Request for comments on new best practices

We announced a while back that we were increasing our focus on web hosting providers with an eye to addressing some of the inconsistency within the industry about how to respond to malware reports. For the last several months, we’ve been plugging away at putting together a set of best practices for hosting providers to follow when malware is reported on their networks. We received fantastic insight from our distinguished Web Hosting Working Group and had quite a few spirited and highly productive discussions. After listening to concerns and pondering practicalities, we have a working draft of our document available for review. You can read the full draft of StopBadware's Best Practices for Web Hosting Providers: Responding to Malware Reports here in doc and pdf format.

This draft is the first public iteration of the Practices; it’s not meant to be set in stone. As ever, the thoughts and concerns of our community are of paramount importance to us: it’s our intent to clarify expectations and elevate standards within the hosting industry so as to better protect and empower users. Thus, we gladly welcome thoughtful critique of the Practices in the comments below or via e-mail: contact <at> stopbadware <dot> org.

We’ll accept comments until January 31, 2011. Further draft(s) will also be available for public review as the Practices evolve and near completion. If you’re interested in being kept up to date on our activities with regard to web hosting and other network providers, you can subscribe to our mailing list here.


5 Responses to Request for comments on new best practices

  1. Jim Walker says:

    Hi folks,
    Looks like a great start in discussing the matter frankly and openly.

    Since most hosts do not have the expertise to handle malware reports, and because so many web hosts charge so little for hosting, it seems unlikely that most hosts will pay more than lip service to assisting their clients for free in the ways your best practices document describes.

    After all, if you charge $60 a year for hosting, are you as a host going to hire more technical staff just to help clients fix their hacked website issues… which in my experience requires dedicating a level 2/3 tech from 1 – 3 hours to resolve (about $100-200 in labor costs)?

    That said, it’s a matter of pride that we go the extra mile to help clients whose sites are exploited and always resolve these matters same day. We’ve been following the same standards described in your report for over a decade; they work and result in happier customers in the longer term. It’s just good business in the long term to help your clients succeed IMHO.

    I can’t see a single line in your report I don’t agree with. Nice work!

    Best Wishes,
    Jim Walker
    TVCNet.com

  2. Mike says:

    Hello!
    Overall your best practices is really good. But more attention should be given to taking action now, and not tiptoeing around about it.
    Having dealt with hundreds of hosts all over the globe concerning hacking and spamming, there are a couple items I disagree with.

    “A provider need not take further action if the report does not apply to its Zone of Control.”

    This is true, as they have no control, but the provider should let the reporter know that it is not within their Zone of Control. Most will just ignore the report and never respond to the reporter.

    “whether the report corroborates other reports the provider has received.”

    They should NEVER wait for other reports. The longer a provider waits the more malware is spread. THIS is a problem with a LOT of hosts. They just sit there until they have hundreds of complaints before they decide there “might” be a problem. I’ve watched infected sites go uncorrected for months because the host only received a “few” complaints and “did not warrant their attention at this time”.

    “Reporting the issue to the downstream provider or site owner”

    Yes…let them know and shut down the site/server to stop the further spread. (see Best Practice 4) Too many providers will just forward the report and forget about it. They should always take some action to stop the malware.

    “the risk of negatively affecting legitimate site content and traffic, balanced with the risk of propagating further malware infection”

    I don’t care if it’s Google, stop the spread ASAP. (see Best Practice 4)
    Hosts/providers do not, by a long shot, understand the importance of stopping the spread of malware. But they would if they ended up living in a homeless shelter because they visited a malicious site that stole their identity.
    It’s not that the hosts don’t have the expertise to do anything, it’s that they don’t know what to look for. I don’t know how many times I’ve had to give a hacking 101 class to a tech support person.
    That’s my nickel’s worth! (inflation you know)
    Keep up the Great Work!!!

  3. Maxim Weinstein says:

    Thanks for the great comments, Jim & Mike! We appreciate the input.

  4. Derek Smythe says:

    “2. Evaluate reports in a timely fashion.”
    and

    “3. Report issues to affected downstream providers or site owners in a timely manner.”

    While the meaning of these titles should be clear, I believe guidance should be given as to the phrase timely in the scope of malware as well. Currently some providers deem 6 weeks as timely to action malware issues, then give the downstream 2 weeks to resolve such an issue.

    Thank you to you all for your hard work.

  5. Job says:

    There are many hosters like mediaon.org that care for nothing. If you go to some sites there (warez and porn, some camgirl pages, some advertising pages, wikileaks mirrors) via Google, you get the warning. Many sites there are also advertised by spam, so that's the job to keep these hosting companies out of the business. The tech support person there won't even answer. Because their business is to host stuff like that and that's where the money comes from for them. Also many things are legal in Turkey.