Recently in abuse Category

So I had an incident the other day that highlighted a problem prgmr.com has. See, my standard pricing is $1/month for every 64MiB of RAM and 1.5GiB of disk, plus a proportional share of CPU, plus another $4/month for abuse and support costs.

Now, the first problem here is that the small customers are usually okay with $4/month worth of support. I mean, they aren't paying me much. Larger customers, on the other hand, believe they are entitled to better support because they are paying more. There is a disconnect there, as from my point of view, they are paying the same $4/month. (For me, small customers who don't need help are by far the most profitable customer demographic.)

The second problem is that the support you get for $4/month is not very good. I have skimped on coverage rather than skimping on technical skill, but either way, my support sucks. You often have to wait a while to get an answer, which is bad.

Now, a big part of that is that sometimes it is a skilled job to figure out if the problem is mine (prgmr.com hardware or network) or yours, so having some unskilled worker online 24/7 won't really help us any more than an autoresponder would.

However, having crappy support means my service is significantly less useful. As I grow larger, coverage will improve; I mean, as it stands I probably get fewer than 10 tickets on a day with no new signups, so it's hard to justify hiring more people.

So, yeah: the incident was that some guy was disconnected because he was attacking other hosts. Now, almost always this just means the guy was compromised and is now part of a botnet.

So we emailed the guy and shut him down. The thing was, his email was on the VPS, so he never got that.

Now, in this case, the guy was past due. "The check is in the mail," so I'm less sympathetic. Often, we email and then shut down 12 hours or so later. (This is a very 'soft' policy... it all depends on how 'legitimate' the customer looks. If you have an account name of 'bestwatches', well, we tend to shoot first and ask questions later. God, I hate watch spam. This customer got sorted into the 'shoot first' pile, I believe, because he was past due, though there was an account note that said the check was in the mail, so maybe that was a mistake.)

This is, I think, a reasonable abuse setup for $4/month. Note that I've never shut someone down over a mistaken abuse report (I've forwarded a few to customers... that was embarrassing).

However, this clearly damages the value I provide to businesses.

Now, the first thing I need to fix is the email notification. Emailing a dude when I'm taking down his mail server is just stupid. I think I need to start calling people when I shut things down.

Good god I hate the phone. And I think Nick hates it even more, and I don't really feel good about making employees talk to irate customers, so I'd be making the calls. But we're talking maybe one or two of these things a week at a thousand customers, so it's not that big of a deal for me to do it myself.

Next: right now, the policy is to boot 'em into single-user mode; I think we should leave them with a fresh image and their old image mounted read-only. Otherwise, they are much less likely to actually fix the problem. (You always format and reinstall after a compromise.) Of course, this might piss off some customers even more. So many people think they can run a 'virus scan' and be okay again.

That's still a pretty poor way to treat hacked customers. "Sorry dude, you got hacked. Here, I finished the job. Go now and rebuild from scratch." But anything else (well, besides booting 'em into single-user mode and letting them deal with it, which just pushes the cost on to the customer) would be super expensive.

As I grow, support coverage will improve. I'll eventually get a support person from somewhere else who can look at tickets during the pre-noon hours when Nick and I are not available.

I'm especially looking for feedback on how to handle compromised domains. The more I think about it, the more I like the idea of giving the customer a completely fresh install with the old image mounted read-only for a certain number of days so they can retrieve any data that isn't backed up.

New rdns policy

So, having rDNS point back to me makes handling abuse reports much easier (that is, it makes it much more likely that I will get the complaint rather than my upstream), so I am going to require you to stay on a .xen.prgmr.com rDNS name until you have been a paying customer for 3 months.

Like everything, exceptions can be made, but if I don't know you, it's three months (or you can pay up front for three months, with the understanding that you won't get it back if I shut you down for AUP violations).

The prgmr.com AUP:
http://prgmr.com/aup.html

Pretty standard, except for the bit where I prohibit all bulk mail without my approval.
I'm not interested in hosting even most double-opt-in lists; most of the larger lists, even if they are legitimately double-opt-in, generate more complaints than I am willing to deal with at these prices. If you are a legitimate mail sender, I would suggest you start with http://isipp.com

Snort IDS installed.

One way to make your network unattractive to spammers is to make setting up new accounts more expensive for the abuser, either through collecting AUP violation fees or through high setup fees. Of course, this is difficult with the real black hats, as they usually pay with fraudulently obtained credit cards. It works okay for the 'grey' spammers: those who mail people who 'opted in' when they bought something and now get tangentially related offers.

Another way to do it is to be more proactive about disconnecting abusive customers. See, most of the time one can expect 4-24 hours between when the abuse is reported and when the provider does something about it, and in my experience it takes quite a lot of abuse to get a complaint; sometimes the abuse has been going on for a week or more before it hits someone with the spare time and the knowledge to complain.

So my thought is this: why not run an IDS, but instead of alerting on the constant stream of abuse coming in from the Internet, alert on abuse going out from your customers? You could even then automatically kill the ports belonging to obviously compromised or abusive hosts.

So that's what I did tonight. I set up a VPS on my new server, set my bridge to not remember MAC addresses (that is, I turned it into a hub, so the IDS VPS sees every frame crossing the bridge), and installed Snort on that VPS. Right now, it's pretty much just using the default rules and scanning all traffic, incoming and outgoing. Next, I need to set up some good e-mail rules (I want to allow people to run secondary MX servers, but I want to prohibit mailing lists beyond a certain size without my prior approval... I've not quite figured out how to do that.)

I figure if I'm going to be watching you, I should give you something back, so I have decided to give you access to see the Snort alerts about people from the Internet trying to attack you. If you are on lion and interested, let me know via email.

I've got a shell script parsing the output and putting it in a file for each user to watch, if they like. If it encounters an attack coming from one of my IP addresses (that is, from a customer VPS rather than from the Internet), it e-mails me, meaning a worst-case response of around 8 hours. That's not a great response time if you count from when someone files an abuse report, but if you count from when the abuse starts (and that is what is happening here) 8 hours isn't bad at all.
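The post describes the parsing script only in outline. The following is an added example of that triage logic, not prgmr.com's own script: it parses Snort's one-line "fast" alert format, splits alerts into inbound (shown to the customer whose address was targeted) and outbound (the ones that should page the admin, and that a threshold could turn into an automatic disconnect). The customer netblock 203.0.113.0/24, the signature IDs and the sample alert lines are all constructed for the example; only the line format is Snort's.

```python
"""Triage Snort 'fast' alerts by direction relative to a customer netblock.

Added illustration of the approach described in the post; not prgmr.com's
script. Assumes customer VPSes live in one known netblock (hypothetical
203.0.113.0/24) and that Snort was run with -A fast (one alert per line).
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical address space assigned to customer VPSes (assumption).
CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")

# Snort alert_fast line: timestamp [**] [gid:sid:rev] message [**]
# [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification, priority and ports are optional (ICMP has no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d


def classify(alert, net=CUSTOMER_NET):
    """'inbound' = Internet -> customer, 'outbound' = customer -> Internet,
    'internal' = customer -> customer, 'transit' = neither side is ours."""
    src_in, dst_in = alert["src"] in net, alert["dst"] in net
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "transit"


def triage(lines, net=CUSTOMER_NET):
    """Split alerts into what each customer may see and what the admin must see.

    per_customer: target IP -> messages of attacks aimed at that VPS.
    outbound:     source IP -> messages of attacks launched from that VPS.
    An internal (customer -> customer) alert lands in both.
    """
    per_customer, outbound = defaultdict(list), defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        kind = classify(a, net)
        if kind in ("inbound", "internal"):
            per_customer[str(a["dst"])].append(a["msg"])
        if kind in ("outbound", "internal"):
            outbound[str(a["src"])].append(a["msg"])
    return dict(per_customer), dict(outbound)


def offenders(outbound, threshold=2):
    """Customer IPs with at least `threshold` outbound alerts: candidates for
    an automatic port kill rather than just an e-mail to the admin."""
    return sorted(ip for ip, msgs in outbound.items() if len(msgs) >= threshold)


# Constructed sample alerts in Snort's fast format (sig IDs are made up).
SAMPLE_ALERTS = [
    "04/12-03:14:15.123456  [**] [1:1000001:1] TEST SSH brute force [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 198.51.100.7:51234 -> 203.0.113.10:22",
    "04/12-03:14:16.000001  [**] [1:1000002:1] TEST SMB SYN scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 203.0.113.42:4000 -> 192.0.2.9:445",
    "04/12-03:14:17.000002  [**] [1:1000002:1] TEST SMB SYN scan [**] "
    "[Priority: 2] {TCP} 203.0.113.42:4001 -> 192.0.2.10:445",
    "04/12-03:14:18.000003  [**] [1:1000003:1] TEST ICMP sweep [**] "
    "{ICMP} 192.0.2.50 -> 203.0.113.10",
    "not an alert line; snort sometimes emits other output",
]

if __name__ == "__main__":
    per_customer, outbound = triage(SAMPLE_ALERTS)
    for ip, msgs in per_customer.items():
        print(f"{ip}: {len(msgs)} inbound alert(s) to show the customer")
    for ip in offenders(outbound):
        print(f"{ip}: {len(outbound[ip])} outbound alert(s); mail admin / kill port")
```

In production the inbound lists would be appended to a per-customer file and the outbound ones would trigger the e-mail (or port kill); the direction test is the whole point, since the default rule set fires far more on inbound noise than on the handful of outbound events that actually matter to an abuse desk.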

bulk e-mail

So today I got an automated abuse report (incidentally from http://junkemailfilter.com; they seem to be up on things. Marc Perkel answered my questions right quick, and the automated message was clear and had all the info I needed to track down the problem). It turns out a free-trial customer (who is no longer a customer) had a business of mailing 'opt-in' lists. He even provided documentation of the sign-up (but the message looked a lot like spam to me, and it was blocked not because the receiver complained, but because it contained a link to a site that is blacklisted). Because he had documentation of the double opt-in, I'm not taking action against this customer, aside from terminating my business relationship with them, but I am changing the prgmr.com AUP to disallow all bulk mail (you can ask me for an exception if you want to run a mailing list).

About this Archive

This page is an archive of recent entries in the abuse category.


April 2010: Monthly Archives