Benchmark and feeds

The code of conduct for combating abuse is supported by making available information about abuse and vulnerabilities in the networks of providers who subscribe to the code of conduct on Providers can use this information to supplement sources that they already consult to inform themselves about problems in their network. The information on this platform originates from various notifiers and Internet abuse researchers.


Researchers from TU Delft itemised how much abuse and vulnerabilities providers with a login on the platform have in their networks. This data has been collected over a longer period. Based on these figures and after normalisation for the size of the network, a ranking has been made for some of the providers. Some logged in providers can view their ranking compared to other providers. The provider receives information about the quality of the abuse combating: “Good”, “Average” or “Bad”. The ranking is periodically adjusted based on the available data in the feeds so that the ranking and rating improve over the course of time if the provider takes action. The abuse and vulnerabilities data that underlie this ranking is partially available on the platform. Eventually, the ranking will be based solely on data available on the platform.

Providers should note that in the longer term this ranking might be made more widely available. That is because, although the feed data is not entirely public, it is widely shared by the notifiers. Furthermore, the method developed by TU Delft will be published and so others will be able to replicate the ranking, given time and effort.

The researchers from TU Delft describe here how their model that underlies the benchmark works.


The data provided on this platform originates from ShadowServer and the Facebook Threat Exchange. Both of these notifiers base their notifications on their own research, Internet scans and data provided by third parties. The ShadowServer notifications are transmitted with a high degree of certainty, and so this feed contains few to no false positives. The Facebook feed contains data that is supplied by a large number of parties. In some cases, the notifications contain information about the probability of the notification being correct but in other cases, this information is missing. Over the course of time, the administrators of will further tweak the Facebook feed, which increases the probability of the notifications being correct.

The available information will, of course, be limited to notifications about the network of the logged in provider. The information is therefore not publicly available, and it is not possible to see notifications about the networks of other providers.

Feeds are made available on the web application of AbuseIO and manuals are available for the configuration of the provider accounts and use of the feeds.