Hosting providers are increasingly asking Spamhaus how they can prevent so-called "fraudulent sign-ups" -- new customers whose only intention is to spam, host malware, host botnet controllers, or engage in other activities that are forbidden by the hosting provider's acceptable use policy (AUP). Such customers normally target cheap VPS and cloud hosting with automated sign-up procedures. These customers know that their accounts will be terminated swiftly when the host becomes aware of their activities, so they usually use stolen credit cards or compromised PayPal accounts to obtain service. This allows them to hide their real identities and avoid spending their own funds.
Spamhaus has received several independent reports from hosting providers that the volume of such fraudulent sign-ups has increased dramatically in the past few months. Some hosting providers report that 50% of all new subscriptions are fraudulent -- every second subscription. No hosting company is immune, neither small local operations nor large multinational hosting firms with data centers on several continents.
While Spamhaus' mission is to protect internet users and organizations from spam and other cyber-threats, we lack the resources and time to act as an abuse reporting service (FBL - Feedback Loop) or a consulting company. However, we would like to do what we can to help. This article provides some tips to help hosting providers prevent fraudulent sign-ups and increase the detection rate for such sign-ups. These tips are not a solution, but should help mitigate the damage and administrative costs caused by criminals.
Verify User Information
First, create and implement a verification mechanism for automated sign-ups. It should verify at least some personal information from new subscriptions. For example:
- Customer email address (by sending an email with a confirmation link)
- Customer phone number (for a mobile, by sending an SMS with a confirmation code, or for a land line, by making a verification phone call)

If you are unable to verify any of this information, place the account on hold until the customer contacts you and you can verify their identity by other means. If a criminal must provide an email address or telephone number that he answers, he must either risk identifying himself to you or move on to a less vigilant provider. You can also block subscriptions from customers who use phone numbers previously used in a fraudulent sign-up. While it is easy to compromise an email account, it is more difficult to compromise a phone number assigned to another person.
Blacklist Abusive Customers
Maintain a blacklist of the names, postal addresses, telephone and mobile numbers, and email addresses of customers who have violated your AUP, and check the blacklist for every subscription. Do not allow blacklisted customers or those using the same information to sign up for service with you again.
Include some or all of the following types of information on the blacklist:
- First name
- Last name
- Postal address
- Phone number
- Mobile number
- Email address
- PayPal, Webmoney, etc. payment service data
- IP address used to sign up
- Browser (User-Agent)

Blacklisted customers often try to sign up for service again under a new name and postal address, but frequently do not change the email address and often attempt to sign up from the same IP address. By using a blacklist, you can detect such sign-ups.
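The following is an added example, not code from the article or from Spamhaus, of how such a blacklist check can be applied to a new sign-up: fields are normalised first (email sub-address tags, Gmail dots, phone formatting) so that trivially varied re-registrations still match. The field weighting (one "strong" identity hit, or two "weak" hits, holds the subscription) and the sample record are constructed assumptions.

```python
"""Added example (not part of the article): match a new sign-up against a blacklist of past AUP violators.
Abusers re-register under a new name and address but often reuse the email, phone or sign-up IP, so fields are normalised before comparison.
Field weights and the sample record are constructed assumptions."""
import re
from typing import Dict, List

STRONG = ("email", "phone", "mobile", "payment_id")        # one hit is enough to hold
WEAK = ("ip", "user_agent", "last_name", "postal_address")  # need two hits

def norm_email(addr: str) -> str:
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]                 # drop "+tag" sub-addressing
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")             # Gmail ignores dots in the local part
    return f"{local}@{domain}"

def norm_phone(number: str) -> str:
    return re.sub(r"\D", "", number)               # digits only; no country-code handling

def normalise(rec: Dict[str, str]) -> Dict[str, str]:
    out = {}
    for key, val in rec.items():
        if not val:
            continue
        if key == "email":
            out[key] = norm_email(val)
        elif key in ("phone", "mobile"):
            out[key] = norm_phone(val)
        else:
            out[key] = " ".join(val.lower().split())   # case/whitespace-insensitive
    return out

def match_blacklist(signup: Dict[str, str], blacklist: List[Dict[str, str]]) -> List[str]:
    """Return reasons to hold the sign-up; an empty list means nothing matched."""
    s = normalise(signup)
    reasons = []
    for entry in blacklist:
        b = normalise(entry)
        strong = [f for f in STRONG if f in s and s[f] == b.get(f)]
        weak = [f for f in WEAK if f in s and s[f] == b.get(f)]
        if strong or len(weak) >= 2:
            reasons.append(f"{entry['id']}: {', '.join(strong + weak)}")
    return reasons

# Constructed sample record: documentation IP range, fake contact data.
BLACKLIST = [{"id": "BL-1", "first_name": "John", "last_name": "Doe",
              "email": "J.Doe+vps@gmail.com", "mobile": "+1 (555) 010-0100",
              "ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}]
```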
Have a strong Acceptable Use Policy (AUP) or Terms of Service (ToS)
A key point in fighting abuse and fraudulent customers on your network is to implement a strong Acceptable Use Policy, also known as Terms of Service. If you are in the hosting business, it is vital to have an AUP. Without one, you leave yourself open to legal threats when you terminate services to abusive customers or refuse to allow a previously terminated customer to sign up again. Spammers specifically seek out hosts with weak AUPs, or hosts who are known to be lax on spam/security issues. Lack of an effective AUP permits them to abuse your network and then threaten to sue when you terminate their service.
Several hosts have excellent AUPs which, among other measures, allow the ISP to terminate a customer account upon receiving an SBL notification from Spamhaus. In addition, hosts that state clearly on their corporate web sites that they will fully cooperate with law enforcement and private anti-spam and security companies such as Spamhaus when their AUP is violated, discourage abusers from signing up in the first place.
To help hosts revise or implement their AUPs, Spamhaus has set up a small tool:
AUP Document Builder
You can use this tool to create or revise an AUP for your company.
Active Netflow / Traffic Monitoring
We have seen some cases where it is nearly impossible to determine that a customer is fraudulent when they sign up. In such cases, you may be able to detect the abuse after they sign up but before you get feedback reports from third parties such as Spamcop, Spamhaus or other security firms. You do this by actively monitoring network traffic for patterns that do not normally occur with legitimate use, but often occur when a user is spamming, hosting malware, or running a botnet from your network.
For example, spammers and malware hosts frequently use a VPN to forward traffic from their permanent, back-end locations on your server to botnet or snowshoe spam cannons or web proxies on a compromised server. They use stolen personal data obtained from an infected computer, or even the computer itself, to sign up. As soon as Spamhaus detects and reports abuse, the host terminates the account, but the spammer just signs up again using a different (stolen) identity. Often there is one constant amidst the changed identities: the VPN end node (back-end)! A host that monitors network traffic for connections to known blackhat VPN nodes can detect abusers quickly and prevent them from profiting from their abuse.
Customer IP address verification
When a new customer signs up, you should check the IP address that they use against a number of blocklists, and either not accept or not activate any subscription that originates from an IP address that is listed on the Spamhaus SBL or XBL.
Spamhaus SBL: http://www.spamhaus.org/sbl/
Spamhaus XBL: http://www.spamhaus.org/xbl/
In addition, do not accept any subscriptions from Tor nodes. There are several Tor-DNSBL services that you can query before accepting a subscription.
The benefit of these DNSBL checks (SBL/XBL/Tor) is that they are fast and can be done automatically.
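As an added example (not code from the article or from Spamhaus), here is the DNSBL check described above for a sign-up IP. It builds the reversed-octet query name for the SBL and XBL zones, interprets the documented 127.0.0.x return codes, and treats a 127.255.255.x error answer as "check failed" rather than "clean". The resolver is injectable so the policy can be exercised offline; a Tor DNSBL zone could be added to ZONES in the same way (an assumption about that service's zone naming).

```python
"""Added example: check a sign-up IP against the Spamhaus SBL and XBL DNSBL zones.

A DNSBL query reverses the IPv4 octets and resolves <reversed>.<zone>: NXDOMAIN
means not listed, an A record in 127.0.0.0/24 is a listing whose last octet says
which list matched, and 127.255.255.x signals a query error (Spamhaus docs).
The resolver is injectable so the policy can be exercised offline."""
import ipaddress
import socket
from typing import Callable, Dict, List

ZONES = {"SBL": "sbl.spamhaus.org", "XBL": "xbl.spamhaus.org"}  # zones from the article
RETURN_CODES = {"127.0.0.2": "SBL listing", "127.0.0.3": "SBL CSS listing",
                "127.0.0.4": "XBL listing"}
Resolver = Callable[[str], List[str]]

def query_name(ip: str, zone: str) -> str:
    """203.0.113.9 + sbl.spamhaus.org -> 9.113.0.203.sbl.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # ValueError on junk or IPv6
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name: str) -> List[str]:
    """A records via the OS resolver; NXDOMAIN comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_signup_ip(ip: str, resolve: Resolver = system_resolver) -> Dict[str, object]:
    hits: List[str] = []
    errors: List[str] = []
    for label, zone in ZONES.items():
        for answer in resolve(query_name(ip, zone)):
            if answer.startswith("127.255.255."):
                errors.append(f"{label}: query error {answer}")   # never treat as clean
            elif answer.startswith("127.0.0."):
                hits.append(RETURN_CODES.get(answer, f"{label} listed, code {answer}"))
    return {"listed": bool(hits), "hits": hits, "errors": errors}

def accept_signup(ip: str, resolve: Resolver = system_resolver) -> bool:
    """Article policy: reject SBL/XBL-listed IPs; on lookup errors hold rather than accept."""
    result = check_signup_ip(ip, resolve)
    return not result["listed"] and not result["errors"]
```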
Use Spamhaus DROP/EDROP to filter bad traffic
A significant number of malware hosting sites and botnet control sites are in fact proxy nodes, forwarding traffic to a back-end server. These back-end servers are often hosted on rogue networks that are already listed on one of the Spamhaus Don't Route Or Peer Lists (DROP/EDROP). You can prevent these criminals from abusing your network by implementing DROP and EDROP on your network routers, and then denying all traffic from or to those listed IP addresses. The text-version of these lists is available free-of-charge. Spamhaus also offers a BGP feed (BGPf) for an annual fee.
Spamhaus DROP list: http://www.spamhaus.org/drop/drop.txt
Spamhaus EDROP list: http://www.spamhaus.org/drop/edrop.txt
Spamhaus DROP/EDROP listing policy: http://www.spamhaus.org/drop
Spamhaus BGP feed (BGPf): http://www.spamhaus.org/bgpf
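An added example (not code from the article or from Spamhaus) of turning the text-format DROP/EDROP lists into firewall rules on a Linux router: it parses the "CIDR ; SBLnnn" line format, skips comment and malformed lines, merges adjacent prefixes, and emits nftables commands that drop traffic from or to the listed networks in both directions. The sample list below is constructed from RFC 5737 documentation prefixes with placeholder SBL ids; it is not content of the live lists.

```python
"""Added example: turn the Spamhaus DROP/EDROP text lists into nftables rules.

List format: one "CIDR ; SBLnnn" per line, ';' starts a comment. The sample below
is constructed from RFC 5737 documentation prefixes with placeholder SBL ids; it is
not content of the live lists, which you would fetch from the drop.txt/edrop.txt URLs."""
import ipaddress
from typing import List

SAMPLE_DROP_TXT = """\
; Spamhaus DROP List -- constructed sample, not the live list
; Last-Modified: (placeholder)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
not-a-network ; SBL000003
"""

def parse_drop(text: str) -> List[ipaddress.IPv4Network]:
    """Parse DROP/EDROP text; comment, blank and malformed lines are skipped."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()     # everything after ';' is a comment
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError:
            continue                              # one bad line must not break the feed
    return list(ipaddress.collapse_addresses(nets))  # merge adjacent/overlapping prefixes

def is_dropped(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)

def nft_commands(nets: List[ipaddress.IPv4Network], set_name: str = "spamhaus_drop") -> List[str]:
    """Commands that block traffic from or to the listed prefixes on the forward
    chain (the router case from the article). Quote the brace expressions when
    you pass these to a shell."""
    elems = ", ".join(str(n) for n in nets)
    return [
        "nft add table inet filter",
        "nft add chain inet filter forward { type filter hook forward priority 0; }",
        f"nft add set inet filter {set_name} {{ type ipv4_addr; flags interval; }}",
        f"nft add element inet filter {set_name} {{ {elems} }}",
        f"nft add rule inet filter forward ip saddr @{set_name} drop",
        f"nft add rule inet filter forward ip daddr @{set_name} drop",
    ]
```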
Geo-specific customer handling
Frequently, small or medium-sized hosting providers accept business from foreign customers without any limitation. Such providers are likely to be overwhelmed with fraudulent sign-ups, especially when they open for business or add a new VPS or cloud service. Criminals want to test how good or bad your abuse handling is. So -- before you start accepting business from foreign customers -- please be sure that you have sufficient abuse expertise and resources to deal with the increase in fraudulent sign-ups. If you deal with the initial spate of sign-ups quickly and effectively, before long the criminals will give up on you and move to a less prepared and knowledgeable service provider.
While many companies offer hosting with monthly billing, you might want to require foreign customers, especially customers from countries with high rates of online fraud and abuse, to sign up and pay for at least six months of service. If you also require a payment method that is not easily reversible for the first payment (such as wired funds or a cleared check), cybercriminals will usually avoid you. They do not want to pay for six months of service when they know that you will terminate their accounts as soon as you realize what they are doing.
In extreme cases, you might also demand a scanned copy of a customer's passport. Several ISPs are requiring that for a few countries that have extremely high rates of fraud and abuse. However, be aware that some cybercriminals actually use stolen and forged documents to circumvent such security checks.
Abuse Desk Response Time
While one part of a host's responsibility is to keep cybercriminals away, the second part is to react quickly to abuse that gets past preventive measures. An understaffed and overwhelmed abuse desk will make your service attractive to cybercriminals. Hosts should null-route a customer's IP address upon a credible report of spam, malware hosting, or botnet activity until they can contact the customer and find out what happened. In cases of fraudulent sign-up, the customer usually will not respond to emails or return phone calls.
If you make sure that your AUP or ToS allows you to suspend a user's access and null-route traffic upon credible reports of abuse, you will not risk legal action because you shut down an abuser. Simply state in your AUP/ToS that you reserve the right to null-route the customer's IP address if you get credible abuse reports (e.g. botnet hosting, spammer sites, malware DNS, etc.).
Outsourcing fraud checks
Some hosts do not have the time or resources to implement anti-fraud checks into their systems. There are companies that offer services that are specifically aimed towards these hosts. Spamhaus cannot endorse a specific service, but we strongly recommend using these if you're overwhelmed by criminals seeking hosting on your network.
While it takes effort to keep cybercriminals away from your network, it takes even more effort to deal with the effects when you ignore abuse and abusers then flock to your network. It requires considerably more resources (human and financial) to stop abuse on a network after having ignored abuse issues. It will also cost more, partly because the "business" that abusers bring to your network is short-lived and they usually pay by using stolen credit cards or other fraudulent means, and partly because cleaning up a poor reputation takes time during which legitimate paying customers may avoid your network. To avoid this situation, you must find a good balance between abuse prevention and abuse handling.