Rely your web startup on Rackspace Cloud? Think again

I'm thinking Rackspace might well have been in the right on this one. If the customer was in fact phishing, Rackspace was well within their rights to shut down the account. It's really up to the application creator to prevent that abuse.<p>That said, it's good to have a reminder of the risks of outsourcing your hosting. I still think the tradeoff is worth it for experimental products where you don't want to invest too much upfront.

This may sound contrived and sarcastic, but I assure you it is not.<p>Try your best to get Robert Scoble's attention on this. Rackspace has tasked him with being an evangelist primarily focused on startups and bringing them into the Rackspace services. It's my understanding that things like this should be his primary concern.<p>I could be mistaken, but I'm used to that.<p><a href="http://twitter.com/malbiniak/status/22672201225" rel="nofollow">http://twitter.com/malbiniak/status/22672201225</a>

What is missing from this article (and comments so far) is a more comprehensive analysis of available options.<p>If I lease a server from linode or AWS or theplanet or serverbeach or ${your favorite hosting provider}, would the situation be any different? I understand the article's author frustration with Rackspace, but it's a single data point hence hardly enough to be a basis for an intelligent choice of hosting provider.<p>I'm not even sure if I sympathise with him. You can argue whether 1 hour notice before disabling a server is enough or not but there is an obvious conflict of interest.<p>The interest of the person hosting server, who can potentially be a phisher himself, is for the site to stay up as long as possible.<p>The interest of the public is served by terminating the server as quickly as possible.

I am really not a fan of all the defending RackSpace here. They pulled the plug unreasonably without proper notification.<p>If you're going to pull the plug or even thinking about it... email simply isn't going to cut it. You need someone to call the owner and make contact to explain what's going on or how to resolve it. I've had my servers compromised, I've had phishing content setup before, I have never had the plug pulled. I've had hosts contact me, give me appropriate amounts of time to handle it and some of them even offered to help secure my box or look into how it got compromised in the first place.

All this talk about how Rackspace should be treating startups make me think, "Why?"<p>I understand startups may not have the personel to react as fast as a larger company with dedicated personel, and I understand that there might be a very large percentage of startups on Rackspace which might account for a nice chunk of revenue.<p>But what makes startups different from my personal website or a larger corporation? If Rackspace receives a complaint about a phishing site hosted on their servers, they should do what they can to correct that, regardless of which client is using the server that has the phishing attack. The startup should get the same treatment from Rackspace as the large corporation and the guy with some simple homepage.

Welcome to the joys and sorrows of hosting user-generated content. If this makes you feel better,rackspace is just your first problem. You'll also find soon enough that abuses can get your domain blacklisted in chrome, firefox, and for opendns users.

What <i>should</i> happen here is this...<p>When a server is 'shut down' for phishing or spam, a firewall blocks all incoming/outgoing except for traffic to/from a pre-determined IP address along with the notice that the server is being quarantined.<p>Site owner/admin can then access the server, perform any investigations or deletions necessary, notify data center, then data center opens traffic again.<p>Alternatively, something like a web-based shell allowing access, but all other traffic denied, would be acceptable.<p>I've had servers shut down for 'abuse' which was one complaint from someone at 1am local time for me. I supposedly got a call from xxxxxx at 2 am, notifying me that action would be taken, and my server was taken offline at 3am. I wasn't awake until 7am, and couldn't get things resolved until about 10am. I was told I needed to 'rectify the situation', but how can I do that when access to the server is blocked? It's a ridiculous execution of policy, and only serves to heighten everyone's frustration. A private web-shell or single IP in the firewall to allow access would resolve most of the ill-feelings site owners caught in this situation have had.

We had a similar problem with another vps provider. Some php script was remotely exploited and sending spam. They disabled the VPS. Our website and email was down for 24 hours. They enabled the VPS the next day for us to look at it. What's worse I was asked to reinstall the VPS and it took me some convincing for them to enable it so I get my data from the server.<p>Lesson learned? I think you should never have any operations where you don't have full control. This still holds true but it was a bit ironic because to have full control I ran everything on the VPS, effectively transferring full control to the VPS provider! It was the single point of failure.<p>Now I will transfer each different service to a different provider. Email to rackspace, websites to a host, git services to github and so on.

Post is lacking information on whether the site was actually a phishing site and who (or which entity) submitted a complaint.<p>I think verification of the legitimacy of a complaint should be a critical step before disabling a site, otherwise you're prone to DoS.<p>It would also be good to know what steps the complainant took. Did s/he try to contact Pandaform, or immediately go to Rackspace as the owner of the IP?<p>Without knowing whether the complaint was legitimate, and what steps Rackspace took to verify this (or not) its tough to say whether their actions were appropriate.

this will happen at any responsible web host. If you are hosting phishing sites, expect to get taken down. This trickles up. if you run a hosting company, and you get enough complaints that you don't deal with, then yeah, you will get shut down or asked to leave.<p>That said, I think especially for higher-priced services, a phone call would be nice. (Note: I don't call my customers, though this is a policy I've considered implementing.) I'd be interested in what other people think about other notification systems.

Rackspace (and others) need to call their clients on the phone in these situations. They feel it is so important that it must be taken care of in one hour, yet they use email. Not exactly fair to the client....

imo the biggest mistake here was in PandaForm trusting all of its user-generated content.<p>It seems like they should have been doing some sort of verification of the UGC. Alternately, if they really wanted to go with a fully laissez-faire no-security-checks approach, they shouldn't have picked a hosting company (in this case, Rackspace) that requires customers to sign an agreement that has strict anti-phishing rules.

I second this. Not a fan of Rackspace.<p>Some may argue having your own hardware is more expensive to maintain, but there is a definite advantage to controlling your physical hardware.<p>Rackspace is helpful until you have a real problem, and you are left to fend for yourself.

How was this construed as "phishing"?<p>Did the customer simply set up a form that asks for a user's email address? because if so that describes tons of other services out there... e.g. Wufoo, Google Documents (but I guess they are not hosted on Rackspace!)

Good to know I wasn't wrong when I switched to Linode (From Rackspace). While phishing and spam is damaging, owners need more than 1-2 hours sometimes, especially when they are in a different part of the world.

Oy. This comes the day after I moved all of my sites to Rackspace Cloud.

@matrix, I think overall direction is correct, Rackspace should try their best to notify their customer if they received complaints. However the ridiculous point of this case is totally shutting down all servers of a startup in just 1 hour, which is really horrible. Instead I believe they should at least give 12 - 24 hours for a startup to react and investigate before taking down all their services?<p>Is that really on the same direction that they want to serve startups?

I wonder if this abuse monitoring service can be outsourced somehow. Pay a team of people around the world to monitor the abuse email address and hand them the kill switch for so they can respond immediately to take down one account only instead of the hosting provider taking down the whole server.

Linode isn't really any better. I sent an email campaign to an optin list from campaignmonitor - someone (1 person out of 1000) reported spam.<p>Campaignmonitor asked us what was going on - while this is debatable they may have been damaged from the complaing<p>But even linode asked us about it, just because the website where people signed up was on a linode hosting.<p>1 complain, nothing to do with hosting a part that the link is the here, and they asked us if there was something wrong.<p>I wonder if you can just blast a spam email with a competitor website (hosted on linode) inside and get him offline...

To be fair, a service the size of Rackspace Cloud is bound to screw up at least a few times.<p>Then again, no one ever got fired for switching to Linode.