This article is intended to help you understand what to do when you receive an email abuse report forwarded to you from Steadfast.

If you have recently received an abuse report regarding an Open SNMP, NTP, DNS, LDAP, or memcached server used for an attack, please see below for further information on dealing with these problems.

Controlling Who Receives Abuse Reports

Abuse reports will always be forwarded to the primary contact on your account, unless you have set a contact's title to include the word "Abuse."  Only one contact will be used for abuse report forwarding for technical reasons.  You should create a distribution list if you require multiple users to be able to view the reports.  Please disable auto-responding for abuse contact email addresses for the source address "abuse@steadfast.net" to prevent ticket system responder loops.  You should also ensure that the receiving mailbox has spam and content filtering disabled.  Much of what we forward will be spam or links to malware, and if you use a filtering system, you may never see our reports.  If the reports are ignored, you might risk having your services suspended without ever realizing we are trying to contact you.  We recommend, but do not require, that you ensure your abuse contact is an email address hosted outside our network, in case the abuse issue or a related suspension takes your email service offline.

Basic Handling Guidelines

When you receive an abuse report that's been forwarded to you, it indicates that someone believes that your service is doing something unwanted, malicious, or dangerous, or that your service is at risk of doing so in the near future.  You should carefully review the message to determine the proper course of action.  There are a number of common types of abuse reports which may need to be handled differently.

In any case, you can always reply directly to the forwarded email for advice and help.  To ensure your reply is properly matched to the original report, please be sure to keep the subject line intact.  It's okay if you don't understand what a report means.  Our support team can explain the report and suggest ways to try to resolve it.  If you have managed services with Steadfast, we can often provide assistance in identifying the problem and fixing it for you.

If you choose to disregard abuse reports we forward to you, you may put your server at risk of suspension.  We review all reports a second time and will check to verify that the problem is resolved.  If you have not responded and we find the problem still exists, or if we continue to receive additional abuse reports, we will give you an additional warning and a deadline to resolve it.  If the problem is not dealt with by the deadline, we will take whatever action is necessary to stop the abusive behavior until it can be properly addressed.

In rare situations where the abuse activity is harming our network or placing other customers or users in danger, we may need to suspend your server right away.  You will still receive a notification and we will work with you to resolve the problem to allow you to bring the server back online in a clean state as soon as possible.

Handling Specific Reports

Spam and Unsolicited Email

When you receive a report of spam or unsolicited email, this doesn't mean that your email was actually spam.  It means that someone felt that the email they received was not something they wanted.  In some cases, if you're running a simple newsletter for your site, marketing to a list you collected on your own site or emailing transactional emails to your own customers, the best course of action is to contact the user or unsubscribe them from the email messages or close the account.  If you are a bulk emailer, email service provider, you have purchased a mailing list, or you are mailing people you have no direct relationship with, you may be in violation of our terms of service unless you require subscribers to confirm their opt-in status before being subscribed.  You should hold your own customers to the same high standards whenever possible, if they send email.

If you have received a spam report for email that you don't think should have originated from your server, it is possible that your server may have been compromised in some way.  Inspecting the headers of the email message may identify the script(s) or users that were used to send the message, which could help to determine if a web site or the full server has been compromised.  Please see the section below regarding compromised web sites.

SpamCop Reports

SpamCop has a strict policy regarding how reports can be used, including a requirement that they may not be directly forwarded to customers.  This restriction is in place to prevent possible spam operations from identifying and unsubscribing users as a way to reduce complaint volume.

We are unable to provide the full text or headers of the message to you, so you should probably use this report for collecting abuse volume statistics for the noted IP address.  If your abuse report volume for an IP address is high, you should plan to evaluate the mailing practices of the server or user to better prevent abuse.

If this report is regarding a "spamvertized" URL, the URL has been truncated to the domain name only.  In that case, if the URL appears not to contain any uniquely identifiable information, we will be happy to pass the full URL on to you if you reply requesting that information.

