
Taking on Calendar Spam, Scheduling Developers Organization CalConnect Collaborates with Messaging Anti-Abuse M3AAWG

McKinleyville, CA and San Francisco, April 5, 2018 – Recognizing that calendar spam is a growing exploitation channel, CalConnect and the global anti-abuse association M3AAWG have joined forces to develop new methods to protect end-users from unsolicited and malicious event notices.  The new liaison between the scheduling developers’ organization and the Messaging, Malware and Mobile Anti-Abuse Working Group will accelerate industry efforts to develop techniques that block invites to fake events and other malicious notices on popular calendaring platforms.

Calendar spam is a new form of abuse that takes advantage of the application layer across multiple technologies, including scheduling, calendaring and messaging systems. For example, users have received fraudulent emails impersonating well-known brands that include calendar invites to special “discount” events.  As is the case with email spam, calendar spam can be used for malicious purposes such as phishing or to deliver malware payloads.

CalConnect (The Calendaring and Scheduling Consortium) also has established a new technical committee, TC CALSPAM, to better protect users from calendar system abuse. The committee aims to understand the current and potential use of calendar systems as a vector for delivering undesired information and will provide current information and guidelines on the topic to CalConnect and M3AAWG participants.

"Calendaring is an intimate part of everyone’s lives. Calendar spam is particularly unsettling because the abuse directly pops up on a person’s calendar.  It’s personally disruptive and especially disturbing," said Thomas Schäfer, 1&1’s Head of Technical Site Management who chairs TC CALSPAM.

Differs from Other Abuse Schemes

CalConnect and M3AAWG will develop the measures and best practices for developers and system operators to ensure legitimate usage of their platforms.  The collaborative effort is important because calendar spam is unique as an abuse vector in a number of ways:

  • Calendar spam, unlike email, can be placed chronologically anywhere in a calendar – in the past or the future, not just the present – making it difficult to detect at the time of delivery.
  • Spam meeting invitations can be automatically added to calendars without the users’ consent with notifications sent to all their devices. These invitations are not only difficult to find but, in some cases, there is no way for the user to remove these events short of deleting the entire calendar.
  • Calendar events and meeting invitations do not yet carry the rich provenance, i.e., the detailed header information that is included in email, making it difficult to ascertain where and when events originated and where they were delivered.
  • Calendar events often contain notifications or alarms that are propagated across a user’s many desktop and mobile calendaring clients, exacerbating the problem.

M3AAWG Executive Director Jerry Upton said, “Calendar spam has shown itself to be a new but rapidly maturing vector for spammers.  As we’ve seen in addressing other abuse issues in M3AAWG, cross-domain problems like this require input from experts in multiple disciplines and collaborating with CalConnect and their subject matter is the most direct route to combatting this evolving threat.”

Call for Industry Participation

The reciprocal membership agreement between the two organizations became effective in February and allows the calendaring and scheduling developers, vendors and service providers in CalConnect and the messaging and email authentication experts in M3AAWG to share information and work.  CalConnect members participated in the M3AAWG 42nd General Meeting in San Francisco in February, kicking off the joint work on applicable anti-abuse methodologies.  The 43rd M3AAWG General Meeting will be held June 4-7 in Munich, Germany.

CalConnect President Rutger Geelen said, “We recognize that calendar spam is a real threat and a growing problem. First and foremost, we endeavor to protect users against such abuse. Since event and meeting invitations are often delivered via email, it makes sense to collaborate with the messaging identity and authentication experts at M3AAWG in our effort to return full control of collaboration and communications to the end users themselves.”

Organizations interested in joining the CalConnect calendar spam committee should contact CalConnect Executive Director Dave Thewlis at dave.thewlis@calconnect.org or CalConnect Director of External Relations Ronald Tse at ronald.tse@calconnect.org

About The Calendaring and Scheduling Consortium (CalConnect)

CalConnect, The Calendaring and Scheduling Consortium, is a not-for-profit organization advancing the state of interoperable calendaring, scheduling and digital contacts. Founded in 2004 as a partnership between vendors and users of calendaring and scheduling tools and technologies, its membership includes some of the world’s largest software companies as well as small startups. Virtually every important calendaring-related standard since 2004 has been authored, edited, and/or co-edited by members of a CalConnect Technical Committee. http://www.calconnect.org.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy, and works to educate global policy makers on the technical and operational issues related to online abuse and messaging.

