Understanding the role of sender reputation in abuse reporting and cleanup

F.O. Cetin; Mohammad Hanif Jhaveri; Carlos Gañán; Michel van Eeten; Tyler Moore

doi:10.1093/cybsec/tyw005

Understanding the role of sender reputation in abuse reporting and cleanup

F.O. Cetin, Mohammad Hanif Jhaveri, Carlos Gañán, Michel van Eeten, Tyler Moore

Organisation & Governance

Research output: Contribution to journal › Article › Scientific › peer-review

20 Citations (Scopus)

62 Downloads (Pure)

Abstract

Motivation: Participants on the front lines of abuse reporting have a variety of options to notify intermediaries and resource owners about abuse of their systems and services. These can include emails to personal messages to blacklists to machine-generated feeds. Recipients of these reports have to voluntarily act on this information. We know remarkably little about the factors that drive higher response rates to abuse reports. One such factor is the reputation of the sender. In this article, we present the first randomized controlled experiment into sender reputation. We used a private datafeed of Asprox-infected websites to issue notifications from three senders with different reputations: an individual, a university and an established anti-malware organization.

Results: We find that our detailed abuse reports significantly increase cleanup rates. Surprisingly, we find no evidence that sender reputation improves cleanup. We do see that the evasiveness of the attacker in hiding compromise can substantially hamper cleanup efforts. Furthermore, we find that the minority of hosting providers who viewed our cleanup advice webpage were much more likely to remediate infections than those who did not, but that website owners who viewed the advice fared no better.

Original language	English
Pages (from-to)	83-98
Number of pages	16
Journal	Journal of Cybersecurity
Volume	2
Issue number	1
DOIs	https://doi.org/10.1093/cybsec/tyw005
Publication status	Published - 2016

Keywords

abuse reporting
hosting providers
abuse handling
security economics

Access to Document

10.1093/cybsec/tyw005

tyw005Final published version, 1.08 MB

Cite this

@article{e9de0b69436441409eb453426c64f9ae,

title = "Understanding the role of sender reputation in abuse reporting and cleanup",

abstract = "Motivation: Participants on the front lines of abuse reporting have a variety of options to notify intermediaries and resource owners about abuse of their systems and services. These can include emails to personal messages to blacklists to machine-generated feeds. Recipients of these reports have to voluntarily act on this information. We know remarkably little about the factors that drive higher response rates to abuse reports. One such factor is the reputation of the sender. In this article, we present the first randomized controlled experiment into sender reputation. We used a private datafeed of Asprox-infected websites to issue notifications from three senders with different reputations: an individual, a university and an established anti-malware organization.Results: We find that our detailed abuse reports significantly increase cleanup rates. Surprisingly, we find no evidence that sender reputation improves cleanup. We do see that the evasiveness of the attacker in hiding compromise can substantially hamper cleanup efforts. Furthermore, we find that the minority of hosting providers who viewed our cleanup advice webpage were much more likely to remediate infections than those who did not, but that website owners who viewed the advice fared no better.",

keywords = "abuse reporting, hosting providers, abuse handling, security economics",

author = "F.O. Cetin and {Hanif Jhaveri}, Mohammad and Carlos Ga{\~n}{\'a}n and {van Eeten}, Michel and Tyler Moore",

year = "2016",

doi = "10.1093/cybsec/tyw005",

language = "English",

volume = "2",

pages = "83--98",

journal = "Journal of Cybersecurity",

issn = "2057-2085",

publisher = "Oxford University Press",

number = "1",

}

TY - JOUR

T1 - Understanding the role of sender reputation in abuse reporting and cleanup

AU - Cetin, F.O.

AU - Hanif Jhaveri, Mohammad

AU - Gañán, Carlos

AU - van Eeten, Michel

AU - Moore, Tyler

PY - 2016

Y1 - 2016

N2 - Motivation: Participants on the front lines of abuse reporting have a variety of options to notify intermediaries and resource owners about abuse of their systems and services. These can include emails to personal messages to blacklists to machine-generated feeds. Recipients of these reports have to voluntarily act on this information. We know remarkably little about the factors that drive higher response rates to abuse reports. One such factor is the reputation of the sender. In this article, we present the first randomized controlled experiment into sender reputation. We used a private datafeed of Asprox-infected websites to issue notifications from three senders with different reputations: an individual, a university and an established anti-malware organization.Results: We find that our detailed abuse reports significantly increase cleanup rates. Surprisingly, we find no evidence that sender reputation improves cleanup. We do see that the evasiveness of the attacker in hiding compromise can substantially hamper cleanup efforts. Furthermore, we find that the minority of hosting providers who viewed our cleanup advice webpage were much more likely to remediate infections than those who did not, but that website owners who viewed the advice fared no better.

AB - Motivation: Participants on the front lines of abuse reporting have a variety of options to notify intermediaries and resource owners about abuse of their systems and services. These can include emails to personal messages to blacklists to machine-generated feeds. Recipients of these reports have to voluntarily act on this information. We know remarkably little about the factors that drive higher response rates to abuse reports. One such factor is the reputation of the sender. In this article, we present the first randomized controlled experiment into sender reputation. We used a private datafeed of Asprox-infected websites to issue notifications from three senders with different reputations: an individual, a university and an established anti-malware organization.Results: We find that our detailed abuse reports significantly increase cleanup rates. Surprisingly, we find no evidence that sender reputation improves cleanup. We do see that the evasiveness of the attacker in hiding compromise can substantially hamper cleanup efforts. Furthermore, we find that the minority of hosting providers who viewed our cleanup advice webpage were much more likely to remediate infections than those who did not, but that website owners who viewed the advice fared no better.

KW - abuse reporting

KW - hosting providers

KW - abuse handling

KW - security economics

UR - http://resolver.tudelft.nl/uuid:e9de0b69-4364-4140-9eb4-53426c64f9ae

U2 - 10.1093/cybsec/tyw005

DO - 10.1093/cybsec/tyw005

M3 - Article

VL - 2

SP - 83

EP - 98

JO - Journal of Cybersecurity

JF - Journal of Cybersecurity

SN - 2057-2085

IS - 1

ER -

Understanding the role of sender reputation in abuse reporting and cleanup

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cybersecurity (TPM)

Cite this

Understanding the role of sender reputation in abuse reporting and cleanup

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Projects

Cybersecurity (TPM)

Cite this