Most users expect their ISP to help them in defending themselves from abuses coming from the Internet, and this is where many ISPs focus their efforts. However, a fraction of the customers of any ISP will be abusive on its own; spammers and fraudsters often rely on free or inexpensive hosting and email services to run their illegitimate businesses.
You should thus devote some effort to monitor your own users, detect abusive behaviour and stop it as soon as possible; you should have appropriate wording in your contracts that allows you to suspend or terminate services when abuses and breaches of netiquette are detected.
At the same time, you have to realize that often it is not your legitimate customer that is running the abuse, but someone who has infected his computer or intruded into his website; so you should try to cooperate with your customer in fixing the issue, rather than just shutting down the service – and usually he will be very grateful to you for that. However, the accounts of unresponsive or uncooperative customers – or that clearly look fraudulent – should be terminated without mercy.
A first and useful step to detect abuses coming from your users is to monitor usage patterns. All outgoing messages on your email server should go through the anti-abuse filter as well; the filter should trigger an alarm, and possibly some email throttling, if the outgoing email traffic from a given user is too high or too spammy. To be able to track abuses, you should disable unauthenticated email submissions to your email server, and require SMTP authentication even for connections coming from inside your own network.
Especially if you provide hosting services, the same applies in terms of network traffic. Detecting unusual traffic patterns coming from your users, or from websites hosted on your network, may allow you to detect a spammer, a botnet-infected computer or a cracked website; you could then put the source temporarily offline, curtailing the troubles, and contact the user to verify his good faith. This can also be done by adopting an anti-malware filter on recursive name servers, to detect users whose computers try to connect to malware-related websites.
Also, you should encourage community feedback and respond quickly to it. You should publish email contacts for abuse – typically abuse@yourdomain – and ensure that your customer care deals with those messages immediately, at least to rank the importance of the event. You should subscribe to blacklist monitoring services and feedback loops, and check your mail server logs for other ISPs that reject your messages – this usually happens when you have been marked as a spam-friendly provider.
You will find further details in the M3AAWG’s best practices for hosters.
