Back in February 2012, we blogged about the fraudulent sign-up problem at IaaS providers. Today, Spamhaus posted a lengthy, extremely helpful guide for IaaS providers (they call them hosting providers) discussing how they can best avoid taking on new customers who will abuse their services.
Fraudulent sign-ups are a major problem for web hosting providers - particularly for providers offering Virtual Private Servers (VPS's) and other flexible hosting options. Spammers take advantage of these services to set up spamming operations and trade on the good name and IP reputation of the provider.
Spamhaus recommends several steps that hosting companies can take to prevent fraudulent sign-ups. I'll summarize their recommendations, and add some of my own:
- Verify User Information - Confirm the user's identity via SMS, a callback, or some other "out of band" method. This helps to filter out some of the automated methods spammers use to create large numbers of accounts with fictitious identities.
- Blacklist Abusive Customers - When customers mis-behave, add their details to a blacklist. Consult this blacklist whenever someone tries to sign up for a new account, and prevent the same blacklisted person from signing up again.
- Have a Strong Acceptable Use Policy (AUP) - Make sure you have the legal backing to terminate bad customers by having a strong AUP. Spamhaus even offers a point-and-click "AUP generator"
- Monitor Traffic - Actively monitor traffic entering and leaving your network. Sign up for "feedback loops" (Wikipedia reference) to get notifications when email recipients complain about your customers' email traffic. Implement an outbound email filter.
- Verify Customer IP Addresses - When a new user signs up, check whether their IP address is registered on a blacklist. Don't permit sign-ups that come via the Tor network.
- Have a Responsive Abuse Desk - Fraudsters look for hosting services with lax abuse policies and enforcement. Don't be one of those companies. Have a well funded abuse desk, with good response times, and fraudsters will put the word out that your service is a bad place to steal business.