Hugo Bijmans (Delft University of Technology), Michel Van Eeten (Delft University of Technology), Rolf van Wegberg (Delft University of Technology)
Various governance instruments aim to fight Internet abuse -- from legislation to take down copyrighted material to blocklists to stop spam.
In turn, these instruments rely on industry standards to handle abuse: reporting abuse to the network owners requesting mitigation.
Although many hosting providers swiftly take action to keep the Internet clean, some do not.
This raises the question as to what type of abuse receives follow-up and what rationale is behind a decision to either mitigate or ignore reported abuse.
Through a unique collaboration with law enforcement in the Netherlands, we were granted access to the operational back-end of a hosting provider with a reputation for abuse.
A rare glimpse into its internal abuse handling allowed for the investigation of the mechanisms in the anti-abuse ecosystem that influence anti-abuse actions.
We find that client notification rates highly depend on the reporter and the abuse category.
CSAM and spam-related abuse reports lead to mitigating actions, whereas reports regarding copyright infringement and port scanning are often neglected.
Governance instruments, such as blocklisting, de-peering, and law enforcement inquiries, that could directly impact business continuity, affect client notifications, whereas individual abuse reporting is often easily ignored.
We hope our work can inform policymakers on aligning governance repertoire with effective abuse handling in practice.