Prohibited Actions on AlexHost Virtual Servers: Complete Policy & Technical Explanation
Understanding what is prohibited on a virtual private server is not just a matter of reading fine print — it directly determines whether your infrastructure stays online, your IP reputation remains clean, and your account avoids immediate termination. AlexHost enforces a strict acceptable use policy (AUP) on all VPS Hosting plans to protect the shared network infrastructure, maintain IP reputation across the entire subnet, and ensure compliance with international law.
This document provides a detailed breakdown of every prohibited category, the technical reasoning behind each restriction, the enforcement mechanisms in place, and the real-world consequences for violations — including scenarios that are frequently misunderstood, such as the distinction between intentional abuse and a compromised server.
Why Acceptable Use Policies Exist on Shared Infrastructure
A VPS, despite being logically isolated through hypervisor-level virtualization, still shares physical network uplinks, IP address blocks, and sometimes storage I/O with neighboring instances on the same host node. When one tenant engages in abusive behavior — whether intentional or the result of a compromise — the blast radius extends beyond their own instance.
IP reputation damage is the most immediate and technically damaging consequence. If a single IP within a /24 subnet gets listed on Spamhaus, SpamCop, or the Spamhaus Block List (SBL), deliverability for every other server in that range degrades. Reverse DNS lookups fail, outbound SMTP connections get rejected, and legitimate businesses operating on adjacent IPs suffer collateral damage they did not cause.
This is why enforcement is not optional and why the thresholds for action are deliberately low.
Prohibited Activity Categories: Technical Breakdown
Email Spam — Outbound and Inbound
Intentional email spam in any direction is strictly prohibited. This includes:
- Mass unsolicited commercial email (UCE) campaigns sent via SMTP relay
- Open relay configurations that allow third parties to route spam through your server
- Inbound spam trap seeding or deliberate acceptance of spam to poison filters
- Snowshoe spam operations distributed across multiple IPs
- Compromised mailing list scripts exploited to send bulk unsolicited mail
The compromise exception: If your server was breached and a malicious actor installed a spam script (a common post-exploitation step), AlexHost will work with you to remediate the issue rather than immediately terminating the account — provided you respond promptly and demonstrate active remediation. This exception does not apply indefinitely. Continued abuse after notification, regardless of claimed compromise status, results in service suspension.
Technical note: Modern spam detection systems like SpamAssassin, Postfix policy daemons, and outbound rate limiters can detect abnormal SMTP volume within minutes. If your server suddenly sends 10,000 messages per hour, it will trigger automated blocks at the network level before a human reviews the case.
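The volume check described in the technical note can also be run by the server operator against their own Postfix log. The following is an added example, not AlexHost's detection system or code from the original page: it counts recipients queued per envelope sender per hour and reports which local uid submitted the mail. The log lines, hostnames and the `flag_bursts` name are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog format Postfix writes; not real traffic.
SAMPLE_LOG = """\
Jan 12 02:59:50 vps postfix/pickup[811]: 0A1B2C3D4E: uid=1000 from=<alice>
Jan 12 02:59:50 vps postfix/qmgr[790]: 0A1B2C3D4E: from=<alice@vps.example>, size=912, nrcpt=1 (queue active)
Jan 12 03:14:07 vps postfix/pickup[811]: 1A2B3C4D5E: uid=33 from=<www-data>
Jan 12 03:14:07 vps postfix/qmgr[790]: 1A2B3C4D5E: from=<www-data@vps.example>, size=2048, nrcpt=40 (queue active)
Jan 12 03:20:31 vps postfix/pickup[811]: 2A2B3C4D5E: uid=33 from=<www-data>
Jan 12 03:20:31 vps postfix/qmgr[790]: 2A2B3C4D5E: from=<www-data@vps.example>, size=2051, nrcpt=35 (queue active)
Jan 12 03:41:02 vps postfix/qmgr[790]: 1A2B3C4D5E: from=<www-data@vps.example>, size=2048, nrcpt=40 (queue active)
Jan 12 03:55:12 vps postfix/qmgr[790]: 3A2B3C4D5E: from=<alice@vps.example>, size=1200, nrcpt=2 (queue active)
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>\w+): uid=(?P<uid>\d+) ")
QMGR = re.compile(
    r"^(?P<hour>\w{3}\s+\d+ \d{2}):\d{2}:\d{2} \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

def flag_bursts(log_text, max_rcpt_per_hour=10_000):
    """Return [(hour, sender, recipients, local_uids)] for senders over the limit."""
    submit_uid = {}          # queue id -> local uid that handed the mail to pickup
    seen = set()             # queue ids already counted
    volume = Counter()       # (hour, sender) -> recipients queued
    uids = defaultdict(set)  # (hour, sender) -> submitting uids
    for line in log_text.splitlines():
        m = PICKUP.search(line)
        if m:
            submit_uid[m["qid"]] = int(m["uid"])
            continue
        m = QMGR.match(line)
        # qmgr logs "from=" again each time a deferred message is retried;
        # count every queue id once so retries do not inflate the rate.
        if not m or m["qid"] in seen:
            continue
        seen.add(m["qid"])
        key = (m["hour"], m["sender"])
        volume[key] += int(m["nrcpt"])
        if m["qid"] in submit_uid:
            uids[key].add(submit_uid[m["qid"]])
    return sorted(
        (hour, sender, count, sorted(uids[(hour, sender)]))
        for (hour, sender), count in volume.items()
        if count > max_rcpt_per_hour
    )

if __name__ == "__main__":
    for row in flag_bursts(SAMPLE_LOG, max_rcpt_per_hour=50):
        print(row)
```

A burst attributed to the web server's uid (33 on Debian-family systems) rather than to a mail user is a common sign of an abused web script, which is the compromise scenario the policy describes.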
Malware, Exploits, Botnets, and Malicious Redirects
Hosting or distributing any of the following is prohibited without exception:
- Malware payloads: Ransomware droppers, trojans, keyloggers, remote access tools (RATs)
- Exploit kits: Browser-based exploit frameworks (historically: Angler, RIG, Magnitude)
- Botnet command-and-control (C2) infrastructure: IRC-based bots, HTTP C2 panels, peer-to-peer bot coordination
- Drive-by download scripts: JavaScript injectors that silently push malware to site visitors
- Malicious redirects: .htaccess or DNS-level redirects pointing users to phishing or malware-serving domains
These activities are monitored by threat intelligence feeds including VirusTotal, abuse.ch, Emerging Threats, and commercial SIEM platforms. Once a server IP appears in these feeds, it gets blacklisted across antivirus vendor databases globally — a process that can take months to reverse even after the malicious content is removed.
The compromise exception applies here as well, with the same conditions: immediate notification, active cooperation, and demonstrable remediation steps.
Child Sexual Abuse Material (CSAM) and Age-Ambiguous Content
This category carries zero tolerance and no exceptions — including the compromise exception. Prohibited content includes:
- Child sexual abuse material (CSAM) in any format
- Incest content
- Zoophilic content
- Any content featuring individuals who appear to be under 18 years of age, regardless of claimed age verification
CSAM is not merely a terms-of-service violation. It is a criminal offense under the laws of virtually every jurisdiction, including EU Directive 2011/93/EU, the U.S. PROTECT Act, and Moldova's criminal code (AlexHost operates under Moldovan jurisdiction). Reports are made to the National Center for Missing and Exploited Children (NCMEC) CyberTipline and relevant national law enforcement agencies without delay.
Account termination is immediate and permanent. No refund is issued. Law enforcement referral is automatic.
Theft, Fraud, and Financial Crime
Prohibited activities in this category include:
- Phishing pages impersonating banks, payment processors, or government agencies
- Credential harvesting portals
- Fake invoice or wire transfer fraud infrastructure
- Social engineering campaign hosting
- Money mule recruitment sites
Security organizations including national CERTs, the Anti-Phishing Working Group (APWG), and financial institution fraud teams actively monitor for these operations and submit takedown requests directly to hosting providers. Response time is measured in hours, not days. Violators face both account termination and referral to law enforcement, with hosting logs preserved as potential evidence.
Fraudulent Websites and Redirect Chains
Distinct from direct phishing, this category covers:
- Fake storefronts that collect payment without delivering goods
- Counterfeit brand websites (trademark infringement)
- Redirect chains designed to obscure the final destination from users and security scanners
- Traffic monetization schemes built on deceptive redirects
These operations frequently attempt to use multiple layers of redirection — often through legitimate-looking intermediary domains — to evade detection. Network-level traffic analysis and passive DNS monitoring can identify these patterns regardless of obfuscation.
Carding and Payment Card Fraud Infrastructure
Carding refers to the use of stolen payment card data to make fraudulent purchases, and the broader ecosystem around it includes:
- Carding forums and marketplaces
- Card validation scripts (commonly called "checkers")
- Dumps and fullz databases
- Automated carding bots targeting e-commerce checkout flows
- Skimmer script hosting (Magecart-style JavaScript injectors)
This is classified as a serious financial crime under international law. Payment card networks (Visa, Mastercard) operate their own fraud intelligence units that actively identify and report hosting infrastructure. Consequences include immediate termination, IP blacklisting across financial network security systems, and criminal referral.
Attacks on Government and Critical Infrastructure
Hosting tools, services, or coordination infrastructure for attacks against government bodies, critical national infrastructure, or any third-party organization is prohibited. This includes:
- Vulnerability scanning services targeting government networks
- Exploit delivery infrastructure for APT-style campaigns
- Hacktivism coordination platforms
- Credential stuffing tools pre-loaded with government employee datasets
The compromise exception applies in the narrow case where a server was taken over and used as a pivot point without the owner's knowledge — but this requires immediate reporting and full cooperation with any subsequent investigation.
IP Blacklisting-Inducing Activities
Any action that causes an AlexHost IP address to appear on major reputation blocklists is prohibited. Relevant blocklists include:
| Blocklist | Primary Focus | Impact if Listed |
|---|---|---|
| Spamhaus SBL/XBL/PBL | Spam sources, hijacked IPs | SMTP rejection by major mail providers |
| SpamCop | Spam reporting aggregator | Email deliverability degradation |
| StopForumSpam | Forum spam, credential abuse | Registration blocks on major platforms |
| Blocklist.de | Brute-force, SSH scanners | Firewall blocks across participating networks |
| AbuseIPDB | General abuse reporting | Automated firewall rules on thousands of networks |
| Antivirus vendor feeds | Malware hosting, C2 | Browser warnings, AV product blocking |
Delisting from these services after a listing event is time-consuming and not guaranteed. Some listings, particularly on Spamhaus, require demonstrated remediation and can take weeks to resolve. The operational cost to AlexHost and neighboring tenants is significant, which is why this category is treated with the same severity as direct abuse.
DDoS Attacks — Both Inbound "Testing" and Outbound
This is one of the most technically misunderstood restrictions. Two distinct scenarios are prohibited:
1. "Test" DDoS attacks against your own server:
Generating high-volume attack traffic toward your own VPS IP — even for legitimate load testing or DDoS mitigation testing purposes — creates real congestion on the shared uplink. The network infrastructure cannot distinguish between "test" traffic and a real attack. The result is packet loss, latency spikes, and degraded performance for every other customer on the same network segment.
2. Outbound DDoS attacks against third parties:
Using a leased server to participate in or orchestrate distributed denial-of-service attacks against any target is a criminal offense in most jurisdictions (Computer Fraud and Abuse Act in the US, Computer Misuse Act in the UK, similar statutes across the EU). This includes:
- Stresser/booter service backends
- Amplification attack reflectors (DNS, NTP, memcached)
- Voluntary botnet participation
- Low-and-slow application-layer attack tools (Slowloris, RUDY)
Resource abuse beyond DDoS: Even non-attack traffic patterns that saturate the shared channel or cause excessive disk I/O — such as misconfigured cryptocurrency mining operations, poorly written crawlers, or runaway backup jobs — fall under this enforcement category.
Enforcement Mechanisms and Escalation Path
AlexHost's enforcement follows a tiered model, though the tier applied depends entirely on the severity of the violation:
Tier 1 — Warning and remediation window:
Applied to first-time, lower-severity violations where the account holder appears cooperative. A notification is sent with a specific remediation deadline.
Tier 2 — Traffic throttling or port-level blocking:
Applied when a VPS is generating problematic traffic volumes that affect neighboring instances. Outbound SMTP port 25 blocking is a common example. Service continues but with restrictions.
Tier 3 — Immediate suspension:
Applied to serious violations (CSAM, active DDoS, active carding infrastructure) with no prior warning. The instance is suspended, data is preserved pending investigation, and no refund is issued.
Tier 4 — Permanent termination and law enforcement referral:
Applied to criminal-category violations. Account is permanently closed, relevant logs are preserved, and the case is referred to appropriate authorities.
Important: If your VPS is generating problems for other users — whether through DDoS attack traffic, excessive channel saturation, or abnormal disk subsystem load — AlexHost reserves the right to throttle resources or terminate service immediately and without prior notice. In such cases, migration to a Dedicated Server may be offered as an alternative, isolating your workload from shared infrastructure entirely.
The Compromise Exception: What It Covers and What It Does Not
Several prohibited categories include a "unless your server has been hacked" qualifier. This is not a blanket immunity clause. It is a recognition that legitimate server operators can become unwitting participants in abuse through no fault of their own — and that punishing them identically to intentional abusers is counterproductive.
The compromise exception applies when:
- You proactively notify AlexHost upon discovering the breach
- You take immediate steps to contain the compromise (taking the instance offline, revoking credentials, isolating the affected service)
- You cooperate fully with any investigation
- The abuse stops within a reasonable remediation window
The compromise exception does NOT apply when:
- You were notified of abuse and failed to act
- The "compromise" is used as a recurring excuse for repeated incidents
- The violation falls into the zero-tolerance categories (CSAM, in particular)
- You attempt to continue operating the compromised service while claiming remediation
Practical security recommendations to avoid compromise:
- Disable password authentication on SSH; use Ed25519 or RSA-4096 keys only
- Run `fail2ban` or `sshguard` to block brute-force attempts
- Keep all software (OS packages, web applications, CMS plugins) patched and current
- Use a Web Application Firewall (WAF) in front of any public-facing web application
- Monitor outbound connections with tools like `netstat`, `ss`, or `auditd` for anomalous behavior
- Configure outbound firewall rules (`iptables` or `nftables`) to restrict unexpected egress traffic
If you are running a mail server, consider pairing your VPS Hosting with properly configured Email Hosting infrastructure that includes built-in spam filtering and DKIM/DMARC/SPF enforcement, reducing the risk of your mail infrastructure being exploited for spam relay.
Comparison: Intentional Abuse vs. Compromised Server — Policy Treatment
| Scenario | Intentional Abuse | Compromised Server |
|---|---|---|
| Email spam | Immediate suspension | Warning + remediation window |
| Malware hosting | Immediate suspension | Warning + remediation window |
| CSAM | Permanent termination + law enforcement | Permanent termination + law enforcement |
| DDoS participation | Immediate suspension + possible legal referral | Warning + remediation window |
| Carding infrastructure | Immediate suspension + legal referral | Case-by-case review |
| IP blacklisting | Traffic restriction + warning | Warning + remediation support |
| Repeat incidents | Permanent termination | Permanent termination |
Refund Policy on Violations
This point requires unambiguous clarity: no refund is issued for accounts terminated due to AUP violations, regardless of the remaining service period. This applies whether the termination results from intentional abuse or from a compromise that was not remediated in time.
This policy exists because the costs incurred by AUP violations — IP reputation remediation, network engineering time, potential legal exposure, and harm to neighboring customers — frequently exceed the value of the subscription being terminated.
Choosing the Right Infrastructure for High-Resource or Sensitive Workloads
If your legitimate use case involves high outbound traffic volumes, intensive network activity, or workloads that could be misidentified as abusive by automated systems, a Dedicated Server provides complete physical isolation from other tenants. There is no shared uplink contention, no neighboring tenant impact, and greater flexibility in configuring network-level security controls.
For workloads requiring GPU compute — including machine learning inference, rendering, or scientific computation — GPU Hosting provides the appropriate resource profile without the risk of triggering abuse detection systems designed for general-purpose VPS instances.
For standard web projects where resource demands are predictable and modest, Shared Web Hosting provides a cost-effective environment with platform-level abuse controls already in place, reducing the administrative burden on the account holder.
Technical Key-Takeaway Checklist
Before deploying any workload on an AlexHost VPS, verify the following:
- SSH hardened: Password authentication disabled, key-based auth only, non-default port considered
- Firewall configured: Both inbound (`INPUT`) and outbound (`OUTPUT`) chains defined in `iptables`/`nftables`
- Mail server (if applicable): SPF, DKIM, and DMARC records published; outbound rate limiting enabled; open relay test passed
- Software patched: OS-level packages, web frameworks, CMS plugins all current
- Monitoring active: Outbound connection monitoring, failed login alerting, disk I/O anomaly detection
- Backups isolated: Backup jobs scheduled during off-peak hours with rate limiting to avoid I/O saturation
- Content reviewed: All hosted content verified against AUP categories before going live
- Incident response plan: Know how to take your instance offline quickly if a compromise is detected
- Abuse contact saved: AlexHost support contact stored and accessible independently of the server itself
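One way to check the "SSH hardened" item above, and the earlier recommendation to disable SSH password authentication, as an added example that is not AlexHost tooling or code from the original page. It applies sshd's first-value-wins rule to `sshd_config` text; the sample configs, the function names and the defaults table are assumptions made for the illustration.

```python
import re

# Values assumed when a keyword is absent (OpenSSH defaults, treated as assumptions here).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "port": "22"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYWORDS = ("passwordauthentication", "kbdinteractiveauthentication")

# Constructed configs, not taken from a real host.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
# Appended later by a hardening script; no effect, the keyword is already set
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

def effective_settings(config_text):
    """Return (global settings, [(match criteria, keyword, value)])."""
    # Include files are not followed; `sshd -T` output can be passed in instead.
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            match = value  # following lines apply only to this Match block
        elif match is not None:
            overrides.append((match, keyword, value.lower()))
        else:
            settings.setdefault(keyword, value.lower())  # sshd keeps the first value
    return {**DEFAULTS, **settings}, overrides

def audit(config_text):
    """Return findings against the 'SSH hardened' checklist item; [] means pass."""
    eff, overrides = effective_settings(config_text)
    findings = [f"{kw} is effectively '{eff[kw]}'" for kw in PASSWORD_KEYWORDS
                if eff[kw] != "no"]
    if eff["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off, so key-based login is unavailable")
    findings += [f"Match {crit} re-enables {kw}" for crit, kw, val in overrides
                 if kw in PASSWORD_KEYWORDS and val != "no"]
    if eff["port"] == "22":
        findings.append("info: sshd listens on the default port 22")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONFIG)))
```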
Frequently Asked Questions
What happens if my VPS gets hacked and starts sending spam before I notice?
AlexHost distinguishes between intentional abuse and server compromise. If you are notified of spam originating from your instance, respond immediately, take the affected service offline, and open a support ticket with details of your remediation steps. A reasonable remediation window will be provided. Failure to respond or repeated incidents will result in suspension regardless of claimed compromise status.
Can I run a penetration testing lab or security research environment on a VPS?
Security research is permitted provided all testing is confined to infrastructure you own or have explicit written authorization to test. Scanning, probing, or attacking any third-party IP — even as part of a "controlled" exercise — violates the AUP. For high-volume testing environments, a Dedicated Server is strongly recommended to avoid any impact on shared network infrastructure.
Will I receive a warning before my account is suspended for a violation?
It depends on the violation category. Lower-severity first-time incidents typically receive a warning with a remediation deadline. Serious violations — active DDoS participation, CSAM, carding infrastructure — result in immediate suspension with no prior warning. The severity of the violation, not the account history, determines the response tier.
Why is "testing" a DDoS attack against my own server prohibited?
Because the physical network infrastructure is shared. High-volume traffic directed at your VPS IP traverses the same uplinks used by other customers on the same host node and network segment. The network cannot distinguish test traffic from a real attack. The congestion, packet loss, and latency caused by your "test" are real and affect real customers.
What is the fastest way to get my IP removed from a blacklist after a compromise?
First, eliminate the source of abuse entirely: remove malicious scripts, rotate all credentials, patch the exploited vulnerability, and verify with outbound traffic monitoring that the abuse has stopped. Then submit delisting requests directly to each blocklist (Spamhaus, SpamCop, AbuseIPDB each have web-based delisting portals). Simultaneously, notify AlexHost support with evidence of remediation. Some blocklists auto-delist after a quiet period; others require manual review. Spamhaus SBL listings in particular require demonstrated remediation and can take several days to resolve.
