The real issue to me is their apparent zero tolerance policy. Unless I'm misreading something, if there are two incidents where your site is used for phishing, you will lose your Rackspace account. I understand that Rackspace doesn't want to go chasing these things left and right, but it seems that's a little extreme, especially when they're supposed to be infrastructure providers, and should recognize that their clients have clients, and their clients shouldn't be held entirely responsible for the actions of their clients' clients.

:-/

For your argument, I just created an wufoo form which should take down immediately once discovered. http://rickmak.wufoo.com/forms/phishing/. IN that case, I am sure only my account will be taken down, not the whole wufoo.

Actually, it depends on size. If someone created a phishing site on Heroku's, Amazon probably won't shutdown all Heroku sites. But to let Heroku to investigate. For small startup like pandaform, no luck. Rackspace just regards you as one site.

Pandaform can handle things better, like banned "password" field like wufoo do.

It seems like it would be an improvement to either:

1. Keep the very short notification period but also try to reach the site owner via phone or IM

2. Lengthen the notification period if using email only

(Note that I have no problem with short notice and email only if the customer was given the option of providing an emergency contact method but chose not to, and that I otherwise generally agree with the response.)

It seems like the real flaw here is the combination of lack of communication and lack of warning.