San Francisco, March 17, 2015 – Spamvertising, malware and other online threats could be significantly reduced by hosting companies following the necessary hygiene and security processes outlined in the new M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers released today. Jointly published by the Internet Infrastructure Coalition (i2C) and the Messaging, Malware and Mobile Anti-Abuse Working Group, the new document outlines proven activities that can help Web hosting services improve their operations and better protect end-users.
The new best practices describe how to identify customers that are spammers or criminals, policies to prevent abuse, and processes to remediate known threats for the hosting, DNS and domain registration provider communities. Implementing these recommendations can help hosting companies establish a stable operating environment and minimize additional customer support costs resulting from network operators frequently blocking the service for abusive activities, according to Michael Adkins, M3AAWG Chairman of the Board.
“We took on this work at M3AAWG because of the pivotal role hosting companies play in the ecosystem. The same services that maintain domains and websites for legitimate customers are also needed by spammers, phishers and other miscreants to carry out their clandestine activities that defraud end-users, clog inboxes with junk mail or steal personal identity information. These best practices detail the current policies and technologies used by successful hosting and cloud service providers to weed out criminals and fix other common problems caused by well-intentioned but problematic customers that pose a threat to end users everywhere,” Adkins said.
The M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers are intended for the technical staff at both large organizations and smaller start-up hosting companies. The document was developed by industry professionals who face these challenges every day and outlines reasonable steps that can be integrated into a company’s basic operations and policies, as explained in the video Improving Your Business with the M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers at www.youtube.com/maawg.
Christian Dawson, i2C chairman and co-founder, said, “As a group constructed of the organizations that build the Internet infrastructure, including the Web hosting services, we have the honor and responsibility to work together to make the Internet a safer place. We are thrilled to collaborate with M3AAWG on this important best practices initiative and focus on implementation within this community.”
Hosting Practices to Improve Business and Protect End-Users
The new best practices address both preventing abuse and what to do when a rogue customer is identified on the network. For example, because Web hosting services often suffer from the negligent actions of their customers, the document recommends instituting effective vetting processes to verify the legitimacy of new clients before allowing them on the network. It also advises that the company’s Terms and Conditions should require customers to keep current on all software updates, as older versions can be susceptible to malware attacks.
Among other recommended best practices, hosting companies should consider hardware-based intrusion detection systems (IDS) that help prepare for and deal with an attack, use software-based security scans and firewalls, and implement internal network telemetry reporting. Feedback loops from network operators providing the hosting company with reports on abusive email sent from their servers can also help identify potential problems. When a problem is found, the best practices outline processes for remediating a compromise, including when to suspend service or terminate a customer.
The M3AAWG Hosting Special Interest Group was formed last year to develop these best practices, as explained in the video How the M3AAWG Hosting SIG Can Help You; Fighting Spam, Phishing, Malware and Emerging Threats. The SIG is continuing in its efforts to promote industry collaboration and develop the necessary processes to identify illegitimate hosting customers and respond to emerging issues.
Adkins said, “We are partnering with i2C on these best practices because they are aggressively working to address emerging anti-abuse issues in the cloud service provider area and to help these services improve their business model by reducing risk from abusive customers. Their support for this document reflects the hosting industry’s commitment to safe practices and to their role as reliable partners in the Internet ecosystem.”
The M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers (https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Hosting_Abuse_BCPs-2015-03.pdf) is available on both the M3AAWG website at www.m3aawg.org under Best Practices and from the i2C website at http://www.i2coalition.com/wp-content/uploads/2015/03/M3AAWG_Hosting_Abuse_BCPs-2015-031.pdf.
About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.M3AAWG.org) represents more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.
# # #
Media Contact: Linda Marcus, APR, +1-714-974-6356 (U.S. Pacific), LMarcus@astra.cc, Astra Communications
M3AAWG Board of Directors and Sponsors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); Constant Contact (NASDAQ: CTCT); Cox Communications; Damballa, Inc.; Facebook; Google; LinkedIn; Listrak; Mailchimp; Message Systems; Orange (NYSE and Euronext: ORA); PayPal; Return Path; Time Warner Cable; Verizon Communications; and Yahoo! Inc.
M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; iContact/Vocus; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Level 3; Litmus; McAfee Inc.; Microsoft Corp.; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; Proofpoint; Spamhaus; Sprint; Symantec; and Twitter.
A complete member list is available at http://www.m3aawg.org/about/roster.