Most hosting providers take too long to remove malware distribution sites

How long does it take web hosting providers to remove malware distribution sites parked on their network? Roman Hussy, the Swiss security activist behind abuse.ch, says that, on average, it takes them 3 days, 2 hours, and 33 minutes.

Some are much quicker than that and some much are much slower – the record is by an Australian ISP that took nearly 20 days – as there are many things that interfere with automated and manual abuse reporting.

Abuse.ch

Abuse.ch is a service that helps ISPs and network operators protect their infrastructure from malware.

It runs several malware trackers and URLhaus, a project that collects and shares URLs that are being used for distributing malware, reports them to blacklist providers and, since June 2018, sends out automated abuse reports to the respective network owners.

Since August 2018, Hussy started measuring the “take down time” – the time between when the abuse complaint was sent to the hosting provider and when the reported content went offline.

As noted before, the average take down time is 3 days, 2 hours, 33 minutes. He thinks this average can and should be lower – hours, not days – to effectively hamper malware campaigns.

The top 15 most prompt providers took down malicious sites in less than an hour and 15 minutes (on average). Currently, only 16 percent of the hosting providers URLhaus has notified in the past two months reacted, on average, within 6 hours.

“The worst hosting providers with the slowest reaction time had more than 10 days in average to react on the abuse report,” Hussy also noted.

“There are hosting providers who took more than 2 weeks to remove the malware from their hosting space. But it gets worse: there are malware distribution sites that are active for more than 3 months now.”

The problem(s) with malware distribution abuse reporting

URLhaus’s effort to get the providers notified is stymied by a number of things:

• Outdated information about abuse mailboxes or non-existent abuse mailboxes
• Abuse mailboxes that nobody checks or are behind a spam filter so spam reports are automatically classified as spam and not delivered
• Providers not accepting abuse reports from email addresses that are not in their customer database (preventing reports from people who are not customers)
• Web-based abuse reporting, which makes automated abuse reporting impossible
• Poorly educated support staff that doesn’t known how to handle abuse reports, and more.

Solving these problems requires the providers to make an effort and Hussy advises them to implement the Abuse Reporting Format (ARF) to fix some of them. Also, they should definitely make a dedicated email address for abuse reports easily discoverable, check it regularly and act on the reports.

“The question that remains is what we as an internet community should do with network operators that do not care about abuse reports. Should they still have a place in the internet community? This question that is hard to answer,” he noted.

“My personal feeling is that there should be more pressure towards network owners that do not care about abuse problems in their network, harming other internet users as well as threatening the reliability and stability of the internet. But as there is (fortunately) no governance over the internet, we must find an answer to this question as a community and not as individuals.”