
M3AAWG Issues New Papers Explaining Password Security, Multifactor Authentication, Encryption Use and DDoS Safeguards; Announces 2017 Leadership and Committee Chairs

San Francisco, April 4, 2017 – Addressing current threats such as DDoS attacks and Internet of Things security, the Messaging, Malware and Mobile Anti-Abuse Working Group has released five new best practices papers and created new special interest groups to develop cybersecurity approaches that will help protect end-users. The organization also announced its 2017 leadership and committee chairs who are responsible for supporting the group’s ongoing collaborative efforts and identifying new areas of online vulnerability.

The new best practices papers outline recommended processes to help companies and service providers better safeguard their networks and are based on the experience of anti-abuse experts in computer security, business, public policy and academia.  The papers are:

M3AAWG currently has 42 papers available on its website under the For the Industry tab in its Best Practices section at /published-documents.  These best practices and tutorials address both emerging and ongoing anti-abuse challenges, such as methods to counter pervasive monitoring, abuse desk processes, anti-phishing and spam techniques, recommended senders best practices and other relevant topics.

Special Interest Groups Focus on Global Issues

M3AAWG also formed a new Internet of Things SIG to coordinate members’ efforts in resolving abuse issues from compromised IoT devices.  The new special interest group will develop reputation guidelines and processes for the supply chain while promoting consumer security awareness and working with manufacturers to build better security into devices.

The M3AAWG DDoS SIG is focused on helping ISPs, hosting companies and third-party DDoS security service providers understand existing and emerging Distributed Denial of Service attack types. It is developing additional papers that will explain prevention methods, monitoring and mitigation architectures, and business strategies.

2017 Leadership Takes the Helm

Along with finalizing the papers during the M3AAWG 39th General Meeting in San Francisco last month, Severin Walker, senior manager, Comcast Anti-Abuse Engineering, was elected the new Chairman of the M3AAWG Board. He has contributed to the organization over the past five years as a Board member and a chair of the M3AAWG Technical Committee. 

Also elected at the February 23 Board meeting were vice chairpersons Janet Jones, senior security program manager in Microsoft’s Trustworthy Computing Security organization; Len Shneyder, SendGrid, Inc. vice president of industry relations; and Matthew Stith, Rackspace anti-abuse specialist. Sam Silberman, Endurance International Group director of standards and industry relations, will serve his fourth term as treasurer and Jerry Upton continues as executive director.

Most of the work and best practices in M3AAWG are generated through dialogue among industry professionals in topical committees.  The committees meet on regularly scheduled conference calls and during the three M3AAWG working meetings each year to develop the anti-abuse recommendations and other projects.

“M3AAWG provides a critical space where hundreds of subject matter experts from across the spectrum can collaborate in a trusted and vetted environment and, because of this, our work is important for the long-term security of the internet. M3AAWG committees provide the structure – they are the super-highways – that ensure these discussions are meaningful and address the critical issues. So eventually, the volunteer M3AAWG committee chairs are the ones who keep the energy and our work flowing,” Walker said in announcing the 2017 committee chairs:

