Fighting Spam from LET users. Is it worth it?

Jonchun Member
edited December 2014 in General

Hey everyone! This is Jonathan from SharkNode and I'm relatively new here to LET, so you may have seen me around, but if you haven't, it's nice to meet you!

I was just wondering (this question is for both hosting providers and customers) what and how you combat spam from LET. Ever since I joined this forum and started some promotional offers, the number of spammers and fraud orders has nearly tripled and I'm considering giving up the low end market at this point.

1) Would customers care if SMTP is disabled by default and requires manual verification of ID and a deposit to enable?
2) Are there any other automated systems to help fight spam? Currently SharkNode uses nodewatch for OpenVZ and manual monitoring for our Xen nodes.
3) Any thoughts from the older, more known providers here on LET will be great. Thanks!

Regards,
Jonathan


Comments

  • Hey Jon, have you tried FraudRecord with MaxMind?

    I have heard people really like the FraudRecord and MaxMind combo.
    They both have WHMCS plugins for you to use.

    We are gonna include FraudRecord also; currently we are using MaxMind.

    Hope this helps.

  • 1) Would customers care if SMTP is disabled by default and requires manual verification of ID and a deposit to enable?

    I doubt a lot of customers set up an email server - if they happen to truly need it then they could always request it, right? Just be clear about SMTP being blocked by default on signup.

    About the high fraud and spam ratios from LET... I am not a hosting provider, but personally I think it is mainly because of the low pricing - you could try to set up more restrictions on the low-end packages to cut down the abuse; customers would need to buy a higher package to unlock the restrictions or pay an extra fee.

  • I don't think anyone would care if tcp/25 is blocked by default, as long as they can get it opened via a ticket. When I rented a dedicated server from Dacentec they had port 25 blocked too. They opened it right up once I inquired about it.

  • @The_creator said:
    Hey Jon, have you tried FraudRecord with MaxMind?

    I have heard people really like the FraudRecord and MaxMind combo.
    They both have WHMCS plugins for you to use.

    We are gonna include FraudRecord also; currently we are using MaxMind.

    Hope this helps.

    Thanks for the recommendation. I use a similar combination but FraudRecord has been hit or miss for me. I still do some screening and it's saved me some trouble before.

    @Mark_R said:
    1) Would customers care if SMTP is disabled by default and requires manual verification of ID and a deposit to enable?

    I doubt a lot of customers set up an email server - if they happen to truly need it then they could always request it, right? Just be clear about SMTP being blocked by default on signup.

    About the high fraud and spam ratios from LET... I am not a hosting provider, but personally I think it is mainly because of the low pricing - you could try to set up more restrictions on the low-end packages to cut down the abuse; customers would need to buy a higher package to unlock the restrictions or pay an extra fee.

    It's definitely the lower pricing that is causing all these issues. With dedicated resources, CLEAN ips, and LET prices, my service is definitely a prime target.

  • @jonchun

    I have to admit that your website looks really great! And the prices vs. specs are fair too. Do you have any future plans of adding DDoS protection? That would definitely make me jump for it.

  • @jonchun

    One more thing: you could try mandatory mobile phone verification.
    MaxMind used to provide this but recently they stopped, if I remember
    correctly. There are certain alternatives but I am not sure which one is good.

    Most spammers most probably will not take the trouble to go through phone
    verification.

    @Mark_R

    +1 for me too. Site looks great, especially when you hover
    over a VPS plan and the transition of the background and Intel logo, cool trick ;).
    Good job on design, I must say.

  • @joereid said:
    I don't think anyone would care if tcp/25 is blocked by default, as long as they can get it opened via a ticket. When I rented a dedicated server from Dacentec they had port 25 blocked too. They opened it right up once I inquired about it.

    I guess if I get a little more feedback and legitimate customers generally feel this way, then I will adopt this approach. Would you personally have qualms about sending in a valid ID before getting stuff like this enabled? Or having to provide some type of proof so that people can't get away with spamming after a manual port 25 unblock? (we charge a $50 spam cleanup/investigation fee if an account is suspended for spamming. obviously, it's never paid)

    @Mark_R said:
    jonchun

    I have to admit that your website looks really great! And the prices vs. specs are fair too. Do you have any future plans of adding DDoS protection? That would definitely make me jump for it.

    Thanks a lot for your feedback! Our Xen line is currently hosted on Incero's network which automatically prevents the most common attacks. I am looking into having a shared filtering service added through either Staminus or Psychz, but this is definitely going to be a hit or miss addition to service, so it will take a bit more research and planning.

  • @The_creator said:
    jonchun

    One more thing: you could try mandatory mobile phone verification.
    MaxMind used to provide this but recently they stopped, if I remember
    correctly. There are certain alternatives but I am not sure which one is good.

    Most spammers most probably will not take the trouble to go through phone
    verification.

    Mark_R

    +1 for me too. Site looks great, especially when you hover
    over a VPS plan and the transition of the background and Intel logo, cool trick ;).
    Good job on design, I must say.

    Glad to hear you like the design as well. :)

    Perhaps I should implement mobile phone verification for new VPS orders then? (shared hosting isn't nearly as big a deal as it's already rate-limited and it's very easy to monitor/catch spammers) I love the idea, but I have no idea how people will react to another barrier to getting their product.

  • Yes, I guess it seems a good alternative, as people are more hesitant to provide government ID
    but I think they should be more comfortable with verifying phone numbers.

    Also you can put a notification on the website for customers who cannot verify by phone
    to contact you via ticket and get their account verified. And in the ticket you can proceed
    as required on a case by case basis. This way you can retain the customers who are unable to verify by phone for certain reasons.

  • @Jonchun said:
    Would you personally have qualms about sending in a valid ID before getting stuff like this enabled?

    Yes, that's a deal breaker. I would never deal with a company that required sending copies of ID. Turn it off by default and have a good system for monitoring so you can catch it early.

  • Phone verification failed many times for me (I don't receive calls or text messages to my 06 number); it is really frustrating to the customer. Maybe add ID verification as an extra option after the phone verification fails - it will still be very frustrating, but it's better than nothing.

  • @Mark_R said:
    Phone verification failed many times for me (I don't receive calls or text messages to my 06 number); it is really frustrating to the customer. Maybe add ID verification as an extra option after the phone verification fails - it will still be very frustrating, but it's better than nothing.

    Well verifying your identity through support ticket and getting a manual activation should ALWAYS be an option through any provider IMO. It doesn't matter what other methods they have. If SharkNode decides to take the verification approach, manual verification over ticket will 100% be an alternative option.

    @joereid said:
    Yes, that's a deal breaker. I would never deal with a company that required sending copies of ID. Turn it off by default and have a good system for monitoring so you can catch it early.

    Good to hear this. I know privacy issues are paramount and this type of verification could cause issues with some clients. Guess it's a no-go.

  • Best way is FraudRecord + MaxMind, also manual rDNS; then you can normally tell who the spammers are. Basically you need to check the domain to see if it's a legit site; if not, then it's likely to be spam. Or keep watching it until it hits the processes, qmail queue etc.

  • edited December 2014

    @Jonchun said:

    Mobile Phone verification (a la twilio/etc) is still a bit too easy to fake, but might provide some protection. I have a VOIP account that happens to have the ability to receive most SMSes - mainly because I am out of the house most of the time and cell phone service here is all tied up in 3 year, highly expensive contracts that I have to worry about paying in addition to my tuition....

    So, if someone wanted to spam, they could get a VOIP account, and receive SMSes there.

    If you really want to make sure that it can't be bypassed by a VOIP-based phone number, the best way is to make sure your chosen SMS verification provider sends out verifications using short code SMS. Most providers (i.e. Voip.ms, callcentric, anveo/etc) do not support receiving short code SMSes. They probably never will, since a lot of stuff like pay by phone/etc uses it. Some companies (i.e. Google) also use non-short-code sending in some countries such as Canada, so you will have to make sure they don't do that as well.

  • ricardo Member
    edited December 2014

    Yeah, phone calls or texts of the automated variety are easy to fake. I've used linphone and a bunch of phone # providers to record calls and transcribe authorisation codes to text, and turned the process into an API. It used to be the case you could sign up to Google voice and verify accounts with Google voice phone numbers...

    A real person to person phone call offers much more protection.

    I think your ideas in the OP are reasonable, but hope you'd state it clearly enough before sign-up for those cases where people have their deposit kept.

    Another suggestion to you is charge a higher $ monthly fee until a person verifies their account to your satisfaction.

  • Fraudrecord and disabled SMTP keeps 99% of crap away I find, although I don't offer much in the way of VPS.

  • @ricardo said:
    Yeah, phone calls or texts of the automated variety are easy to fake. I've used linphone and a bunch of phone # providers to record calls and transcribe authorisation codes to text, and turned the process into an API. It used to be the case you could sign up to Google voice and verify accounts with Google voice phone numbers...

    A real person to person phone call offers much more protection.

    I think your ideas in the OP are reasonable, but hope you'd state it clear enough before sign up for those cases where people have their deposit kept.

    Another suggestion to you is charge a higher $ monthly fee until a person verifies their account to your satisfaction.

    I was thinking then... considering how easy it is to fake phone verification, and how most spammers can easily bypass this, what about giving customers 2 options?

    SMTP is disabled by default.
    If you wish to enable it, you can:
    1) You may verify your identity by submitting a scan/photo of an official ID.
    2) You may prepay 2 months (on top of your current month so 3 total if you're a new signup) if you do not wish to submit an ID. This is non-refundable, and will be lost in the event that your account is suspended due to spam. So it is a "deposit", that will be used towards their hosting plan. I figure that most spammers aren't going to deal with this and wait 3 months before starting to spam.

    Any thoughts on these options? I was really liking the phone verification idea until about half the thread shot that down too.

    The above measures will be taken on TOP of fraudrecord.

  • If you accept credit cards then always remember to verify each and every order manually; try to match and verify each and every piece of information,
    and regarding PayPal it's better to accept payments from only verified PayPal accounts.

    Almost every company at LET gets a lot of those fraud orders daily, but giving up is not the solution.

  • ricardo Member
    edited December 2014

    I wouldn't go as far to say avoid using phone verification, it's just another layer and like all other solutions, isn't a 100% guarantee of an answer one way or another. Anything computable can be automated, but not everyone has the resources at hand to do it, or feel the need to.

    Phone verification, fraud record check and disabling SMTP sounds like the actions of a proactive provider.

    If you're using WHMCS, I'd bet just adding a random hidden field would reduce the number of fraudulent/problematic orders. Bear in mind that a lot of the problems stem from a systematic approach to getting the resources they need (in your case, server resources).

  • edited December 2014

    @sparko said:
    If you accept credit cards then always remember to verify each and every order manually; try to match and verify each and every piece of information,
    and regarding PayPal it's better to accept payments from only verified PayPal accounts.

    Almost every company at LET gets a lot of those fraud orders daily, but giving up is not the solution.

    I would recommend requiring a picture of the credit card as well to avoid people who pay using prepaid credit cards, but that is not PCI compliant, and will get you into legal tangles if you're not doing it right.

  • StartledPhoenix said: I would recommend requiring a picture of the credit card as well to avoid people who pay using prepaid credit cards, but that is not PCI compliant, and will get you into legal tangles if you're not doing it right.

    Yea. It's better to require a picture of the credit card; let it take time, but it will save you from all those chargebacks, which are going to be a pain in the ass!

  • edited December 2014

    @sparko said:
    Yea. It's better to require a picture of the credit card; let it take time, but it will save you from all those chargebacks, which are going to be a pain in the ass!

    And when your DB storing those credit card pictures (esp amex with the front CVV) gets hacked, you are going to be in deep legal crap unless you have been fully PCI-verified by an external company. Even if you have been given a green light by a PCI auditor, you end up being involved in cases like http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936

    Don't do it unless you're ready to create an encrypted method of transferring the pictures, along with a secure way of deleting them after you've verified. In addition, if you don't have a PCI-verified way of transferring the pictures between company and customer, you will get sued if someone intercepts the picture as well.

    For most LET hosts, I doubt they want to go through all this crap just so they can prevent themselves from being sued whenever they get hacked.

  • Lee Veteran

    LET is and always will be a point for less welcome "customers" to converge. Spammers love this type of site and its providers. Many new and inexperienced providers are so desperate that they will take anyone long enough for the damage to be done.

    Most spammers are already wise to what maxmind looks for and fraudrecord is really easy to get around, the ones that constantly get caught are automated.

    The only sure way to stop what you are getting is to stop promoting on LET otherwise use a combination of what has already been suggested to at least improve the situation.

    If you don't need to be here and are not reliant on the LET user base then stop chasing it.

  • sparko Member
    edited December 2014

    StartledPhoenix said: And when your DB storing those credit card pictures (esp amex with the front CVV) gets hacked, you are going to be in deep legal crap.

    Better ask the customer to hide that info, such as the CVV; just ask them to provide the basic information needed to verify. This process is followed by most companies.

    And it's better not to store any CC information on your servers after verification, or else store it in a secure place.

  • I would suggest you block port 25 by default, and open it on request (via ticket). And when opened, rate-limit the sending capacity, i.e., X mails per hour. And allow users to request the limit be raised in their second month of service.

    Any sort of verification by mobile or scanned credit card raises issues IMO. Fraudsters can fake it, and legitimate users may not have it (a mobile phone) or be understandably reluctant to scan and send it (a credit card).

  • Lee Veteran
    edited December 2014

    ID is an issue, I mean I would never, ever give any provider on here my ID, however there has never been a need to. I provided it twice in the past, understandably because of the order size, but they were significant organizations.

    Having said that though on a personal front the only ever block I have encountered was with BuyVM who said it was because my 15 year old personal mail domain had a private whois, but they unblocked the order after a ticket.

    Point is, I have nothing to hide, but then I would have even less to hide if my ID was out in the wild somewhere.

  • @sleddog said:
    I would suggest you block port 25 by default, and open it on request (via ticket). And when opened, rate-limit the sending capacity, i.e., X mails per hour. And allow users to request the limit be raised in their second month of service.

    Any sort of verification by mobile or scanned credit card raises issues IMO. Fraudsters can fake it, and legitimate users may not have it (a mobile phone) or be understandably reluctant to scan and send it (a credit card).

    This will most likely be my best option. Thanks for your input. Any suggestions on what a fair rate limit would be for personal use? My personal shared hosting accounts are limited at 100/hour while my business shared plans are 500/hour. I'd prefer to keep it near this range if people think it's fair.

    @W1V_Lee said:
    ID is an issue, I mean I would never, ever give any provider on here my ID, however there has never been a need to. I provided it twice in the past, understandably because of the order size, but they were significant organizations.

    Having said that though on a personal front the only ever block I have encountered was with BuyVM who said it was because my 15 year old personal mail domain had a private whois, but they unblocked the order after a ticket.

    Point is, I have nothing to hide, but then I would have even less to hide if my ID was out in the wild somewhere.

    And understandably so.

  • Lee Veteran

    250/hr seems a reasonable amount, but it depends on the use. Someone who has a large user base may need more as a result of a forum email list or something but if you can make exceptions based on evidence to confirm then people should not have an issue with that.

    Scale it even, allow nothing on a VPS under 256mb and increase as the resource and price does. The usual spammy users tend to go as cheap as they can with very minimal resource.
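
    A node-side check for the per-hour outbound mail limit and the plan-scaled tiers discussed above, as an added example (not code from SharkNode, nodewatch or anyone in the thread). The log line format, the tier boundaries keyed by plan RAM and the sample connection records are this example's own assumptions, built inline so it runs offline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed hourly outbound-mail tiers keyed by plan RAM (MB). The figures follow the
# thread (100/hr personal, 250/hr, 500/hr business, nothing under 256 MB), but the
# tier boundaries are this example's own assumption, not any provider's policy.
PLAN_LIMITS = {256: 100, 512: 250, 1024: 500}

# Assumed record format: one line per outbound TCP/25 connection seen by the node.
LINE_RE = re.compile(r"^(?P<ts>\S+) vps=(?P<vps>\S+) dst=\S+:25$")

def synth_log(vps, start, count, spread_minutes):
    """Constructed sample data (not real traffic): `count` connections from `vps`
    spread evenly over `spread_minutes`, in the line format the parser expects."""
    step = timedelta(minutes=spread_minutes) / max(count, 1)
    return [f"{(start + i * step).isoformat(timespec='seconds')} vps={vps} dst=203.0.113.5:25"
            for i in range(count)]

def parse_events(lines):
    """Return (vps, timestamp) pairs; lines that are not port-25 records are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("vps"), datetime.fromisoformat(m.group("ts"))))
    return events

def plan_limit(ram_mb):
    """Hourly limit of the largest tier at or below the plan's RAM (0 = no SMTP)."""
    tiers = [t for t in PLAN_LIMITS if t <= ram_mb]
    return PLAN_LIMITS[max(tiers)] if tiers else 0

def check_rates(events, vps_ram, window=timedelta(hours=1)):
    """Peak number of outbound SMTP connections per VPS in any sliding one-hour
    window, compared with the plan limit. Returns {vps: (peak, limit, verdict)}."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for vps, ts in sorted(events, key=lambda e: e[1]):
        q = recent[vps]
        q.append(ts)
        while ts - q[0] >= window:  # drop connections older than the window
            q.popleft()
        peak[vps] = max(peak[vps], len(q))
    verdicts = {}
    for vps, ram in vps_ram.items():
        limit, n = plan_limit(ram), peak[vps]
        if limit == 0 and n:
            verdict = "smtp-not-allowed"  # plan too small: any port-25 traffic is a finding
        elif n > limit:
            verdict = "over-limit"  # candidate for a ticket or suspension
        else:
            verdict = "ok"
        verdicts[vps] = (n, limit, verdict)
    return verdicts

def demo():
    t0 = datetime(2014, 12, 1, 10, 0, 0)
    lines = (synth_log("ct101", t0, 40, 60)     # 512 MB plan, 40 in an hour: fine
             + synth_log("ct102", t0, 150, 20)  # 256 MB plan, 150 in 20 min: burst
             + synth_log("ct103", t0, 3, 5)     # 128 MB plan: SMTP not allowed at all
             + ["2014-12-01T10:05:00 vps=ct101 dst=203.0.113.9:443"])  # not port 25
    return check_rates(parse_events(lines), {"ct101": 512, "ct102": 256, "ct103": 128})
```

    Calling demo() runs the check over the constructed sample and returns, per VPS, the peak one-hour count, the plan limit and a verdict a monitor could act on.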

  • I would never send my ID to anyone. I hate artificial restrictions and sometimes send more than 250 mails in an hour or 500 mails in a day for perfectly legitimate reasons.

    Of course I do not represent all customers on this planet.

    Closed smtp port, that will be opened - without restrictions - once requested, is fine.
    Verified PayPal is fine.
    Maxmind is fine, but I would hate to have my order rejected just because I am temporarily overseas.
    Fraudrecord should be illegal, because providers can claim anything about an inconvenient customer. Providers do not even mention it in their ToS and I bet they could get sued for a lot of money because of that.

    OVH called me to verify that I am real. Fine with me.

  • If you're going to implement mail rate limiting, you could take a look at VPSDime for reference in how many mails to allow:

    Your VPS is configured to send a maximum of 50 emails per hour. If you have justification, please open a ticket and we'll raise this limit for you.