Any headers we supply to you will have message IDs and uniquely identifiable headers and content stripped, so please note that you will not be able to gather this information for this report, even if you follow up.

Violation of SpamCop policies would jeopardize our continued access to these reports for statistical reasons and we are not able to make exceptions.

Phishing Scams and Malware

Reports of malware and phishing usually indicate that a server has been compromised in some way.  If the link you have been sent is not a normal page from the web site it references or a domain that is unfamiliar, you should find the content on your server, back it up and remove it.  If the content has been added to an existing file on the site, you should remove the added content or restore the page from a clean backup.

After resolving the immediate problem, you must also deal with the compromise.  Please see the section below for details on solving this problem.

Network Security, Denial of Service, Botnets

Network security and denial of service issues are usually the result of compromised sites, as above.  You should terminate any programs that are performing abusive behavior, but you should also note which user account they belong to.  If the user account is root or Administrator, your server may be fully compromised and should probably be re-installed.  Please see the section below for information on dealing with compromised systems.

Open DNS, NTP, SNMP, LDAP, or Memcached Servers Used for Attacks

Services of these types (UDP protocols) can allow someone to trick your server into sending unwanted traffic to the wrong IP address which can be part of a distributed attack.  If you received a report regarding an open DNS, NTP, SNMP, LDAP, Memcached server being used for an attack on an IP assigned to you, please see one of the following articles for details on how to resolve the problem:

• DNS
• NTP
• SNMP
• LDAP
• Memcached

Digital Millenium Copyright Act (DMCA)

A DMCA takedown notice is a special case.  You must review it carefully to determine which content is identified in the notice and then disable access to that content, regardless of whether there is indeed infringement of a copyright.  If you feel infringement is not occurring, you may submit a DMCA counter-notification back to Steadfast, which allows you to restore the content after 10 days.

Compliance with the DMCA is required by US law.  Even if you do not live or operate your business in the US, you must comply if you host content on a server that operates within the US, as in this case.  To comply with this notification you must do the following:

• Immediately disable access to the content indicated in the notification.
• Review the content to determine if it is infringing.
• If you believe the content is not infringing or this notice is not valid, you may file a counter-notification in reply to our message.
• If you file the counter-notification, you must wait 10 days before restoring the content.
• If the content has been uploaded by an offending account that has received multiple complaints, you should suspend the user account.

If we determine that the content has not been removed and that no counter-notification has been received within 5 business days of this message, Steadfast will be required to take corrective action directly, which may involve disabling the IP address that is hosting the content.

You should weigh the risks before deciding whether to send a counter-notification.  You may be liable for any related damages.

Remember, if you do not respond and take no action, Steadfast will be compelled by law to disable access to the referenced content regardless of the apparent validity of the claim.

If you have any technical or procedural concerns, please let us know and we will be happy to help explain your options or provide further details.  Steadfast is not qualified to provide legal advice and recommends you contact an attorney if you are considering actions other than immediate removal of content.

Handling a Compromised Account or Server

If your site or server has been exploited, you must evaluate the method that allowed the malicious activity to be put in place.  In many cases a PHP web site exploit or FTP password exposure may have been used to allow a malicious user to modify the site.  It's recommended that after an exploit all site passwords be changed, and any site administrators scan their personal computers for malware.  Any applications used on the site should be upgraded to the latest versions.  If an exploit occurs again, you should consider re-installing the entire site and restoring content from backups to hopefully close any backdoor code that may have gone unnoticed.

If you have found malicious processes running as root or Administrator on your server, it is fully compromised and you should not try to clean the exploit.  Instead, you should contact our support team for assistance with re-installing your system and restoring content from backups.  It is not recommended to try to operate a server on which any malicious person has had administrative access and the opportunity to hide backdoors and additional exploits.

You can reply to the abuse report we have forwarded you at any time for assistance in identifying the cause and possible solutions to a compromise.