  • Abuse Desk Co-Chairs Charles Helstein, PayPal; Tobias Knecht, Abusix, Inc.; and Justin Paine, Cloudflare
  • Academic Committee Co-Chairs Dr. Manos Antonakakis, Georgia Tech, and Carel, Spamhaus
  • Anti-Phishing SIG Co-Chairs Carlos Alvarez, ICANN, and Chelsea Maldonado, Mailchimp
  • Awards Committee Co-Chairs Christine Borgia, Return Path, and Neil Schwartzman, CAUCE
  • Brand SIG Co-Chairs Ryan Boyd, Groupon, and Mike Hammer, AG Interactive
  • Collaboration Committee Co-Chairs Stephen Ford, Adobe Systems Inc.; Sven Krohlas, 1 & 1 Internet SE; and Mary Youngblood
  • DDoS SIG Co-Chairs Mike Glenn, Cable Television Laboratories, Inc., and Glen Pirrotta, Comcast
  • Hosting Committee Co-Chairs Matthew Stith, Rackspace, and Justin Lane, Endurance International Group
  • Information Sharing SIG Co-Chairs Chris Boyer, AT&T, and Doug Pearson, REN-ISAC
  • Internet of Things SIG Co-Chairs M3AAWG Senior Technical Advisor Michael O’Reirdan and Chris Roosenraad, NeuStar
  • M3AAWG Guides Co-Chairs Alyssa Nahatis, Adobe Systems, Inc., and M3AAWG Privacy Advisor William Wilson, Breckenhill Inc.
  • M3AAWG meeting Open Round Tables Co-Chairs Melinda Plemel, Proofpoint, and Vincent Schonau, Abusix
  • Pervasive Monitoring SIG Co-Chairs Janet Jones, Microsoft, and Alex Brotman, Comcast
  • Program Committee Co-Chairs Kurt Andersen, LinkedIn; Dennis Dayman, Return Path; and Len Shneyder, SendGrid, Inc.
  • Public Policy Committee Co-Chairs Frank Ackerman, M3AAWG Public Policy Advisor; Chris Boyer, AT&T; and Chris Roosenraad, NeuStar
  • Senders Committee Co-Chairs Andrew Barrett, Adobe Systems, Inc., and Tara Natanson, Endurance International Group
  • Technical Committee Chair Severin Walker, Comcast.  The Technical Committee area co-chairs are:
      • Messaging - Peter Goldstein, ValiMail, and James Hoddinott, Cloudmark, Inc.
      • Malware - Jeremy Demar, Vigilant By Deloitte, and Loucif Kharouni, Deloitte
  • Training Committee Co-Chairs Christine Borgia, Return Path; Kurt Diver, SendGrid, Inc.; Annalivia Ford, IBM; and Udeme Ukutt, Splio
  • Voice and Telephony Abuse SIG Co-Chairs Alex Bobotek, AT&T, and Dr. Mustaque Ahamad, Georgia Tech
  • Women in Messaging Abuse/Diversity and Inclusion Chair Janet Jones, Microsoft

Additionally, M3AAWG Senior Technical Advisor John Levine, founder of Taughannock Networks, was appointed M3AAWG liaison to ICANN.  Jesse Sowell continues as a special M3AAWG representative to LACNIC, the Latin America and Caribbean Network Information Center, and is helping to develop joint anti-abuse work with that organization.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.M3AAWG.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

#  #  #

Media Contact: Pr@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure; and Yahoo! Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Intel Security; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; MAPP Digital; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Sprint; Symantec; and USAA.

A complete member list is available at /about/roster.


André Leduc Receives M3AAWG 2016 JD Falk Award for Operation Safety-Net and CASL Work that Protects Online Users

Paris, France Oct. 25, 2016 – The lead architect of both a comprehensive report that demystifies online threats for the general public and an important Canadian law that has appreciably reduced spam has received the M3AAWG 2016 JD Falk Award for his contributions to a safer online world.  André Leduc was recognized for spearheading the global Operation Safety-Net best practices report and for his role in developing the Canadian Anti-spam Legislation that requires marketers to obtain users' permission before sending commercial email.

The award was announced Oct. 25 during the four-day M3AAWG 38th General Meeting in Paris. The Messaging, Malware and Mobile Anti-Abuse Working Group presents the award annually to recognize an "unsung hero" working behind the scenes to protect the internet and end-users.

"Both of these accomplishments have been widely embraced by the anti-abuse community as valuable tools in fighting spam and other cybercrime. Operation Safety-Net makes cybersecurity accessible to mainstream, non-technical users by cutting through the complicated techno-jargon about keeping our devices safe, and the anti-spam law known as CASL has dramatically reduced junk mail in Canada and beyond. Neither of these projects would have come to fruition without André's meticulous attention to detail, his dedicated effort that went well beyond expectations, and his persistent leadership," said Michael Adkins, M3AAWG Chairman of the Board.