#  #  #

Media Contacts:

Ronald Tse, Director, External Relations, ronald.tse@calconnect.org, CalConnect (The Calendaring and Scheduling Consortium), https://www.calconnect.org

PR@m3aawg.org, M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group), https://www.m3aawg.org

M3AAWG Issues New Papers Explaining Password Security, Multifactor Authentication, Encryption Use and DDoS Safeguards; Announces 2017 Leadership and Committee Chairs

San Francisco, April 4, 2017 – Addressing current threats such as DDoS attacks and Internet of Things security, the Messaging, Malware and Mobile Anti-Abuse Working Group has released five new best practices papers and created new special interest groups to develop cybersecurity approaches that will help protect end-users. The organization also announced its 2017 leadership and committee chairs who are responsible for supporting the group’s ongoing collaborative efforts and identifying new areas of online vulnerability.

The new best practices papers outline recommended processes to help companies and service providers better safeguard their networks and are based on the experience of anti-abuse experts in computer security, business, public policy and academia.  The papers are:

M3AAWG currently has 42 papers available on its website under the For the Industry tab in its Best Practices section at /published-documents.  These best practices and tutorials address both emerging and ongoing anti-abuse challenges, such as methods to counter pervasive monitoring, abuse desk processes, anti-phishing and spam techniques, recommended senders best practices and other relevant topics.

Special Interest Groups Focus on Global Issues

M3AAWG also formed a new Internet of Things SIG to coordinate members’ efforts in resolving abuse issues from compromised IoT devices.  The new special interest group will develop reputation guidelines and processes for the supply chain while promoting consumer security awareness and working with manufacturers to build better security into devices.

The M3AAWG DDoS SIG is focused on helping ISPs, hosting companies and third-party DDoS security service providers understand existing and emerging Distributed Denial of Service attack types. It is developing additional papers that will explain prevention methods, monitoring and mitigation architectures, and business strategies.

2017 Leadership Takes the Helm

Along with finalizing the papers during the M3AAWG 39th General Meeting in San Francisco last month, Severin Walker, senior manager, Comcast Anti-Abuse Engineering, was elected the new Chairman of the M3AAWG Board. He has contributed to the organization over the past five years as a Board member and a chair of the M3AAWG Technical Committee. 

Also elected at the February 23 Board meeting were vice chairpersons Janet Jones, senior security program manager in Microsoft’s Trustworthy Computing Security organization; Len Shneyder, SendGrid, Inc. vice president of industry relations; and Matthew Stith, Rackspace anti-abuse specialist. Sam Silberman, Endurance International Group director of standards and industry relations, will serve his fourth term as treasurer and Jerry Upton continues as executive director.

Most of the work and best practices in M3AAWG are generated through dialogue among industry professionals in topical committees.  The committees meet on regularly scheduled conference calls and during the three M3AAWG working meetings each year to develop the anti-abuse recommendations and other projects.

“M3AAWG provides a critical space where hundreds of subject matter experts from across the spectrum can collaborate in a trusted and vetted environment and, because of this, our work is important for the long-term security of the internet. M3AAWG committees provide the structure – they are the super-highways – that ensure these discussions are meaningful and address the critical issues. So eventually, the volunteer M3AAWG committee chairs are the ones who keep the energy and our work flowing,” Walker said in announcing the 2017 committee chairs:

