On Abuse Mitigation
Over the past several years I had the pleasure of mitigating abuse for a small community forum as well as large hosting provider. I hadn’t intended on dealing with service abuse in my technology career, but it had just happened to fall into place. Before I go further into this post I should take some time to explain what I mean by “abuse”. Abuse is any action that is explicitly prohibited by a site’s or service’s Acceptable Use Policy (AUP). In this post I won’t cover fraudulent activities, which some organizations consider to be one and the same as far as abusive activity goes, rather I will focus on how service providers can help identify and mitigate abuse on their own service.
Written by lawyers, AUPs are intentionally vague policies which encompass things like prohibition of illegal, undesirable, or unwanted activity on a given service. This can be things like DoS, spamming, web crawling, hosting of potentially unwanted programs, or running other troublesome services. Services like IRC servers, Tor exit nodes, and BitTorrent are generally called out by name due to the headache and liability that they are to service providers. AUPs are generally used as the guiding rulebook for what constitutes abuse on a given service provider.
Without a dedicated team to mitigate abuse on your service, it can be a taxing task to continually adapt to new abuse threats. These threats, which are constantly evolving, can be as complicated as running your own core business so it is important for you to understand what makes them tick. As you approach your own battles with abuse, I think it is wise to think about the following approaches to mitigating abuse: know thy customers, profile the abusers, and understand their business models.
As an average citizen of the Internet, you have a moderate amount of anonymity and you can (generally) move relatively unencumbered throughout the Internet. For example, anybody can sign-up for an email account, your customers can sign-up for your service from any geolocation, and use any user agent to accomplish this. This freedom is what allows any arbitrary citizen of the Internet the ability to sign-up for your service. However as a service provider, this is the bane of your existence when it comes to mitigating abuse. Therefor you need to enact certain controls which allow you to positively identify your customer through a variety of means. The simplest of which is a simple pair of identifying credentials which usually take the form of an email/password pair. Though you shouldn’t stop there as this is only the beginning when it comes to knowing your customer. The true challenge is to discover whether or not the customer who just signed-up for your service is indeed a real human. Providers can implement a variety of controls like email verification, risk based profiling, blacklisting of abusive IP addresses, and more. This helps increase the confidence level that a given user is indeed a real human being and not a bot that was designed to take advantage of your service. A Voight-Kampff test for bots is an art that requires constant refinement based on your service’s use case and its threats. For example, how likely is it for a customer to click on the email verification link from a different user agent than the one they used to sign up for the service? What are the amount of minutes from completing the sign-up process to the first API call? Being able to answer questions like these will help you better know what constitutes a real human customer, which will of course help you answer who is unlikely to be a real human.
The United States Secret Service (USSS), whose responsibilities include the prevention and investigation of counterfeit US currency, had a problem in their anti-counterfeit training. They needed to identify counterfeit bills which were circulating throughout the economy. They found that there are nearly endless ways that US currency could be counterfeited and new techniques continue to crop up each day. So after years of trial and error in their training process, the USSS instead focused their training on what a real US currency looked like or what its attributes are. Specifically what a real bill feels like, what countermeasures exists on real bills, its dimensions, its weight, and a variety of other telltale signs of a real bill. Once you know what the expected normal US bill would look like, it is relatively simple to detect counterfeit techniques.
Much like counterfeit bills once you know what a genuine customers look like, we can now focus on what an abusive customer looks like. Abusive customers are generally trying to take advantage of your service to accomplish a particular goal. This can be either for spamming purposes, DoS, or other common abuse patterns mentioned above. The type of abuse you will see will undoubtedly change as the return on investment from their abusive activities shift. It is important that you understand how they are making money from their actions as this will help you identify ways to reduce their revenue. Once you understand their revenue source, you can focus your efforts on lowering the overall utility that your service provides to their goals. For example, an email spammer may only get paid if they are able to send a high amount of email for their spam campaign. By not allowing new customers to send a high rate of emails or capping the total number of email recipients to a moderate amount, this will lower the usefulness a given account will have to a would be email spammer.
From a personal experience in running a small forum for a number of years, I
found that one constant angle that spammers would like to take advantage of is
Blackhat SEO spamming. Specifically these spammers tried to inject links to
their client’s website onto your site in the hopes that search engines would
rank their own websites higher because of page rank association. To help lower
the utility of a link inserted into my site, I added rel=“nofollow”
attribute on all links submitted by users and disallowed the insertion of links
for new users. This greatly reduced this type of spam overnight. The spammers
identified my site was of no use to them and moved on to their next victim
website. There is simply no substitute for hitting the abusers in their
pocketbooks.
Mitigation of abuse is a constantly evolving issue that service providers will need to cope with. Much like fraud, it is a battle that is never ever truly won as new abuse techniques emerge. In fact when you become complacent in mitigating abuse, you will likely find a new wave of abuse will come to take advantage of your service.