A network-based content management system can store a vast quantity of data (content items) for many thousands of users. Typically, a network content management system allows users to upload, store and retrieve content items to and from the network servers managed by the content management system. Additionally, the content management system can provide functionality that allows one user to share content items managed by the content management system with other users of the service. This content sharing feature can allow a malicious user to share or distribute malicious content to other users of the content management system. Moreover, to avoid detection, a malicious user can create multiple accounts from which to spread malicious content.
To combat the spread of malicious content, a content management system could run a virus scan on each content item uploaded, stored or shared from the storage servers of the service. However, with terabytes, petabytes and even exabytes of data stored, it is not practical for the content management system to run a virus scan on each content item stored at the content management system. Thus, a mechanism is needed by which the content management system can prevent the spread of malicious content (e.g., malware, viruses) and close down malicious user accounts, while not being burdened with scanning every content item stored by the content management system.