Leduc is the acting director of business, intelligence and analysis, and digital security policy, at the Canadian Department of Innovation, Science and Economic Development. He also served as a voluntary secretariat co-lead for the London Action Plan/Unsolicited Communications Enforcement Network and facilitated the cooperative work between M3AAWG and LAP/UCENet that resulted in the jointly published report. A video with Leduc explaining the motivation behind these two projects is available on the M3AAWG YouTube channel at www.youtube.com/maawg.

Operation Safety Net for Business, Government and End-Users

Operation Safety Net – Best Practices to Address Online, Mobile, and Telephony Threats is a 76-page report written by security experts from around the world that describes current cyber issues facing business, government and end-users with the proven techniques to protect against them. Leduc spearheaded the project, which was originally requested by the Organisation for Economic Co-operation and Development, and compiled the submitted material into a coherent report.

Leduc said, "Translating our technical and engineering way of talking into plain language was probably the most important part of this work. We wanted to create a report that a security officer or an engineer could give to colleagues and management to help them understand cyber attacks and why their organizations might be targeted. We also wanted to make it easy for government policy makers in both the developed and developing countries, where they may not have much technical experience, to take action."

The original report was published in 2012 then updated in 2015. The latest version covers malware and botnets; phishing and social engineering; internet protocol and domain name system (DNS) exploits; and mobile, voice over IP (VOIP) and telephony threats.  Originally published in English, it has been translated into French and Spanish, reaching much of the world's population. The report is available in these languages at www.m3aawg.org under Best Practices.

CASL Effective Beyond Canada

Leduc also was the lead architect developing the policy and legal frameworks for the Canadian Anti-spam Legislation that set a new standard for sending marketing messages when it went into effect in 2014.  The law applies to commercial or promotional information sent through email, SMS, instant messaging or social media. It also covers software installations and mobile apps. 

CASL requires marketers to obtain a user's permission to receive a commercial message before it is sent, a process known as "opt-in" that is more effective in fighting abuse and spam. For example, under the law, users need to voluntarily sign up for a mailing list or have an existing business relationship with an organization before marketers can send them related emails. Since CASL applies to all messages sent to users in Canada, including those originating from other countries, it has encouraged the voluntary adoption of opt-in practices internationally.

"The volume of spam on Canadian networks has decreased by more than a third since CASL went into effect. We have also seen a high level of compliance from senders in the countries to our south, throughout Europe, and even in Asia. Many international senders are now getting consent prior to sending commercial electronic messages to our users," Leduc said.

Leduc began work on establishing the concepts and language for CASL in 2009.  He has specialized in cybersecurity since 2004 when he led OECD ecommerce business working groups and then became part of an expert subgroup on high-tech crimes in 2004. He has represented Industry Canada (now Innovation Science and Economic Development Canada) at the OECD, the G7 and G8 summits, and the Wassenaar Arrangement.

The M3AAWG 38th General Meeting is the organization's annual European meeting and has brought together more than 350 security experts from 30 countries.  The working meeting features more than 50 sessions with network operators, social networking companies, hosting and cloud services providers, email service providers, academic researchers and public policy advisors sharing information on the latest cyber threats. The next meeting will be February 20-23, 2017 in San Francisco.


M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); Facebook; Google; LinkedIn; Message Systems; Mailchimp; Microsoft Corp.; Orange (NYSE and Euronext: ORA); Return Path; SendGrid, Inc.; Charter Communications; Vade Secure; and Yahoo! Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM, iContact; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; MAPP; McAfee Inc.; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Rackspace; Spamhaus; Sprint; and Symantec.

A complete member list is available at /about/roster.

Time To Talk Digital Issues At WTO With Focus On Developing Countries, Forum Hears

https://www.ip-watch.org/2016/09/30/time-to-talk-digital-issues-at-wto-w...

. . . dealt with by internet governance organisations such as ICANN (Internet Corporation for Assigned Names and Numbers), the UN-backed Internet Governance Forum, Internet Engineering Task Force, and the Messaging Anti Abuse Working Group.