M3AAWG Commends U.S. Homeland Security for Adopting Online Anti-Abuse Technologies to Protect Users; DHS Chief Cybersecurity Official Keynotes M3AAWG Meeting
San Francisco, February 20, 2018 – Providing increased protection for people who use email and websites to communicate with the U.S. government, most federal civilian agencies have begun to adopt additional anti-abuse technologies outlined in a recent U.S. Department of Homeland Security directive. The DHS will be recognized for this progress when its chief cybersecurity official presents the keynote address at the M3AAWG 42nd General Meeting in San Francisco tomorrow.
“Over two-thirds of agencies have taken critical steps in enhancing email security and protecting users against email spoofing, up from less than 20 percent on the day the directive was issued,” said Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications, DHS. “It is crucial for U.S. citizens to trust that an email from a government agency is legitimate.”
M3AAWG Chairman of the Board Severin Walker said, “We estimate that only about 35 percent of Fortune 500 companies are using DMARC today so this high adoption rate is a significant accomplishment, along with implementing the other security measures in the directive. Several of the major data breaches we've seen recently have started from phishing emails, which can be hard to identify, but these steps can help prevent these fake messages from getting to users and are important in protecting American citizens.”
DHS issued the directive in October 2017 calling for civilian agencies within the federal government to adopt proven industry standards over the course of a year that can help safeguard the confidentiality of internet-delivered data, minimize spam and protect against phishing. Binding Operational Directive 18-01 requires agencies to:
- Enable STARTTLS for better email security. This “opportunistic TLS” protocol supports encrypted email as it moves across the internet and helps protect against man-in-the-middle attacks where criminals eavesdrop on email communications without the users’ knowledge. (See TLS for Mail: M3AAWG Initial Recommendations for background information.)
- Improve email authentication by using SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance), making spam and phishing emails easier to identify and block.
- Improve web security with HTTP Strict Transport Security (HSTS) so that users’ browsers select the more secure HTTPS address option when navigating to a government agency’s website.
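To make the three directive items concrete, here is an added offline audit (example code, not M3AAWG's or DHS's) that scores constructed EHLO capabilities, SPF and DMARC TXT records and an HSTS header for a fictitious example.gov domain. The pass thresholds it applies (STARTTLS offered, SPF ending in -all, DMARC p=reject with rua reporting, HSTS max-age of at least a year) are this example's assumptions, not quotations from the directive.

```python
"""Offline audit of the three BOD 18-01 items against constructed records. Added
example, not M3AAWG or DHS code; pass thresholds (STARTTLS offered, SPF -all,
DMARC p=reject with rua reporting, HSTS max-age >= 1 year) are assumptions."""
import re

def tags(record):
    """Parse a 'k=v; k=v' DMARC-style record into a lowercase-key dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_starttls(ehlo_lines):
    """EHLO capability lines look like '250-STARTTLS'; the MX must offer it."""
    caps = {line[4:].strip().upper() for line in ehlo_lines}
    return "ok" if "STARTTLS" in caps else "missing"

def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # more than one SPF record is a permanent error
        return "missing" if not spf else "multiple"
    return "ok" if spf[0].rstrip().endswith("-all") else "softfail only"

def check_dmarc(dmarc_txt):
    t = tags(dmarc_txt or "")
    if t.get("v") != "DMARC1":
        return "missing"
    policy = t.get("p", "none").lower()
    if "rua" not in t:  # without aggregate reports the agency never sees spoofing
        return policy + ", no reporting"
    return "ok" if policy == "reject" else policy

def check_hsts(headers):
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return "missing"
    m = re.search(r"max-age=(\d+)", value)
    if not m or int(m.group(1)) < 31_536_000:  # one year in seconds
        return "short max-age"
    return "ok" if "includesubdomains" in value.lower() else "ok, no subdomains"

def audit(d):
    """Run all four checks on one domain's recorded data."""
    return {"starttls": check_starttls(d["ehlo"]), "spf": check_spf(d["txt"]),
            "dmarc": check_dmarc(d.get("dmarc")), "hsts": check_hsts(d["headers"])}

# Constructed sample for a fictitious agency domain (not real DNS or HTTP data)
SAMPLE = {"ehlo": ["250-mail.example.gov", "250-SIZE 52428800", "250 8BITMIME"],
          "txt": ["v=spf1 include:_spf.example.gov ~all"],
          "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
          "headers": {"Strict-Transport-Security": "max-age=300"}}
```

Running `audit(SAMPLE)` on the constructed domain reports every item as still short of the end state, which is the kind of gap the directive's one-year timeline is meant to close.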
All of the cited technologies were developed or actively championed by M3AAWG over the last several years and are often referenced in the best practices documents it publishes to help the industry fight online abuse and crime. This includes Operation Safety-Net, Best Practices to Address Online, Mobile and Telephony Threats, which M3AAWG co-published with UCENet (Unsolicited Communications Enforcement Network, formerly the London Action Plan), describing exploitations aimed at businesses and governments with expert advice on how to protect against them, according to Walker.
An M3AAWG certificate of merit will be presented to the DHS on February 21 during the keynote for the work by the National Protection and Programs Directorate’s CS&C Office in implementing these standards across its civilian agencies. The M3AAWG 42nd General Meeting is expected to attract over 500 security experts, public policy advisors, law enforcement personnel and researchers during the February 19-22 event. It will offer over 50 sessions with authorities sharing information on email and text messaging, mobile and telephony threats, malware, Internet of Things security, hosting and cloud services, and DNS abuse.
About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.
# # #
Media Contact: pr@m3aawg.org
M3AAWG Board of Directors: AT&T (NYSE: T); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Microsoft Corp.; Oath (Yahoo and AOL); Orange (NYSE and Euronext: ORA); Proofpoint; Rackspace; Return Path; SendGrid, Inc.; Vade Secure and Verisign.
M3AAWG Full Members: 1&1 Internet AG; Agora, Inc.; Akamai Technologies; Cisco Systems, Inc.; CloudFlare; Cyren; ExactTarget, Inc.; IBM; iContact/Vocus; Inteliquent; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; McAfee Inc.; Mimecast; Oracle Marketing Cloud; OVH; PayPal; Rackspace; Spamhaus; SparkPost; Splio; Symantec; USAA; and Valimail
A complete member list is available at /about/roster.
M3AAWG Glossary
Abbreviations, Jargon and Selected Terms of Art Commonly Used in M3AAWG
You can also download the M3AAWG Glossary as a PDF. Please send updates to this listing to yadira@m3aawg.org.
M3AAWG Recommends Adding New Email Header to Mitigate List Bomb Attacks from Subscription Sign-Up Forms
San Francisco, November 29, 2017 – Noticing an increase in “list bomb” activity, the Messaging, Malware and Mobile Anti-Abuse Working Group is recommending all blogs and websites with a newsletter or sign-up form add a new header to their verification emails that will help identify and disrupt these attacks. The assault tactic is often used to hide security alerts of illicit activities or to prevent someone, such as a journalist, from receiving vital information.
In these assaults, also called web-form sign-up attacks, criminals use bots to subscribe their targeted victims to thousands of newsletters or other services that automatically send verification emails. The resulting surge of confirmation emails, in effect, creates a DDoS (Distributed Denial of Service) attack against the user’s inbox. Very often, buried within the unmanageable mountain of verification messages is a notice from a credit card company or other financial institution outlining a forged transaction, or an account password reset alert, that the victim will never see.
“A few years ago, a torrent of useless verification messages bombarding a user’s inbox was an isolated event and was probably the result of a grudge against someone. But today criminals have started using these attacks to subvert the security notifications that many banks, services and e-tailers are now sending. Their aim is to submerge the specific alert email with details of their fraudulent activities under a sea of meaningless messages or to deny a journalist or activist access to their email altogether,” said Severin Walker, M3AAWG Chairman of the Board.
Industry Collaboration Leads to IETF Internet Draft Header Specification
The new message header specification has been submitted to the IETF (Internet Engineering Task Force) as an Internet-Draft at https://datatracker.ietf.org/doc/draft-levine-mailbomb-header/ and is explained in a short paper, M3AAWG Recommendation on Web Form Signup Attacks (www.m3aawg.org/WebFormAttacks), available in the Best Practices section of the M3AAWG website. The new header specifically identifies messages that originate as verification emails from a web form, such as a subscription confirmation email, so that ISPs and email providers can take action to protect a user’s inbox when an extraordinarily high volume of these messages comes across their networks.
M3AAWG also recommends that all public subscription and web forms install one of the readily available CAPTCHA image or text challenges used to tell humans from automated sign-ups. This will help protect against bots misusing the site’s verification emails in an attack.
The header concept came out of discussions at the M3AAWG meeting in June among members who noted a significant increase in these attacks. An ad hoc technical session at the meeting with members from different segments of the messaging industry resulted in M3AAWG Senior Technical Advisor John Levine drafting the specification. At the following meeting in October, the first members to implement the new specification shared their experiences and reported the process was sustainable.
Levine said, “Criminals routinely use bots to crawl the global web looking for the millions of blogs and newsletter sign-up forms that don’t have CAPTCHA, then use these sites, with their weaker security, to sign up victims as part of an attack. The new header is another level of protection that can have a significant impact on preventing list bombing and we are encouraging email service providers to implement it as soon as possible.”
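The receiving-side action the header enables, as an added example that is not M3AAWG's or the draft's code: a mailbox provider keys on the `Form-Sub: yes` field the cited draft proposes, holds tagged confirmations once a recipient receives an abnormal burst of them, and lets untagged mail such as a bank's fraud alert through untouched. The 10-minute window, the 20-message limit and the sample messages are this example's own constructions.

```python
"""Mailbox-side throttle for web-form confirmation floods. Added example, not
M3AAWG code; it keys on the 'Form-Sub: yes' field the cited draft proposes, and
the 10-minute window and 20-message limit are this example's own choices."""
from collections import defaultdict, deque
from email import message_from_string
from email.utils import parseaddr

class FormSubThrottle:
    def __init__(self, window=600, limit=20):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)  # recipient -> arrival times of form mail

    def classify(self, raw, now):
        """Return 'deliver' or 'quarantine' for one raw message seen at 'now'."""
        msg = message_from_string(raw)
        rcpt = parseaddr(msg.get("To", ""))[1].lower()
        # Only tagged web-form confirmations are ever held; a bank alert or
        # password-reset notice carries no Form-Sub header and always passes.
        if msg.get("Form-Sub", "").strip().lower() != "yes":
            return "deliver"
        q = self.seen[rcpt]
        while q and now - q[0] > self.window:  # drop arrivals outside the window
            q.popleft()
        q.append(now)
        return "quarantine" if len(q) > self.limit else "deliver"

def build(sender, form, subject="Confirm your subscription"):
    """Construct a minimal sample message (not captured traffic)."""
    hdr = "Form-Sub: yes\n" if form else ""
    return (f"From: {sender}\nTo: victim@example.org\n{hdr}"
            f"Subject: {subject}\n\nSee message body.\n")

def simulate(n_forms=50):
    """n_forms confirmations arrive one second apart, then a bank alert."""
    t = FormSubThrottle()
    verdicts = [t.classify(build(f"list{i}@example.net", True), now=i)
                for i in range(n_forms)]
    alert = t.classify(build("alerts@bank.example", False,
                             "Unrecognised card transaction"), now=n_forms)
    return verdicts.count("deliver"), verdicts.count("quarantine"), alert

if __name__ == "__main__":
    print(simulate())  # (20, 30, 'deliver')
```

Sites that do not add the header are invisible to this filter, which is why the recommendation pairs the header with CAPTCHA on the form itself.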
Web form attacks will continue to be monitored at the next M3AAWG meeting to be held February 19-22, 2018 in San Francisco. The multiple-track event is expected to attract more than 500 participants with sessions addressing diverse topics such as bot mitigation practices, social networking abuse, mobile abuse and pending legislation worldwide.
About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.
# # #
Also see the ProPublica article Hackers Shut Down ProPublica’s Email For a Day.
Media Contact: Linda Marcus, APR, +1-714-974-6356 (U.S. Pacific), LMarcus@astra.cc, Astra Communications
M3AAWG Board of Directors: AT&T (NYSE: T); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Oath (Yahoo and AOL); Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure.
M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Exact Target, Inc.; IBM; iContact; Inteliquent; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; McAfee; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Splio; Sprint; Symantec; and USAA.
A complete member list is available at /about/roster.
Hackers Shut Down ProPublica’s Email For a Day. Here’s How to Stop Attacks Like That.

ProPublica's Julia Angwin augments her earlier "list bomb" article with information on what can be done to prevent these attacks.
How Journalists Fought Back Against Crippling Email Bombs

https://www.wired.com/story/how-journalists-fought-back-against-cripplin...
Wired Magazine published ProPublica journalist Julia Angwin's account of how she and colleagues were "list bombed" and discusses the growing problem, including a preventive strategy developed by M3AAWG.
