[rickmak]

Everyone hate spam. I don't object Rackspace to shut down an account that is obviously phishing/spam, but not take down as soon as they think there is an abuse. Grace period must be given, so the the site holder can respond.

I don't think it is possible for few-man startup can responds in 1 hours for 24x7. I would choose to use an alternative hosting that give a longer gracing period.

[thaumaturgy]

> Grace period must be given, so the the site holder can respond.

Unfortunately, during that grace period, numerous people may be receiving spam emails directing them to the site, and some of those people may be naively entering their information ...

I really dislike the way most service providers and the like handle spam, but unfortunately, I too must side with Rackspace on this one. They simply can not afford to "wait and see" until the site owner responds, or provide a grace period while the site owner tries to figure things out.

Phishing attempts must be handled by site owners as though their server has just been compromised and someone is currently downloading the entire password database: the server must be shut down immediately, the problem fixed offline, and the server only brought back online once the issue is fixed.

Sorry. :-/

[sprout]

The real issue to me is their apparent zero tolerance policy. Unless I'm misreading something, if there are two incidents where your site is used for phishing, you will lose your Rackspace account. I understand that Rackspace doesn't want to go chasing these things left and right, but it seems that's a little extreme, especially when they're supposed to be infrastructure providers, and should recognize that their clients have clients, and their clients shouldn't be held entirely responsible for the actions of their clients' clients.

[rickmak]

:-/

For your argument, I just created an wufoo form which should take down immediately once discovered. http://rickmak.wufoo.com/forms/phishing/. IN that case, I am sure only my account will be taken down, not the whole wufoo.

Actually, it depends on size. If someone created a phishing site on Heroku's, Amazon probably won't shutdown all Heroku sites. But to let Heroku to investigate. For small startup like pandaform, no luck. Rackspace just regards you as one site.

Pandaform can handle things better, like banned "password" field like wufoo do.

[bazbamduck]

It seems like it would be an improvement to either:

1. Keep the very short notification period but also try to reach the site owner via phone or IM

2. Lengthen the notification period if using email only

(Note that I have no problem with short notice and email only if the customer was given the option of providing an emergency contact method but chose not to, and that I otherwise generally agree with the response.)

It seems like the real flaw here is the combination of lack of communication and lack of warning.

[NyxWulf]

The reality is that each minute the phishing site remains up, another account may get its information stolen. Imagine if you are the person that had your bank account information stolen and drained during the "grace period" for the company to respond to the takedown notice.

This is the kind of thing where a customer who gets their information stolen while Rackspace is waiting for the grace period to expire might have a legal cause of action against Rackspace.

Ultimately, I think Rackspace did exactly the right thing here. If you are operating a service that would potentially allow fishing, then you are bearing the risk of policing your users. Asking Rackspace and affected users to give you a grace period is asking them to bear the risk instead. I 100% agree with the decision to immediately shut the site down.

[royuen]

Do you think that it is reasonable if someone creates a phishing website on heroku, and all servers on heroku got shut down by amazon in an hour?

[nl]

No, and that's a strawman argument. That's like asking if it were reasonable for Level 3 to pull the plug on Rackspace if Level 3 got a phishing complaint.

If Amazon got complains about Heroku then I'd certainly expect them to be investigated, and in Heroku's case I'd expect Heroku would take over and shutdown the phishing site.

[royuen]

exactly, same in this case. I expect Rackspace should ask pandaform to investigate the case and shutdown the phishing site. I won't expect the whole pandaform would be taken down.

Also pandaform doesn't allow use to put any script or password field in the form, which the quality of the "phishing" form is not as serious as what we thought as a normal phishing site do.

[notahacker]

In the case of Heroku, I'd expect them to be able to shut the phishing site down within the 40 minute period Rackspace apparently gave Pandaforms before shutting the whole service down themselves.

I'm sure if Pandaforms had done this (which is difficult when you're a much smaller startup than Heroku) then their server would have been left untouched.

You can argue that Heroku would have most likely got a phone call and that Pandaforms deserve the same treatment, but I don't think that they'd have been allowed to leave phishing sites up for any period of time without their servers being placed in jeopardy either.

[edwincheese]

I think everyone agreed on that the service provide have to investigate and take action on any abuse claim. But what is questioning now is that is it reasonable to shutdown a suspect case of abuse without giving time for the service provider to investigate and respond to this case?

[mtigas]

According to http://archive.nyu.edu/bitstream/2451/15020/2/Infosec+BOOK_T... “experimental studies have shown that the bulk of victim credentials are collected within 24 hours of mailing the bait messages.”

Once a phishing form is “in the wild,” every minute counts.

The burden is on the service (your site) to prevent or quickly act to rectify a situation, but if your provider determines that it must intervene, then it is well within it's right to.

[nl]

is it reasonable to shutdown a suspect case of abuse without giving time for the service provider to investigate and respond to this case?

Yes, if there are enough complaints and harm that may come from it is serious enough.

[chopsueyar]

So, the writer of the article had one complaint. The forms cannot take passwords.

A second complaint, without any investigation, would result in the termination of his account and destruction of data.

That is not reasonable.

[lsc]

If heroku got enough complaints (relative to it's size) they would get shut down or asked to leave. Now, heroku has a lot more than two servers, so it's going to take more than one or two complaints to take them out, and they are probably going to get more than an hour of notice, but if you provide a hosting service, you need to make sure that your users and customers are not using your service to host phishing sites.