OVH is strengthening its fight against spam

At the start of the year OVH took responsible action to tackle spam and other types of abuse. It joined Signal Spam and M3AAWG, set up an Abuse & R&D committee to identify new intelligent ways of tackling malicious behaviour, and as a result the amount of spam sent from its infrastructures has continuously declined. Romain Beeckman, Chief Legal Officer, and Stéphane Lesimple, INFOSEC Manager, explained the measures deployed by the European leader of Digital as a Service.

OVH’s main activity is supplying infrastructures, every one of which is a potential tool for spammers. For a number of years, the provider has been fighting against spam, phishing, etc., but the limitations of the methods used are starting to show, as Romain Beeckman pointed out: “We initially invested in technologies that enable us to control the security of our data flows; in particular, the anti-DDoS technology that we implemented at our network’s entry point allows us to mitigate extremely large volumes of denial of service attacks and guarantee optimal protection to our customers for all their services. Spam is also on our list of priorities and, as such, we have deployed anti-spam technology to block spam being sent to or received from our network; a necessary step but nevertheless an insufficient one: today we want to integrate the ecosystem of those involved in the fight against spam and malicious practice, our aim being to work together to achieve a common goal.” Stéphane Lesimple then added, “As a major player in our market we have a duty to set an example by helping to rid the web of botnets, spam, phishing, etc. We must work with all internet stakeholders and use the technologies that we have developed to improve the security of the internet as a whole.”

With its anti-DDoS technology, OVH can guarantee its customers optimal protection

At least 50% less spam with Signal Spam

The OVH group therefore joined two organisations it identified as relevant in the fight against malicious email: Signal Spam and M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group).

The French non-profit organisation Signal Spam unites public authorities such as CNIL*, professional associations, internet users and businesses. “Moreover, some of OVH's customers and partners, including in particular Mailjet and Vade Retro, are members. Our Signal Spam membership therefore makes total sense because in the fight against spam, we have become the gateway between the organisation, our customers and our customers' customers”, Romain Beeckman added.

But what are the advantages of working with Signal Spam? Until now spam and phishing reports have been sent to OVH by internet or messaging service providers, or via the Abuse platform. But one of the biggest challenges in the fight against unwanted mail is getting hold of comprehensive reports: many don't include all the information that OVH needs to retrace the email’s route and identify which customer's infrastructure it came from. This is down to several reasons: third parties don't want to disclose their customers' personal data so won't provide all useful information; reports are technically incomplete which stops us pinpointing the problematic infrastructure or aren't sent in the standard format which stops us identifying the crucial information; or the person who reports the spam pays no attention to the reporting procedure. In all of these cases, it's difficult to act quickly.

“Every one of the 350,000 internet users who are members of Signal Spam has a plug-in integrated into their email client**, so when they receive a fraudulent email, they can transfer the full email to the organisation directly via the plug-in. The organisation then analyses the data, consolidates the information and any identical reports, and makes the data available to us,” explained Stéphane Lesimple. OVH therefore receives very extensive data, which helps it to act much more quickly by contacting customers whose emails crop up in a large number of reports. “We ask them to review their business model or clarify their email sending and subscription cancellation policies in particular. If nothing changes after several warnings, we won't hesitate to drop any customers who don't respect our contractual terms; the same goes for those who aren't careful enough when it comes to the security of their machines,” explained Romain Beeckman. During six months of collaboration with Signal Spam, OVH reduced the number of complaints about spam being sent from its infrastructures by 50%.

Stéphane Lesimple, Information Security Manager at OVH

Increasing momentum of the fight against spam with M3AAWG

OVH has also increased the momentum of its fight against spam on an international level by joining M3AAWG, which unites a large number of North American and European companies: “Members include Apple, Blue Ocean, Facebook, Google, Orange, Mailjet, PayPal, Rackspace, Signal Spam, Time Warner, Vade Retro and many more,” said Stéphane Lesimple. The group focuses not only on fighting spam, but also on fighting against other types of abuse, like phishing, malware, botnets, viruses and even DDoS attacks.

By joining M3AAWG, OVH has been able to develop a trusting relationship with various members like Spamhaus and as a result has reduced the time it takes to process reports and identify and deal with customers at the source of a large volume of spam complaints. Work has already paid off as OVH is no longer listed in Spamhaus's top 10 Worst Spam Support ISPs.

By creating a privileged communications channel with professionals in the digital world, OVH now receives relevant and verifiable data via their databases. The company therefore has data to compare with the data in the reports sent via its Abuse platform and can evaluate the efficacy of the measures it takes.

Improve incident identification and handling

OVH also wants to improve how it deals with reports sent to its Abuse platform. “This platform is crucial to OVH because it affects all of our products and services,” said Stéphane Lesimple. “We can't overlook it; we don't want to put our customers at risk.”

At the start of the year OVH created a new team with new tools and new technologies: the Abuse team. This team has members in both Europe and North America to cover the maximum number of hours possible. They have various skill levels: there are information security experts who analyse botnets in detail and identify behaviour patterns, particularly in the communication between affected machines and botnet control servers (C&C). They also deal with incident reports received via either the Abuse platform, external partners or internal detection systems. They identify the similarities between cases to create a typology that could help the OVH teams deal with risks more proactively. “This enables us to improve how we detect and handle incidents,” added Stéphane Lesimple. “We will no longer deal with only the cases that are reported to us, we will also detect weaknesses so we can deal with them even before a user reports them to us.”

"There are two ways to deal with abuse issues," he continued. "The first way - the simplest and also the most commonly used - is to systematically handpick customers. You can do this by carrying out background checks when customers place an order, such as sending a letter to their postal address to make sure that it exists. This technique is also often paired with having a floor price, as a company that only offers relatively expensive services with high added value generally has fewer abuse issues; but this technique isn't compatible with OVH.

The core of our business is not only to be innovative, but also to offer innovative services at fair prices so that everyone can afford them. Anyone can set up an infrastructure at OVH to test an idea or a concept in just a few clicks and at any time; this includes both those with legitimate needs and those who have shady intentions, hence our need for a very efficient abuse team. And this isn't a bug; it's a feature. We want to act as the spring board that helps entrepreneurs launch their projects into orbit; we want them to add value to their projects by relying on our expertise as a provider of scalable infrastructures that are the foundation of our customers' services. The challenge for our team is identifying as quickly as possible any misuse of our products, without throwing sand into the wheels of our legitimate customers."

Research and development for a more secure internet

And OVH has other ideas for the future, such as detecting issues not only on OVH infrastructures, but also on those of other market players: “Botnets can be hosted partly with us and partly with other providers. Our abuse team might therefore have to contact similar teams at other providers to give them the results of our analyses. We want there to be no limits to the fight against everything that is spam, malware, etc.,” said Stéphane Lesimple in conclusion.

The new internal platform where we receive, analyse and process complaints is used by the OVH Abuse team on a daily basis and continues to be developed and improved. And once it's ready, OVH even plans to publish it as an open-source interface so that as many people as possible can benefit from the work of the OVH teams.

*CNIL is an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.

**This plug-in is available on Thunderbird and Outlook email clients. New plug-ins for Mail (Mac) and Chrome, Safari and Firefox web browsers, compatible with most major webmail clients, will also be available before the end of 2015.
