
M3AAWG Expert Advisors

M3AAWG Expert Advisors are highly respected experts chosen for their skills and industry proficiency.  The M3AAWG Expert Advisors provide industry-leading insight, perspectives and content for our members. Expert Advisors contribute to the success of M3AAWG by their work in our Priority Committees, Special Interest Groups (SIG) and on our Initiatives.  

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) Privacy Notice

May 7, 2019 - Version 1.2 - Download the M3AAWG Privacy Notice

We know that your privacy is important. At M3AAWG we are committed to helping you understand how we manage and protect it. This Privacy Notice is provided to inform you of our privacy policies, data collection and usage practices, and our communications with Members and Non-members.

Taking on Calendar Spam, Scheduling Developers Organization CalConnect Collaborates with Messaging Anti-Abuse M3AAWG

McKinleyville, CA and San Francisco, April 5, 2018 – Recognizing that calendar spam is a growing exploitation channel, CalConnect and the global anti-abuse association M3AAWG have joined forces to develop new methods to protect end-users from unsolicited and malicious event notices.  The new liaison between the scheduling developers’ organization and the Messaging, Malware and Mobile Anti-Abuse Working Group will accelerate industry efforts to develop techniques that block invites to fake events and other malicious notices on popular calendaring platforms.

Calendar spam is a new form of abuse that takes advantage of the application layer across multiple technologies, including scheduling, calendaring and messaging systems. For example, users have received fraudulent emails impersonating well-known brands that include calendar invites to special “discount” events.  As is the case with email spam, calendar spam can be used for malicious purposes such as phishing or to deliver malware payloads.

CalConnect (The Calendaring and Scheduling Consortium) also has established a new technical committee, TC CALSPAM, to better protect users from calendar system abuse. The committee aims to understand the current and potential use of calendar systems as a vector for delivering undesired information and will provide current information and guidelines on the topic to CalConnect and M3AAWG participants.

"Calendaring is an intimate part of everyone’s lives. Calendar spam is particularly unsettling because the abuse directly pops up on a person’s calendar.  It’s personally disruptive and especially disturbing," said Thomas Schäfer, 1&1’s Head of Technical Site Management who chairs TC CALSPAM.

Differs from Other Abuse Schemes

CalConnect and M3AAWG will develop the measures and best practices for developers and system operators to ensure legitimate usage of their platforms.  The collaborative effort is important because calendar spam is unique as an abuse vector in a number of ways:

  • Calendar spam, unlike email, can be placed chronologically anywhere in a calendar – in the past or the future, not just the present – making it difficult to detect at the time of delivery.
  • Spam meeting invitations can be automatically added to calendars without the users’ consent with notifications sent to all their devices. These invitations are not only difficult to find but, in some cases, there is no way for the user to remove these events short of deleting the entire calendar.
  • Calendar events and meeting invitations do not yet carry the rich provenance, i.e., the detailed header information that is included in email, making it difficult to ascertain where and when events originated and where they were delivered.
  • Calendar events often contain notifications or alarms that are propagated across a user’s many desktop and mobile calendaring clients, exacerbating the problem.

M3AAWG Executive Director Jerry Upton said, “Calendar spam has shown itself to be a new but rapidly maturing vector for spammers.  As we’ve seen in addressing other abuse issues in M3AAWG, cross-domain problems like this require input from experts in multiple disciplines and collaborating with CalConnect and their subject matter is the most direct route to combatting this evolving threat.”

Call for Industry Participation

The reciprocal membership agreement between the two organizations became effective in February and allows the calendaring and scheduling developers, vendors and service providers in CalConnect and the messaging and email authentication experts in M3AAWG to share information and work.  CalConnect members participated in the M3AAWG 42nd General Meeting in San Francisco in February, kicking off the joint work on applicable anti-abuse methodologies.  The 43rd M3AAWG General Meeting will be held June 4-7 in Munich, Germany.

CalConnect President Rutger Geelen said, “We recognize that calendar spam is a real threat and a growing problem. First and foremost, we endeavor to protect users against such abuse. Since event and meeting invitations are often delivered via email, it makes sense to collaborate with the messaging identity and authentication experts at M3AAWG in our effort to return full control of collaboration and communications to the end users themselves.”

Organizations interested in joining the CalConnect calendar spam committee should contact CalConnect Executive Director Dave Thewlis at dave.thewlis@calconnect.org or CalConnect Director of External Relations Ronald Tse at ronald.tse@calconnect.org

About The Calendaring and Scheduling Consortium (CalConnect)

CalConnect, The Calendaring and Scheduling Consortium, is a not-for-profit organization advancing the state of interoperable calendaring, scheduling and digital contacts. Founded in 2004 as a partnership between vendors and users of calendaring and scheduling tools and technologies, its membership includes some of the world’s largest software companies as well as small startups. Virtually every important calendaring-related standard since 2004 has been authored, edited, and/or co-edited by members of a CalConnect Technical Committee. http://www.calconnect.org.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy, and works to educate global policy makers on the technical and operational issues related to online abuse and messaging.