  • Abuse Desk Co-Chairs Charles Helstein, PayPal; Tobias Knecht, Abusix, Inc.; and Justin Paine, Cloudflare
  • Academic Committee Co-Chairs Dr. Manos Antonakakis, Georgia Tech, and Carel, Spamhaus
  • Anti-Phishing SIG Co-Chairs Carlos Alvarez, ICANN, and Chelsea Maldonado, Mailchimp
  • Awards Committee Co-Chairs Christine Borgia, Return Path, and Neil Schwartzman, CAUCE
  • Brand SIG Co-Chairs Ryan Boyd, Groupon, and Mike Hammer, AG Interactive
  • Collaboration Committee Co-Chairs Stephen Ford, Adobe Systems Inc.; Sven Krohlas, 1 & 1 Internet SE; and Mary Youngblood
  • DDoS SIG Co-Chairs Mike Glenn, Cable Television Laboratories, Inc., and Glen Pirrotta, Comcast
  • Hosting Committee Co-Chairs Matthew Stith, Rackspace, and Justin Lane, Endurance International Group
  • Information Sharing SIG Co-Chairs Chris Boyer, AT&T, and Doug Pearson, REN-ISAC
  • Internet of Things SIG Co-Chairs M3AAWG Senior Technical Advisor Michael O’Reirdan and Chris Roosenraad, NeuStar
  • M3AAWG Guides Co-Chairs Alyssa Nahatis, Adobe Systems, Inc., and M3AAWG Privacy Advisor William Wilson, Breckenhill Inc.
  • M3AAWG meeting Open Round Tables Co-Chairs Melinda Plemel, Proofpoint, and Vincent Schonau, Abusix
  • Pervasive Monitoring SIG Co-Chairs Janet Jones, Microsoft, and Alex Brotman, Comcast
  • Program Committee Co-Chairs Kurt Andersen, LinkedIn; Dennis Dayman, Return Path; and Len Shneyder, SendGrid, Inc.
  • Public Policy Committee Co-Chairs Frank Ackerman, M3AAWG Public Policy Advisor; Chris Boyer, AT&T; and Chris Roosenraad, NeuStar
  • Senders Committee Co-Chairs Andrew Barrett, Adobe Systems, Inc., and Tara Natanson, Endurance International Group
  • Technical Committee Chair Severin Walker, Comcast.  The Technical Committee area co-chairs are:
  • Messaging - Peter Goldstein, ValiMail, and James Hoddinott, Cloudmark, Inc.
  • Malware - Jeremy Demar, Vigilant By Deloitte, and Loucif Kharouni, Deloitte
  • Training Committee Co-Chairs Christine Borgia, Return Path; Kurt Diver, SendGrid, Inc.; Annalivia Ford, IBM; and Udeme Ukutt, Splio
  • Voice and Telephony Abuse SIG Co-Chairs Alex Bobotek, AT&T, and Dr. Mustaque Ahamad, Georgia Tech
  • Women in Messaging Abuse/Diversity and Inclusion Chair Janet Jones, Microsoft

Additionally, M3AAWG Senior Technical Advisor John Levine, founder of Taughannock Networks, was appointed M3AAWG liaison to ICANN.  Jesse Sowell continues as a special M3AAWG representative to LACNIC, the Latin America and Caribbean Network Information Center, and is helping to develop joint anti-abuse work with that organization.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.M3AAWG.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

#  #  #

Media Contact: Pr@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure; and Yahoo! Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Intel Security; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; MAPP Digital; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Sprint; Symantec; and USAA.

A complete member list is available at /about/roster.

 

 

André Leduc Receives M3AAWG 2016 JD Falk Award for Operation Safety-Net and CASL Work that Protects Online Users

Paris, France Oct. 25, 2016 – The lead architect of both a comprehensive report that demystifies online threats for the general public and an important Canadian law that has appreciably reduced spam has received the M3AAWG 2016 JD Falk Award for his contributions to a safer online world.  André Leduc was recognized for spearheading the global Operation Safety-Net best practices report and for his role in developing the Canadian Anti-spam Legislation that requires marketers to obtain users' permission before sending commercial email.

The award was announced Oct. 25 during the four-day M3AAWG 38th General Meeting in Paris. The Messaging, Malware and Mobile Anti-Abuse Working Group presents the award annually to recognize an "unsung hero" working behind the scenes to protect the internet and end-users.

