For any given spammer / criminal operation, there are at least four vectors - usually companies - that could prevent abuse before it happens.

 - Domain registration agent and registrar

 - DNS name server service

 - IP space provider

 - Other service hosts (www, mx, hired outbound mail service, etc)

In a perfect world, each registrar would be blackhat or whitehat - 100% criminal customer base or 100% non-criminal customer base. Each name server host would serve 100% lawful domains or 100% unlawful domains.

As we know, this is not the case. Vetting processes sometimes fail to discern some of the rotten apples from the sweet ones, AUPs are violated, and sometimes the offending customer's service is cut off, with apologies to the affected community.

Let's take name server hosts as an example. I have high confidence that some name server hosts have an excellent vetting process, such as NS1.BARCLAYS.CO.UK. I'm putting that name server on my name server whitelist.

The following are characteristics that a tightly controlled, well-run, high-security name server host might have.



Vetting Effectiveness Profile


Initial screening:
High barriers to anonymous users, forged identities very likely to be noticed. Only vetted employees of the company operating the name server host can add domains.

AUP: Meets or exceeds recommended standards.

Time between accurate report of AUP violation and termination of service: 60 minutes or less.

Self-monitoring methods to detect abuse: Rate limiting, outbound scanning, feedback loops

Legal system judgments against entity directly related to abuse issues: Zero

Screening failure count: Zero

Effective action taken to reduce screening failures: Yes



The Vetting Effectiveness Profile looks quite different for companies that do little self-monitoring, depend on others to hammer their way through a difficult abuse reporting process, have a lengthy wait time before an AUP-violating customer is terminated, and make no effective changes to their initial screening or self-monitoring processes to reduce the number of screening failures.



Vetting Effectiveness Profile


Initial screening:
If you have a name and a credit card number, you've got a domain and hosting. Minimal barriers to anonymity or forgery of contact info.

AUP: Meets or exceeds recommended standards.

Time between accurate report of AUP violation and termination of service: 2 weeks.

Self-monitoring methods to detect abuse: Unknown

Legal system judgments against entity directly related to abuse issues: Zero

Screening failure count: Terminations due to policy violations: 2005: Aug 1823, Sep 390, Oct 1700, Nov 8942, Dec 1400. 2006: Jan 2388.

Effective action taken to reduce screening failures: No. (Rate of "oops how'd they fool us again" is not decreasing)




One of the measures of interest is the size of the "free license to abuse" window. Is the window between detectable illicit action and termination long enough to get off a profitable phishing or spamming run? Is the initial screening process left so open that numerous such incidents are going to keep occurring? OK, so noted in the service provider's Vetting Effectiveness Profile.

While I would "encourage" the service provider with that kind of profile to improve - it's not the end of the world if that doesn't happen. It's not the end of my ability to discern ham from spam. I simply require additional data points for mail from domains served by that [ name server host, registrar / agent, cc/gtld, IP space, HSP ].

If the domain is new
AND the IP space they are sending from has no history as a mail server
AND name server host is new
AND the www is zombie hosted
AND Vetting Effectiveness Profile says they'll get 14 days free to operate

 - I'm going to ask them to send through an established smarthost with a decent reputation initially, or get accredited by an Accreditor before I will deliver their mail to the inbox by default.

We could give many more examples - however, the point is that if the path onto the Internet for this sender is one where vetting is minimal and the "free window to abuse" is wide - I will simply require that they meet some minimal standards of my own.

Conversely, if the domain has been around X time, acting in a stable manner - not on a reputable blacklist - and there is any kind of affirmed or reasonably inferred relationship between the envelope-from domain and sending server IP space, their name server host and IP space can have a poor / mixed Vetting Effectiveness Profile and I'll still deliver that mail to the inbox. Any domain or IP with a greyhat service provider can provide enough positive data points to pass.

New domains with a lot of strikes against them in terms of their choice of service providers may need to seek the services of an Accreditor, or initially send through a smarthost with a decent reputation.
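The two rules above (the AND list and its converse), written out as a delivery decision; this is an added example, not code from the original post. The field names, the day and hour thresholds, and the fallback outcome for senders that match neither rule are assumptions made for illustration.

```python
from dataclasses import dataclass

NEW_DOMAIN_DAYS = 30     # assumption: cutoff for "the domain is new"
ESTABLISHED_DAYS = 180   # assumption: stands in for the post's "X time"
WIDE_WINDOW_HOURS = 24   # assumption: above this the abuse window counts as wide

@dataclass
class VettingProfile:
    """One field of a provider's Vetting Effectiveness Profile."""
    hours_to_termination: float  # accurate AUP report -> service terminated

    def wide_abuse_window(self) -> bool:
        return self.hours_to_termination > WIDE_WINDOW_HOURS

@dataclass
class Sender:
    domain_age_days: int
    ip_has_mail_history: bool
    ns_host_is_new: bool
    www_zombie_hosted: bool
    on_reputable_blacklist: bool
    envelope_matches_ip_space: bool  # affirmed or reasonably inferred relationship
    accredited: bool = False
    via_reputable_smarthost: bool = False

def disposition(s: Sender, ns_profile: VettingProfile) -> str:
    """Return 'inbox', 'require_smarthost_or_accreditation' or 'need_more_data_points'."""
    # Converse rule: an established, unlisted domain with a plausible
    # envelope/IP relationship passes even behind a poor provider profile.
    if (s.domain_age_days >= ESTABLISHED_DAYS and not s.on_reputable_blacklist
            and s.envelope_matches_ip_space):
        return "inbox"
    # Every strike in the AND list must hold before the extra demand applies.
    all_strikes = (s.domain_age_days < NEW_DOMAIN_DAYS
                   and not s.ip_has_mail_history
                   and s.ns_host_is_new
                   and s.www_zombie_hosted
                   and ns_profile.wide_abuse_window())
    if all_strikes:
        if s.accredited or s.via_reputable_smarthost:
            return "inbox"
        return "require_smarthost_or_accreditation"
    return "need_more_data_points"

# Constructed profiles mirroring the two in the post: 60 minutes vs 2 weeks.
TIGHT = VettingProfile(hours_to_termination=1)
LAX = VettingProfile(hours_to_termination=14 * 24)
```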

Accreditors tend to have high-quality vetting processes: well thought out, carefully enforced and reliably executed. Examples of accreditors include (alphabetically) Bonded Sender, Goodmail, Habeas, et al. Domain-specific SSL certificate issuers are also a type of accreditor - depending on the vetting level - they ascertain that a domain is owned by an entity and that the entity has a physical address and usually governmental registration. Not guaranteed - but you could probably find the certificate holder if you need to sue them for spamming or criminal activity.

Perhaps the registrar agents, name server hosts, and IP space providers will start offering their new customers the option to purchase accreditation if they are lacking in clear and verifiable identity.

In addition to vetting senders, I think services which vet Internet service providers will achieve popularity. For example, "best practice" recommendations (authored by Internet grey-beards and law enforcement organizations) can be used by services that help ISPs, registrar agents, and DNS providers implement the recommendations and stay "certified" through monitoring and mentoring.

When that day comes, the legitimate business contemplating where to host, where to buy their domain, and what DNS vendor to use will have a clearer view of the reputation they are associating themselves with when they choose a service provider.