As you may know, I run my own web hosting business called Akmai.net Web Hosting (soon to be CORBAWeb) and I host about 45 active domains for a small but dedicated base of 15-20 clients. Running a web hosting business is not particularly difficult, especially with software like CPanel (to give the customer easy access to common domain related functions like email, subdomains, etc), WHM (to allow the administrator to control nearly all aspects of running a web server, including DNS, shell access, etc) and WHM.AutoPilot (to assist with billing, invoicing and automatic account creation).
You might be thinking, "if running a web hosting business was so easy why wouldn't everyone be doing it?". Everyone is doing it and that is the reason 90% of the email on the Internet is spam! There are so many inexperienced web host administrators who don't understand the technology behind the software they're using because wonderful applications like CPanel and WHM remove that requirement (don't get me wrong, I love CPanel and WHM). All the people who jump at the chance to run their own web hosting business need to understand there is more to it than just creating accounts and watching your Paypal balance increase -- there is great responsibility that comes with running a web hosting business and there is no room for incompetence.
Let me give you an example. Late this morning my Blackberry beeped to indicate an incoming email. No big deal -- I hear that beep dozens of times throughout the day. But the beeping didn't stop -- it kept beeping as if it was an alarm. Sure enough, I had 12 "Mail Delivery Failed" messages. Then 13. Then 14. After about 40 seconds it was up to over 100 messages. I instantly knew what this meant. Someone, or some thing, was sending a huge number of emails from my web server and the vast majority of those were bouncing back because the recipient email address was invalid. A quick check of the server showed over 20,000 emails had already been sent.
With the help of an on-site engineer, at the data center where my server is located, I was able to track down the origin of the email spamming. It was coming from a mail form installed on one of the domain on my server. The form wasn't anything harmful, and neither was the domain (nor the person who owned the domain), but the mail form wasn't secure. It didn't have any type of captcha installed to prevent a spam bot from submitting endless requests to the script. A spam bot crawling the web for insecure forms found the script hosted on my server and started using it to send a 'Paypal Account Notice' email designed to phish account details from the recipient. I quickly deleted the script from my server and had any remaining messages purged from the mail queue.
This is a perfect example of how incompetent web host server administrators are to blame for all the Internet's spam. If I didn't allow myself to be bothered on my Blackberry with all the "Mail Delivery Failed" messages for my server (including legitimate ones), I wouldn't have discovered this was happening as quickly as I did. Most people simply let those emails drop into an Inbox somewhere and forget about them. If 20,000+ messages were sent out in the 5 minutes it took me to discover and fix the problem, how many messages would have been sent out if I didn't discover the problem for a few hours? Or a few days?
You cannot blame the creator of the mail script, because while the programmer might understand that his script needs additional security before being used in the real world, a web designer will simply upload the script to a web server and expect it to work. This means that there will always be instances where a faulty script is utilized in a malicious way by someone with bad intentions. So who is responsible? The system administrator is responsible. It's his job to make sure everything runs smoothly and there is no room for incompetence. How many web host administrators regularly read their logs for suspicious activity or broken software? I read akmai.net's logs on a daily basis.
Web hosting is not for everyone because many people lack the technical understanding, the competence, and the time required to properly manage a web server. If you're running your own personal web server at home, fine. If you're running your own mail server, I hope you know what you're doing. If you're running a web server that's located in a data center with lots of bandwidth and you're hosting domains, email, and DNS for people you don't know very well, then you'd damn well better know what you're doing and understand the nasty things that exist out there on the Internet. You will be attacked. Be prepared.