"Both of these accomplishments have been widely embraced by the anti-abuse community as valuable tools in fighting spam and other cybercrime. Operation Safety-Net makes cybersecurity accessible to mainstream, non-technical users by cutting through the complicated techno-jargon about keeping our devices safe, and the anti-spam law known as CASL has dramatically reduced junk mail in Canada and beyond. Neither of these projects would have come to fruition without André's meticulous attention to detail, his dedicated effort that went well beyond expectations, and his persistent leadership," said Michael Adkins, M3AAWG Chairman of the Board.

Leduc is the acting director of business, intelligence and analysis, and digital security policy, at the Canadian Department of Innovation, Science and Economic Development. He also served as a voluntary secretariat co-lead for the London Action Plan/Unsolicited Communications Enforcement Network and facilitated the cooperative work between M3AAWG and LAP/UCENet that resulted in the jointly published report. A video with Leduc explaining the motivation behind these two projects is available on the M3AAWG YouTube channel at www.youtube.com/maawg.

Operation Safety Net for Business, Government and End-Users

Operation Safety Net – Best Practices to Address Online, Mobile, and Telephony Threats is a 76-page report written by security experts from around the world that describes current cyber issues facing business, government and end-users with the proven techniques to protect against them. Leduc spearheaded the project, which was originally requested by the Organisation for Economic Co-operation and Development, and compiled the submitted material into a coherent report.

Leduc said, "Translating our technical and engineering way of talking into plain language was probably the most important part of this work. We wanted to create a report that a security officer or an engineer could give to colleagues and management to help them understand cyber attacks and why their organizations might be targeted. We also wanted to make it easy for government policy makers in both the developed and developing countries, where they may not have much technical experience, to take action."

The original report was published in 2012 then updated in 2015. The latest version covers malware and botnets; phishing and social engineering; internet protocol and domain name system (DNS) exploits; and mobile, voice over IP (VOIP) and telephony threats.  Originally published in English, it has been translated into French and Spanish, reaching much of the world's population. The report is available in these languages at www.m3aawg.org under Best Practices.

CASL Effective Beyond Canada

Leduc also was the lead architect developing the policy and legal frameworks for the Canadian Anti-spam Legislation that set a new standard for sending marketing messages when it went into effect in 2014.  The law applies to commercial or promotional information sent through email, SMS, instant messaging or social media. It also covers software installations and mobile apps. 

CASL requires marketers to obtain a user's permission to receive a commercial message before it is sent, a process known as "opt-in" that is more effective in fighting abuse and spam. For example, under the law, users need to voluntarily sign up for a mailing list or have an existing business relationship with an organization before marketers can send them related emails. Since CASL applies to all messages sent to users in Canada, including those originating from other countries, it has encouraged the voluntary adoption of opt-in practices internationally.

"The volume of spam on Canadian networks has decreased by more than a third since CASL went into effect. We have also seen a high level of compliance from senders in the countries to our south, throughout Europe, and even in Asia. Many international senders are now getting consent prior to sending commercial electronic messages to our users," Leduc said.

Leduc began work on establishing the concepts and language for CASL in 2009.  He has specialized in cybersecurity since 2004 when he led OECD ecommerce business working groups and then became part of an expert subgroup on high-tech crimes in 2004. He has represented Industry Canada (now Innovation Science and Economic Development Canada) at the OECD, the G7 and G8 summits, and the Wassenaar Arrangement.

The M3AAWG 38th General Meeting is the organization's annual European meeting and has brought together more than 350 security experts from 30 countries.  The working meeting features more than 50 sessions with network operators, social networking companies, hosting and cloud services providers, email service providers, academic researchers and public policy advisors sharing information on the latest cyber threats. The next meeting will be February 20-23, 2017 in San Francisco.

#  #  #

Media Contact: Pr@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); Facebook; Google; LinkedIn; Message Systems; Mailchimp; Microsoft Corp.; Orange (NYSE and Euronext: ORA); Return Path; SendGrid, Inc.; Charter Communications; Vade Secure; and Yahoo! Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; MAPP; McAfee Inc.; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Rackspace; Spamhaus; Sprint; and Symantec.


