Web hosting providers take three days, on average, to respond to abuse reports

Some hosting providers take over two weeks to respond, with the worst taking over 19 days.

Web hosting providers take 3 days, 2 hours, and 33 minutes on average to respond to abuse complaints and remove malware hosted on their servers, according to a report published today.

Abuse reports are commonly filed by security researchers, manually or using automated tools, and sent to web hosting providers at an email address specified on their sites.

Researchers scour the internet and keep an eye out for malicious links in email spam or other places, collect the URLs, determine the web host, and send out an email to the hosting provider, asking it to take down the link before users get a chance to click on it. There are thousands if not tens of thousands of such abuse reports being sent each day.

Previous studies have shown that the first few hours after a malware distribution are the most critical, as that's when spam filters and antivirus engines are most likely to be caught with their pants down and when the vast majority of users get infected.

This is why web hosting providers need to cooperate and respond to abuse complaints with urgency, to keep users safe and stop malware campaigns.

But a study of over 38,924 automated abuse reports sent out via the URLhaus project at Abuse.ch has shown that very few web hosting providers are helping out.

"Among the 600+ hosting providers that URLhaus has notified in the past two months, only 104 (or 16%) reacted within 6 hours on average," the Abuse.ch team said. "If we take a look at the number of hosting providers that reacted within the hour when they received the abuse report from URLhaus, we are down to 13 (or 2%)."

The fastest of all providers was UK-based Clouvider, with a record 19 minutes response time, while at the very bottom of the list Abuse.ch placed Australian provider HNPL-AS-AP Hosted Network Pty. Ltd., with a whopping 19 days, 20 hours, and 42 minutes response time.

[Image: web hosts taking the most time to respond. Credit: Abuse.ch]

But if that's not bad enough, the Abuse.ch team said that some web hosting providers fail at responding to all abuse reports, and some malware files remain online for months.

The web host that failed to respond to the most abuse complaints was Go Daddy, which still hosted 402 malware campaigns according to Abuse.ch, followed at a big distance by Digital Ocean with 295.

[Image: web hosts still hosting malware. Credit: Abuse.ch]

The countries where the Abuse.ch team found the sloppiest/ignorant hosting providers were Ukraine, Japan, and Zimbabwe. Seeing Ukraine on the list is no surprise as it's been known for a while that the country's ongoing war with pro-Russian separatists has created geographical areas where hosting providers operate with impunity from Ukrainian laws, brazenly hosting botnets, malware command and control servers, and all sorts of nasty stuff.

But besides factors out of one's control, there are other issues with the abuse reporting process. The Abuse.ch team points out that their project alone detects thousands of malware links per day, but only a small portion of them get reported.

[Image: web host difference. Credit: Abuse.ch]

There are various reasons for this, experts explained. The list is long, but the most common scenarios that prevent their automated system from submitting a report are:

  • The quota of the abuse email inbox has been exceeded, meaning nobody is either reading or deleting incoming emails.
  • Web hosts put abuse email addresses behind spam filters. Since the reported links are "links to malware" some spam filters block many abuse reports.
  • Web hosts utilize an "email confirmation" process that requires the automated abuse reporting system to click on a link.
  • Web hosts don't respond to abuse reports unless the reporter is a customer.
  • Web hosts redirect reports to a web-based form.
  • Web host help desks are staffed with non-technical employees who fail to understand the urgency of the reported issue.
  • Web hosts respond to reports, but they rewrite the subject or don't include the original message. For automated abuse report systems, this effectively breaks the report chain, and the reporter won't be able to track down the original malware URL.
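
The last item in the list above can be seen from the reporter's side in the following sketch, which is an added example and not code from URLhaus or Abuse.ch. It tries to tie a host's reply back to a sent report through threading headers, a subject token, and quoted body text; the `[ABUSE-…]` token format, the function name, and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed tracking-token format for this sketch, e.g. [ABUSE-1a2b3c4d].
TOKEN_RE = re.compile(r"\[ABUSE-([0-9a-f]{8})\]")

def match_reply(raw_reply, reports):
    """Map a host's reply to a sent report; returns (report_id, method)."""
    msg = message_from_string(raw_reply)
    # 1. Threading headers survive a rewritten subject line.
    sent = {r["message_id"]: rid for rid, r in reports.items()}
    refs = f'{msg.get("In-Reply-To", "")} {msg.get("References", "")}'.split()
    for ref in refs:
        if ref in sent:
            return sent[ref], "header"
    # 2. The token is still present in the subject.
    m = TOKEN_RE.search(msg.get("Subject", ""))
    if m and m.group(1) in reports:
        return m.group(1), "subject"
    # 3. The original report (token or reported URL) is quoted in the body.
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    m = TOKEN_RE.search(body)
    if m and m.group(1) in reports:
        return m.group(1), "body"
    for rid, r in reports.items():
        if r["url"] in body:
            return rid, "body"
    # Nothing links the reply to a report: the chain is broken.
    return None, "unmatched"

# Constructed sample data (reserved example domains, not real reports).
REPORTS = {"1a2b3c4d": {"message_id": "<1a2b3c4d@reporter.example>",
                        "url": "http://files.example.net/invoice.exe"}}
REPLY_HEADER = ("From: abuse@host.example\nSubject: [Ticket #48213] Your request\n"
                "In-Reply-To: <1a2b3c4d@reporter.example>\n\nThe content was removed.\n")
REPLY_QUOTED = ("From: abuse@host.example\nSubject: Ticket update\n\nDone.\n"
                "> Malware URL: http://files.example.net/invoice.exe\n")
REPLY_BROKEN = ("From: abuse@host.example\nSubject: Your ticket was closed\n\n"
                "We have resolved the issue.\n")

if __name__ == "__main__":
    for raw in (REPLY_HEADER, REPLY_QUOTED, REPLY_BROKEN):
        print(match_reply(raw, REPORTS))
```

The third sample is the case the list describes: a new subject, no threading headers, and no quoted original, so the reply cannot be tied to any malware URL.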

The question that remains is what we as an internet community should do with network operators that do not care about abuse reports. Should they still have a place in the internet community? This question is hard to answer. My personal feeling is that there should be more pressure towards network owners that do not care about abuse problems in their network, harming other internet users as well as threatening the reliability and stability of the internet.

More stats and a deeper discussion on the abuse report scene can be found in Abuse.ch's report, here.