#  #  #

Media Contacts:

Ronald Tse, Director, External Relations, ronald.tse@calconnect.org, CalConnect (The Calendaring and Scheduling Consortium), https://www.calconnect.org

PR@m3aawg.org, M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group), https://www.m3aawg.org

Industry Anti-Spammer Pioneer Dave Rand Receives Lifetime Achievement 2018 M3AAWG Litynski Award

San Francisco, March 28, 2018 – Dave Rand, who co-founded the industry’s first reputation-based, anti-spam company and co-founded the first ISP to ban unsolicited junk mail, was honored with the lifetime M3AAWG Mary Litynski Award at the Messaging, Malware and Mobile Anti-Abuse Working Group’s 42nd General Meeting in San Francisco last month. Rand is one of the internet’s first anti-spammers and has been fighting online abuse for three decades.

“The internet was in its infancy when Dave took these stands, which were both brave and showed great foresight. At the time, different industry stakeholders fervently disagreed on whether marketers should be able to send email to users without their consent.  Each side hotly contested their view as the right one. Eventually, the volume of junk mail exploded, threatening both the email infrastructure and users’ patience, and the industry consensus shifted to the opt-in model recommended in the M3AAWG senders best practices and that Dave advocated for so many years ago,” M3AAWG Chairman of the Board Severin Walker said. 

In the early 1990s, Rand and internet pioneer Dr. Paul Vixie cofounded the first reputation-based DNS blacklist service that identifies IP addresses associated with abusive and junk messages, known as MAPS (Mail Abuse Prevention System – “spam” spelled backwards).  Its Real-time Blackhole list (RBL) is one of the best-known anti-spam services and is still widely used today by millions of people around the world.  But at the time, this innovative approach was extremely controversial and the nonprofit organization faced significant challenges from spammers and others within the industry.

In presenting the award, Dr. Vixie, Farsight Security Chairman, CEO and Cofounder; Internet Hall of Fame Inductee and M3AAWG member, said, “Dave has dedicated his life to improving how we live our lives on the internet. If there was a problem and Dave knew how to solve it in a way that was successful for the online community, even if there wasn’t any money to be made, he just did it.  Thanks to his sacrifice, expertise and hard work, we all enjoy a better world because of his contributions.”

At a time when the internet was just coming out of academia and military use to be available to the general public, Rand took a strong stand to protect end-users:

  • As co-founder of AboveNet, he managed the first ISP to filter spam on its network, proving to other internet service providers the profitability and business value of fighting abusive mail
  • He tirelessly ran MAPS and dedicated time to identifying abusive IP addresses, taking spammers’ complaint calls, and developing the organization’s long-term survival strategy
  • His company developed the first anti-spam customer policy
  • As the first anti-spam company, MAPS launched the anti-abuse industry and provided the initial training to many other pioneers who went on to develop other approaches to fighting cybercrime

In his acceptance remarks Rand said, “We had bomb threats and death threats, but we made a difference and created a line in the sand.  And it hasn’t been just about spam.  By the late 1990s, I realized this wasn’t going to be a simple ‘turn-the-handle and it’s done’ project.  It was something that needed to be addressed over the long-term.  Today, the topology has changed but the principle is the same and now it’s about standing up to malware in a much more complex environment.”

Rand also made great strides in other technological areas.  He co-developed the PC532, an early home computer based on a faster National Semiconductor microprocessor that was made available to hobbyists and early industry adopters. He co-developed EtherValve and MRTG, technologies to monitor and control bandwidth flow, and in 2004 he founded Bungi Communications, Inc., which provided IP transit services.

Anti-Spam MAPS Comes into the World

MAPS got its start in the early 1990s when spam began to appear regularly on the internet. Cofounder Vixie started compiling abusive IP addresses to share with other system admins that did not want junk mail on their networks. Cofounder Rand, through his ISP AboveNet, was Vixie’s first subscriber and provided regular updates to help maintain the accuracy and breadth of the spam list.

Rand and Vixie ran MAPS as part of AboveNet. “At MAPS, our employees were underpaid, overworked, and didn’t have enough equipment. They were the real heroes.  And I’m proud that many of them have gone on to develop new ways of fighting spam and to cultivate new companies,” Rand said. The MAPS work continued and was improved over the years, providing additional protection to millions of online users.

“I remember getting seven or eight spam emails a week in 1995.  Today I see more than two million a day in my filters. The industry coming together to collaborate in fighting abuse and spam is more important than ever.  Thank you for your efforts,” Rand said at the recent M3AAWG meeting.

The 2018 M3AAWG Mary Litynski Award was presented to Rand on February 20 during the four-day M3AAWG meeting that attracted 590 attendees from 26 countries.  The next M3AAWG meeting will be June 4-7, 2018 in Munich, Germany.

The award is presented annually to recognize the life-time achievements of a person whose work has significantly contributed to the safety of the online community.  More information about the M3AAWG award program that recognizes industry achievements protecting end-users is available at /awards.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

#  #  #

Media Contact: pr@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); Endurance International Group; Facebook; Google; LinkedIn; Marketo, Inc.; Microsoft Corp.; Oath (Yahoo and AOL); Orange (NYSE and Euronext: ORA); Proofpoint; Rackspace; Return Path; SendGrid, Inc.; Vade Secure and Verisign.

M3AAWG Full Members: 1&1 Internet AG; Agora, Inc.; Akamai Technologies; Cisco Systems, Inc.; CloudFlare; Cyren; eDataSource Inc.; ExactTarget, Inc.; IBM; iContact/Vocus; Inteliquent; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; McAfee Inc.; Mimecast; Oracle Marketing Cloud; OVH; PayPal; Spamhaus; SparkPost; Splio; Symantec; USAA; and Valimail.

A complete member list is available at /about/roster.