EXPERTS TO FCC: CHANGE COURSE ON BROADBAND PRIVACY RULES

INDUSTRY GROUPS AND EXPERTS AGREE: THE FCC MUST CHANGE COURSE ON BROADBAND PRIVACY

Fixed Wireless Internet Service Providers Association 

http://www.wispa.org/News/wispa_news_06-08-16_Experts_to_FCC

"A coalition of industry groups including WISPA, CTA, CTIA, and US Telecom today published a joint article in opposition to the FCC’s proposed new rules for broadband privacy protection . . . The Messaging, Malware and Mobile Anti-Abuse Working Group similarly warned that the rules as currently framed could inadvertently undermine cooperation and communication needed to secure the web from malware, viruses and hackers online. . . "

Global Cyber Alliance Joins Forces with M3AAWG to Drive Industry Adoption of Cybersecurity Solutions

San Francisco, May 4, 2016 – Global Cyber Alliance – an organization founded by the New York County District Attorney's Office, the City of London Police and the Center for Internet Security – will be collaborating with M3AAWG to push the security community to more quickly adopt concrete, quantifiable practices that can reduce online threats. The non-profit GCA has joined the Messaging, Malware and Mobile Anti-Abuse Working Group, which develops anti-abuse best practices based on the proven experience of its members, and M3AAWG has become a GCA partner for the technology sector.

“Global Cyber Alliance is pleased to partner with M3AAWG, an organization that has worked for many years on operational issues of Internet abuse.  Both of us want to make a measurable difference in minimizing cyber risk, and we are confident that we can do so,” said Philip Reitinger, GCA President and CEO.

Launched in September 2015, Global Cyber Alliance's mission is to confront, address and prevent malicious cyber activity and improve the security of the connected world. It identifies and prioritizes areas of systemic cyber risk concentrating on measurable achievements, and has established Cyber Security Strategic Action Centres (CSAC) in New York and London.

In a recent announcement, GCA revealed that its first strategic area of concentration will be phishing with a focus on two solutions shown to be effective at combatting it: implementation of DMARC to limit spoofing of email and secure DNS practices to minimize the effect of phishing and other attacks.

M3AAWG has actively supported DMARC since its inception. It has also developed materials to help the industry fight phishing, including a video on using DNS "response policy zones" to protect against illegitimate websites, anti-phishing best practices for mailbox providers, and best practices to avoid potential problems for "parked" domains where email is not enabled.

GCA will also participate in ongoing M3AAWG work and the two M3AAWG North American general meetings and its annual European meeting. The M3AAWG 37th General Meeting will be June 13-16 in Philadelphia, Pa., U.S.A., with over 50 sessions including the co-located i2Coalition annual meeting.

M3AAWG Chairman of the Board Michael Adkins said, "The most effective best practices won't amount to much if the industry neglects them. At M3AAWG, we're able to tap into our members' experience to identify what processes are working against cyber threats around the world. Even so, it can be challenging to achieve the widespread implementation of these practices to protect the ecosystem. GCA's focus on cross-sector implementation and measurement will address some of the confusion and apathy in the industry, and will help mitigate cyber risks."

About Global Cyber Alliance

Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measurable achievements. While most efforts at addressing cyber risk have been industry, sector, or geographically specific, GCA partners across borders and sectors. GCA’s motto “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.

GCA, a 501(c)3, was founded in September 2015 by the New York County District Attorney's Office, the City of London Police and the Center for Internet Security. Learn more at www.globalcyberalliance.org.

#  #  #

Media Contact: Pr@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); Cox Communications; Facebook; Google; LinkedIn (NYSE: LNKD); Mailchimp; Message Systems; Orange (NYSE: ORAN) and (Euronext: ORA); Rackspace; Return Path; SendGrid; Time Warner Cable; Vade Retro - OpenIO; Verizon Communications; and Yahoo Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Bluehost-Endurance; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Constant Contact (NASDAQ: CTCT); dotmailer; Dyn; ExactTarget, Inc.; IBM; iContact; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; McAfee Inc.; Microsoft Corp.; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; and Symantec.
