entrance to hosting systems.
● Institute preauthorization of new accounts.
● Personally contact accounts that are deemed suspicious.
● Keep records of previously terminated fraud accounts.
● Put limits on new accounts that can be raised only when a credible customer need is shown.
● If possible, institute a fraud scoring system and automatically reject prospective accounts that fall below the specified threshold.
● Provide sales teams with specific questions and specific red flag statements made by prospective accounts to help identify potential fraud.
The M3AAWG Sender Committee “Vetting Best Common Practices” may be of some use in this regard.
https://www.m3aawg.org/sites/maawg/files/news/MAAWG_Vetting_BCP_2011-11.pdf
Train customer-facing staff in security awareness.
Customer-facing teams such as support, sales and marketing do not face the majority of daily challenges that are the norm for the abuse or security teams. Training provides these teams with knowledge of when to tell a customer or prospect that their practices do not abide by the terms and Acceptable Use Policy of the system they are on or where they are trying to provision an environment. Making efforts to target clients who will be a good fit for the hosting company is another way to preserve the safety of the hosting environment. Overall, a training program for customer-facing teams can reduce the number of problematic customers and provide them with advice about what to tell customers to fix when they encounter an issue.[3]
Prevent abuse at the network edge.
1. Consider hardware-based intrusion detection systems (IDS).
At the highest levels, M3AAWG recommends exploring Intrusion Detection Protection measures on networks. These systems help prepare for and deal with attacks.
2. Use software-based security scans and firewalls.
Automated and configurable web application security and penetration testing tools can be used to mimic real-world hacking techniques and attacks. This enables companies to analyze complex Web applications and services for security vulnerabilities. At a minimum, a hardware- or software-based firewall is required for every network. It is also common to protect individual networks and computers with additional software-layer firewalls.[4]
3. Promote the use of Web application firewalls.
Hosting providers should encourage use of Web application firewalls (WAF) such as ModSecurity for their hosted clients. Managed providers should also consider managing a core set of WAF rules on their client servers.[5]
4. Use tiered-rights allocation for valued customers.
Access to the provider’s network should be limited for new accounts. Seasoned, trusted accounts should be granted progressively wider access as their tenure and reputation within the system increases.
Reduced access restrictions can include, for example, limits to:
● API access
● server creation
● new domain creation
● bandwidth increases
These wider access privileges should not be granted to the majority of customers. They can be reserved for customers who:
● are proactive against any potential abuse
● have been hosted for an extended period of time (over 12 months)
● are responsive to your company’s requests
As with any privileges, these rights must be revoked in circumstances where customers previously in good standing commit multiple abuses or become non-responsive to company inquiries.
[3] See the M3AAWG Abuse Desk Common Practices document for more information: http://www.maawg.org/sites/maawg/files/news/MAAWG_Abuse_Desk_Common_Practices.pdf
[4] NIST Guidelines on Firewalls and Firewall Policy: http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
[5] ModSecurity is an open source, cross-platform WAF: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
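The tiered-rights allocation of item 4 above, written out as a small policy check a provisioning system could run; this is an added illustration, not code from M3AAWG or any provider. The four controlled resources and the 12-month tenure threshold come from the text; the numeric limits, the tier names and the 6-month "established" threshold are assumptions.

```python
from dataclasses import dataclass

# Privileges per tier. The controlled resources (API access, server creation,
# new domain creation, bandwidth) are the ones the document names; the numeric
# values and the intermediate "established" tier are assumptions for illustration.
TIER_LIMITS = {
    "new":         {"api_access": False, "max_servers": 1,  "max_new_domains": 2,  "bandwidth_gb": 100},
    "established": {"api_access": False, "max_servers": 5,  "max_new_domains": 10, "bandwidth_gb": 500},
    "trusted":     {"api_access": True,  "max_servers": 25, "max_new_domains": 50, "bandwidth_gb": 2000},
}

@dataclass
class Account:
    tenure_months: int     # how long the customer has been hosted
    abuse_incidents: int   # confirmed abuse complaints against this account
    responsive: bool       # answers the provider's inquiries
    proactive: bool        # acts against potential abuse on its own initiative

def account_tier(acct: Account) -> str:
    """Map an account to a rights tier.

    Revocation is checked first: multiple abuses or going non-responsive drops
    a customer back to the most restricted tier regardless of tenure. The
    12-month threshold for "trusted" is the one the document states; the
    6-month threshold for "established" is an assumption.
    """
    if acct.abuse_incidents >= 2 or not acct.responsive:
        return "new"
    if acct.tenure_months > 12 and acct.proactive:
        return "trusted"
    if acct.tenure_months >= 6:
        return "established"
    return "new"

def allowed_limits(acct: Account) -> dict:
    """Return a copy of the limits currently in force for this account."""
    return dict(TIER_LIMITS[account_tier(acct)])

def can_provision(acct: Account, resource: str, current_count: int) -> bool:
    """Enforcement point for a provisioning API: may this account create one
    more `resource` ("server" or "domain") given how many it already has?"""
    key = {"server": "max_servers", "domain": "max_new_domains"}[resource]
    return current_count < allowed_limits(acct)[key]
```

Because the tier is recomputed on every request, recording a second abuse incident or marking the account non-responsive revokes the wider limits immediately, without a separate downgrade step.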
5. Contract with customers to protect security.
Hosting providers must require their clients to maintain a secure environment on their network and within the services they offer and the resources they consume from the provider. These requirements must be communicated to the client prior to provisioning and must form part of the contractual obligations. Clients must have a contractual obligation to notify the provider of breaches and issues.