Home / News

M3AAWG Releases Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers

Jointly published by the Internet Infrastructure Coalition (i2C) and the Messaging, Malware and Mobile Anti-Abuse Working Group, the new document outlines proven activities that can help Web hosting services improve their operations and better protect end-users.

The new best practices describe how to identify customers that are spammers or criminals, policies to prevent abuse, and processes to remediate known threats for the hosting, DNS and domain registration provider communities.  These recommendations are intended to help hosting companies establish a stable operating environment and minimize additional customer support costs resulting from network operators frequently blocking the service for abusive activities, according to Michael Adkins, M3AAWG Chairman of the Board.

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


regarding outbound spam control Carl Byington  –  Mar 30, 2015 10:47 PM

Although section 5.4 “Set up internal telemetry…” might imply this as part of traffic analysis, I propose:

Track counts of tcp syn packets sent to port 25 to ip addresses outside your network, summarized by customer. Maintain appropriate per customer thresholds. If the customer exceeds their (5 minute, hourly, daily, whatever) limit, block all subsequent outbound mail from their accounts.

There are two very different methods available to spammers. One is to attempt to stay under the radar by sending spam slowly. This generally requires a lot of ip address space. The other method that I see more frequently lately is where the spammer knows their ip address space and/or domain names will be blocked soon, so they hammer out as much as they can for relatively short periods - less than two hours.

If we can see hundreds of spam attempts in an hour on a trivially small mail server, they are sending a LOT of tcp syn packets. Those bursts should be able to get them automatically firewalled by their provider within minutes.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Brand Protection

Sponsored byCSC