rickmak | 15 years ago

Everyone hates spam. I don't object to Rackspace shutting down an account that is obviously phishing/spam, but they should not take it down as soon as they think there is abuse. Grace period must be given, so the site holder can respond.

I don't think it is possible for a few-man startup to respond within 1 hour, 24x7. I would choose to use an alternative hosting that gives a longer grace period.

thaumaturgy|15 years ago

> Grace period must be given, so the site holder can respond.

Unfortunately, during that grace period, numerous people may be receiving spam emails directing them to the site, and some of those people may be naively entering their information ...

I really dislike the way most service providers and the like handle spam, but unfortunately, I too must side with Rackspace on this one. They simply can not afford to "wait and see" until the site owner responds, or provide a grace period while the site owner tries to figure things out.

Phishing attempts must be handled by site owners as though their server has just been compromised and someone is currently downloading the entire password database: the server must be shut down immediately, the problem fixed offline, and the server only brought back online once the issue is fixed.

Sorry. :-/

sprout|15 years ago

The real issue to me is their apparent zero tolerance policy. Unless I'm misreading something, if there are two incidents where your site is used for phishing, you will lose your Rackspace account. I understand that Rackspace doesn't want to go chasing these things left and right, but it seems that's a little extreme, especially when they're supposed to be infrastructure providers, and should recognize that their clients have clients, and their clients shouldn't be held entirely responsible for the actions of their clients' clients.

rickmak|15 years ago

:-/

For your argument, I just created a Wufoo form which should be taken down immediately once discovered. http://rickmak.wufoo.com/forms/phishing/. In that case, I am sure only my account will be taken down, not the whole of Wufoo.

Actually, it depends on size. If someone created a phishing site on Heroku, Amazon probably won't shut down all Heroku sites, but will let Heroku investigate. For a small startup like Pandaform, no luck. Rackspace just regards you as one site.

Pandaform can handle things better, like banning the "password" field as Wufoo does.

bazbamduck|15 years ago

It seems like it would be an improvement to either:

1. Keep the very short notification period but also try to reach the site owner via phone or IM

2. Lengthen the notification period if using email only

(Note that I have no problem with short notice and email only if the customer was given the option of providing an emergency contact method but chose not to, and that I otherwise generally agree with the response.)

It seems like the real flaw here is the combination of lack of communication and lack of warning.

NyxWulf|15 years ago

The reality is that each minute the phishing site remains up, another account may get its information stolen. Imagine if you are the person that had your bank account information stolen and drained during the "grace period" for the company to respond to the takedown notice.

This is the kind of thing where a customer who gets their information stolen while Rackspace is waiting for the grace period to expire might have a legal cause of action against Rackspace.

Ultimately, I think Rackspace did exactly the right thing here. If you are operating a service that would potentially allow phishing, then you are bearing the risk of policing your users. Asking Rackspace and affected users to give you a grace period is asking them to bear the risk instead. I 100% agree with the decision to immediately shut the site down.

royuen|15 years ago

Do you think that it is reasonable if someone creates a phishing website on Heroku, and all servers on Heroku get shut down by Amazon in an hour?