
M3AAWG Releases Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers

Jointly published by the Internet Infrastructure Coalition (i2C) and the Messaging, Malware and Mobile Anti-Abuse Working Group, the new document outlines proven activities that can help Web hosting services improve their operations and better protect end-users.

The new best practices describe how to identify customers that are spammers or criminals, policies to prevent abuse, and processes to remediate known threats for the hosting, DNS and domain registration provider communities. These recommendations are intended to help hosting companies establish a stable operating environment and minimize additional customer support costs resulting from network operators frequently blocking the service for abusive activities, according to Michael Adkins, M3AAWG Chairman of the Board.


Share your comments

regarding outbound spam control Carl Byington  –  Mar 30, 2015 2:47 PM PST

Although section 5.4 "Set up internal telemetry..." might imply this as part of traffic analysis, I propose:

Track counts of tcp syn packets sent to port 25 to ip addresses outside your network, summarized by customer. Maintain appropriate per customer thresholds. If the customer exceeds their (5 minute, hourly, daily, whatever) limit, block all subsequent outbound mail from their accounts.

There are two very different methods available to spammers. One is to attempt to stay under the radar by sending spam slowly. This generally requires a lot of ip address space. The other method that I see more frequently lately is where the spammer knows their ip address space and/or domain names will be blocked soon, so they hammer out as much as they can for relatively short periods - less than two hours.

If we can see hundreds of spam attempts in an hour on a trivially small mail server, they are sending a LOT of tcp syn packets. Those bursts should be able to get them automatically firewalled by their provider within minutes.
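
The per-customer SYN counting proposed in the comment above, as an added example that is not part of the original comment or of the M3AAWG document. The addresses, customer names, thresholds and packet-record fields are constructed assumptions; a provider would feed the same logic from flow export or firewall counters.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample data: provider address space and IP-to-customer map.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
CUSTOMER_BY_IP = {"198.51.100.10": "cust-a", "198.51.100.20": "cust-b"}
# (window seconds, max SYNs): 5 minute, hourly, daily. Values are illustrative.
DEFAULT_LIMITS = [(300, 50), (3600, 200), (86400, 1000)]
LIMITS = {"cust-b": [(300, 500), (3600, 5000), (86400, 50000)]}  # legitimate bulk sender

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PROVIDER_NETS)

class SynMonitor:
    def __init__(self):
        self.syns = defaultdict(deque)  # customer -> timestamps of counted SYNs
        self.blocked = {}               # customer -> (time, window, count) at block

    def observe(self, ts, src, dst, dport, syn_only):
        """Count one packet record; return the customer name if it trips a limit."""
        cust = CUSTOMER_BY_IP.get(src)
        if cust is None or cust in self.blocked:
            return None
        if dport != 25 or not syn_only or not is_external(dst):
            return None  # only new outbound SMTP connections leaving the network
        q = self.syns[cust]
        q.append(ts)
        limits = LIMITS.get(cust, DEFAULT_LIMITS)
        horizon = ts - max(w for w, _ in limits)
        while q[0] <= horizon:
            q.popleft()  # forget SYNs older than the longest window
        for window, limit in limits:
            count = sum(1 for t in q if t > ts - window)
            if count > limit:
                self.blocked[cust] = (ts, window, count)
                return cust  # caller would now firewall this customer's port 25
        return None

def run_sample():
    """Replay constructed records: cust-a bursts, cust-b stays within its limit."""
    mon = SynMonitor()
    for i in range(120):
        ext = f"203.0.113.{i % 200 + 1}"
        mon.observe(i, "198.51.100.10", ext, 25, True)             # burst, 1 SYN/s
        mon.observe(i, "198.51.100.20", ext, 25, True)             # same rate, higher limit
        mon.observe(i, "198.51.100.10", "198.51.100.5", 25, True)  # internal, ignored
        mon.observe(i, "198.51.100.10", ext, 443, True)            # not SMTP, ignored
    return mon
```

In the sample replay the default 5-minute limit blocks cust-a on its 51st external SYN, under a minute into the burst, while cust-b sends at the same rate without tripping its higher per-customer threshold.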
