Stopping abuse of subdomains

[cmslauncher]

I want to offer subdomains for my services similar to what blogspot or WordPress does with their blogging platform. For eg. subdomain.mydomain.com.

 

However I am getting users who are registering and abusing my service for phishing attacks. Browsers vendors like Google chrome and Firefox are marking the whole domain as "deceptive". This is harming all my customer and not just the offending subdomain.

 

I am using cPanel + WHMCS to offer this service with the hosting package.

 

How can I stop Google to mark the whole *.mydomain.com as deceptive.

[brian!]

How can I stop Google to mark the whole *.mydomain.com as deceptive.

but it IS deceptive if they're being used for phishing attacks... if you offer a 7 day free trial with free subdomain, what did you expect to happen??

[cmslauncher]

Even wordpress.com and ************* like service offer free blogging services, how do they manage it?

[Daniel]

I'd guess as it's a very limited environment with only a Wordpress install and no FTP access it's quite hard for anyone to abuse it and upload phishing sites.

[cmslauncher]

You may be right. But what about this service hosts.cx, they don't have any control on the website they are proxying.

[yggdrasil]

What exactly do you expect to happen?

 

If you offer a free trial or free hosting, you will absolutely attract malicious users. Actually most of them will be doing nasty things in your server.

 

Now, if you are offering them on a subdomain, yes, Google and browsers will correctly mark the whole domain as malware. This is why you want users to use their own domain.

 

In regards to how WordPress and other services are doing it?

 

The question to that is that they have very advanced systems to avoid malicious users from registering, they do all types of pre screening and filtering, then they have probably systems that detect malware or any other suspicious activity on files or things someone may be doing and finally they have an abuse team that constantly tracks and takes down malicious blogs.

 

Google will only mark the domain as malware if you are not acting promptly and removing the abusers. I suspect WordPress and free hosting services remove the malicious users in hours, not days. So Google and others services don't have a chance to mark them as malware.

 

And finally, like someone else said, they limit the environment heavily. You can't just upload PHP files and expect it to work. They don't give PHP, or database, or shell access and probably not even FTP. They only let you upload static files (and they filter or * them) and they mostly don't allow emails out, or any type of external data connection from the accounts. As last resort if someone does host something malicious, they take it down and quickly.

 

This is not a problem with WHMCS, its how you do business. If you are planning to give un-trusted, un-vetted and anonymous people access to your services, you can expect them to do very nasty things, including hacking your servers and all sites. Sadly this is the risk of doing business online. Giving someone access to any computer system always involves some type of risk.

 

The only part where WHMCS can help you is trying to do some checks on the sign up, for example, enable MaxMind or another fraud service, that should catch some users, or maybe you can enable phone or SMS verification, most malicious users don't want to have any type of verification, so that should kill a bunch of them. You will still have nasty users, even if they didn't do it on purpose. Giving free hosting always tend to people not caring about the servers because they are not paying for them, so they don't care if their logins are stolen. This is why some free hosting services remove or terminate the account if the user did't logged in a specific time period, because most people abandon their account. You don't want abandoned accounts either. Unless you plan to baby sit every single account and file you are asking for a nightmare here. This is why free hosting is so horrible in the first place. Someone not willing to pay you 1$ to host something, probably is just hosting garbage and does not care about your services or his hosting account either.

 

If you charge cheap you are going to attract the worse of the Internet, if you charge nothing, you are going to be the guy that is hosting all the malware and malicious sites online and a person that actually wants to pay you is going to stay far away from your services for that reason. You are going to damage your brand and reputation to oblivion and this is why no serious website or company tends to upgrade from a free hosting to a paid account.

 

Yes, there are services that are doing it but like I said, they are spending a lot of time and resources on providing those services. If you thought free services are free in cost you are wrong. They are not free for you at least, they will still you cost money and time. Companies that offer free services actually account the costs for each free account and they can only keep giving them as long as they are making profit from other customers upgrading which is also unfair as the ones that pay are subsidizing the free riders.