I am particularly sensitive to malware and phish issues because too often it seems to me that large service providers are so apathetic, understaffed, or both that they end up complicit in criminal behavior. The worst example of that I’ve ever encountered is a company called iPower Web. A few years ago, I discovered that a large number of sites hosted on their servers had been compromised through a gaping hole in their homebrewed Web control panel, and were being used to spread the W32/Zlob malware. Not only did they fail to take action against hacked sites, and leave the malware droppers in place, it took about sixteen months(!) for them to fix the security vulnerability…by which point more than 200,000 sites on their servers(!!) had been hacked and recruited to spread malware.

I’m not saying that Softlayer is anywhere near as bad, of course. That’s simply an example of the sort of intractability and indifference I deal with almost every day, and I tend to be particularly upset by service providers who allow malware and phish sites to linger on their servers for extended periods of time. I don’t think that iPower was actually acting with malice, but past a certain point any sufficiently advanced incompetence is indistinguishable from malice. Either way, it still benefits organized crime to the detriment of people who use the Internet.

I’m glad to see that you’re willing to escalate problems like this, and that you seem to be proactive about dealing with this kind of abuse on your network.

It’s good to have an open dialogue about the most efficient ways to handle abuse, but it’s difficult to continue the conversation when the primary concerns seem to be based on the sweeping generalization that SoftLayer abuse is slow in general because SoftLayer abuse was slow on specific occasions. To a certain extent, that position is based on confirmation bias.

I would expect the team of representatives to be quicker about dealing with abuse complaints, particularly with regard to phish and malware dropper sites. Leaving a bank phish or a ZeroAccess dropper active for days or weeks is bad policy. I don’t know why you’re so slow–whether it’s a question of policy or procedure or simply understaffing–but when, say, a bank phish is active on your network for a week, you’re potentially exposing many people to fraud. I’m sure the criminals responsible for these kinds of abuse appreciate it.

“In what way would you suggest we monitor the activity on a site that’s hosted by a customer of a customer of one of our customers?”

Not monitoring activity on such sites is one thing. Not responding to abuse complaints in a timely fashion is another. Other large hosting providers who deal with many layers of resellers and customers don’t move so slowly, so it’s possible.

Look, I know the kinds of volumes of email that abuse addresses get. I know the numbers of sites we’re talking about. I know how hard (read: impossible) it is for end users to be educated to update their vulnerable copies of WordPress and Joomla. But if it takes weeks to respond to abuse complaints, something’s wrong.

In what way would you suggest we monitor the activity on a site that’s hosted by a customer of a customer of one of our customers? When we receive a complaint, would you suggest we shut down our customer immediately if action isn’t taken to stop the abusive behavior? If a reseller’s shared hosting server houses a single spammer, would it be fair to the hundreds of other legitimate customers for us to disconnect the server when we get an abuse complaint about that single spammer? Or would you, as a customer of a hosting reseller, hope that we work with our customers (so that our customers can work with their customers) to get the abusive content removed?

As you’ll note in several of the previous comments under this post, we’re happy to help escalate concerns you feel have not been addressed in a timely manner. Just forward those abuse complaints to twitter@softlayer.com, and we’ll look into them.

I’m talking about “best hosts” here in the context of hosts with the best response to spam and other issues, not with the best FTP. Bluehost consistently removes things like computer malware droppers and bank phish sites extremely quickly, typically within hours hours of an abuse complaint, rather than leaving them up for days or weeks.

“This is great – your site is actually being hosted with websitewelcome, too, Franklin. Talk about the whole pot/kettle thing.”

Websitewelcome is Hostgator. I use them in part because of their prompt attention to spam, malware, and phish complaints; they established an excellent track record of responding to these issues quickly before I ever started hosting with them.

Again, the issue here as I see it is that Softlayer is dismally poor at securing their network and in taking action to shut down phish and malware sites when notified of them, often leaving such sites active for days or even weeks. I find that indefensible.

As far as the other sites you discuss, it would make a world of difference if you actually said whether you’d reported them to the abuse dept. If not, then you’re talking apples and oranges. More importantly, did you contact their actual provider (websitewelcome?). That ought to be included in your first step when reporting abuse.

For example, when the Web site datzwhatzup (dot) net was compromised, it was being used to spread the W32/ZeroAccess malware. A compromise of this type, like a phish page, should be a high priority. Yet the site remained infected and continued to spread the malware for more than a week(!) after Softlayer was notified of the problem.

To me, that is unconscionable. I realize that abuse teams are always understaffed because management sees the abuse teams as employees who cost money but don’t generate revenue, but even so, to allow a serious security compromise that was actively being used to spread malware to remain on a server for a week or more is really, really bad. (By way of comparison, some of the best ISPs in the industry, such as Bluehost, will often take down phish sites and malware spreaders within an hour or two of being notified of the problem.)

It is also unfortunate that professional spam-for-hire outfits have taken up residence on Softlayer’s network. For example, pushbuttonemailer (dot) com now lives on your network. This spam-for-hire site is advertised by means of link redirectors placed on other hacked sites. It plainly advertises spamming services and is spamming itself via a network of hacked sites, but has remained on Softlayer’s network nonetheless, and in fact it seems like Softlayer is helping the spammer do listwashing.

If the abusive activity persists, please feel free to forward the abuse report you submitted to abuse@softlayer.com to our social media team (twitter@softlayer.com), and we’ll see if there’s anything we can do to help.