Contribution Feb 2013 Text Display Screen

The Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG) is a global nonprofit association founded to develop effective models to combat online threats such as spam, botnets, phishing, malware and denial-of-service attacks that can cause great harm to individuals, organizations and national economies.  Representing more than one billion mailboxes, M³AAWG is the largest global organization developing cross-sector approaches to protecting users and network infrastructure. 

Our members include technical experts, researchers and policy specialists from a broad base of network operators and from key technology providers, academia, government and volume messaging sender organizations. The multidisciplinary approach at M³AAWG (www.m3aawg.org) includes the development of industry best practices, education, technical statements on public policy and legislation, and the facilitation of global collaboration.

We appreciate the opportunity to respond to the request from the ITU Council Working Group on International Internet–Related Public Policy Issues (CWG–Internet) for online consultations from all stakeholders.  We will be focusing our remarks on the first issue:

• Issue 1: Consultation on effectively countering and combatting spam
  The Council Working Group on International Internet-Related Public Policy Issues invites all stakeholders to provide input on international public policy issues related to effectively countering and combatting spam.

While this topic is somewhat broad, we welcome the invitation to share our global experience in reducing spam levels and to explain the strategies that have proven most effective in almost ten years of working together against Internet abuse. M³AAWG was formed as a working body in 2004 to fight spam and its associated problems at a time when email, one of the Internet’s two “killer apps,” was at risk of collapse.  

In tackling the issue over the years, we have realized that despite the astoundingly higher volumes of spam today, our members have been able to prevent all but a relatively small percentage of this abusive email from being delivered to users’ inboxes.  This is documented in our quarterly M³AAWG Email Metrics Reports[i] with data collected directly from global network operators aggregating the quantity of abusive mail identified and the percentage delivered to end-users.  Email continues to thrive in a managed state of health in much of the world.

What has worked?  The most powerful tools we have identified for expunging increasing volumes of spam from both established and growing networks has been 1) the widespread adoption of proven best practices based on shared industry expertise and 2) industry collaboration in an environment of mutual trust and open dialogue.

With this historical assessment, we respectfully submit to the ITU Council Working Group-Internet that there is an active and multi-stakeholder community, which has, collectively, been engaged on this issue for more than a decade. M³AAWG, especially, is widely recognized as the forum of choice for cooperation in a vendor-neutral, collegial and vetted environment on the technical issues necessary to protect service providers and end users.  

However, M³AAWG fully realizes that Internet service providers in emerging economies continue to face significant problems with Internet abuse, and so works to extend the best practices developed by its members to industry entities around the world by:

1. Making translations of many M³AAWG best practice documents available in multiple languages, including all the official languages of the United Nations
2. Organizing and participating in outreach initiatives
3. Actively engaging with other relevant stakeholders around the world, across governments, industry and civil society

M³AAWG looks forward to working closely with the ITU to promote the voluntary adoption of existing and future best practices and to encourage global cooperation on capacity building in emerging Internet economies.

To this end, M³AAWG has worked over the years to foster a respected, vetted community for dialogue and information sharing – and has created the necessary meetings and infrastructure – allowing our members to privately share their experiences with effective anti-spam strategies and then distribute this distilled knowledge to the industry as best practices. We also have successfully partnered with other inter-governmental, industry and civil society organizations to bring specialized talents and resources to more effectively address rapidly morphing threats.

For example, M³AAWG collaborated with the London Action Plan (LAP) last year in producing the “Best Practices to Address Online and Mobile Threats[ii],” a comprehensive 52-page report outlining proven tactics against abuse.  LAP is a highly respected network of organizations engaged in anti-spam and law enforcement; M³AAWG shared its technical competency, collaborative knowledge and real-world experience.  The resulting jointly authored report has been submitted to the OECD for consideration and implementation by both business and government entities.  It contains the collective knowledge of experts from around the world on how to reduce online risks, augmented with forward-thinking recommendations to tackle emerging vulnerabilities, such as mobile text spam and Web abuse.

As spammers grow more sophisticated and emboldened, it has become increasingly difficult for an isolated and politicized world to keep pace with evolving threats.  As stated in the M³AAWG/LAP report,
 “. . . Spam is not just an email phenomenon. It continues to expand into various forms of new media. For example, mobile messaging and Voice over Internet Protocol (VoIP) spam are now extremely common, as are spam comments on social media, blogs and other websites…”[iii] In confronting the complex malady of today’s spammers, the technical specialists working with these issues every day have come to depend on the vetted channels available through industry associations to share their discoveries with the world in reports such as this one.

This approach is adaptable to the needs of both specific countries and network environments.  Industry best practices and information sharing programs support anti-abuse efforts in both large and small companies, and in countries with both established and developing Internet infrastructure. M³AAWG, like other industry associations, has engaged in numerous outreach programs that have also contributed to curtailing spam, including:

·         Our port 25 management best practices have been widely adopted as an effective anti-spam strategy. M³AAWG also issued the first best practices to help ISPs work with customers to mitigate bots and malware, which became the basis of the IETF’s RFC 6561.

·         Among the 25 best practices we have issued, M³AAWG published the first senders best practices developed through the cooperative efforts of network operators and volume email senders, and the M³AAWG position against email appending has received wide industry support.

·         We have responded to 27 requests for comments outlining how the technical aspects of public policy would affect the industry’s ability to identify and curtail spam, including responses to ICANN and other Internet governing bodies, and to both North American and European public policy agencies.

·         We continue to partner with other organizations, including working with the OECD to produce its initial anti-spam tool kit. While serving as M³AAWG co-chairman, Michael O’Reirdan chaired the U.S. FCC CSRIC committee that produced the first voluntary code outlining how network operators can work against bots and malware, the Anti-Bot Code of Conduct for ISPs[iv] (ABCs for ISPs). The CSRIC committee also involved other M³AAWG members.

International cooperation is essential to stopping abusive messaging.  Industry associations like M³AAWG provide a proven and vetted environment for the necessarily sensitive dialogue among global competitors and law enforcement.

·         In India, M³AAWG offered an anti-spam workshop at the request of the EastWest Institute (EWI) attended by influential industry representatives and we continue to host two additional meetings a year to facilitate Indian industry cooperation against spam. Information and related documents for the India Anti-Abuse Working Group are available at www.m3aawg.org/india.

·         The East West Institute selected M³AAWG to announce the first collaborative anti-spam effort between industry stakeholders in China and the United States, and M³AAWG has taken on the task of continuing that work.

·         We often host other organizations such as the LAP and the GSMA Security Group at our meetings.  M³AAWG meetings bring together 300 to 400 leading security professionals for confidential dialogue three times a year, including an annual European meeting.  The meetings offer more than 30 training, educational and dialogue sessions and keynotes have included FTC Bureau of Consumer Protection Director David Vladeck, INTERPOL’s Assistant Director Michael Moran, U.S. ITU Ambassador Phil Verveer, European Commission Justice Freedom and Security DG Radomir Jansky, DNS creator Paul Mockapetris, and officials from ICANN, IETF and Industry Canada, among others.

·         We have produced pertinent training videos with recognized experts detailing malware
mitigation techniques, anti-spam protocols and other anti-abuse tactics that are available to the general industry.

·         We issue the only email metrics reports generated with anonymized and aggregated data
sourced directly from network operators and are currently developing the first operators’ bot metrics report.

·         Many concerned government entities are members and participant in M³AAWG dialogues, including the U.S. Senate’s IT department, and other organizations such as CAUCE; eco, an association of German ISPs; ISC (Internet Systems Consortium); International Computer Science Institute (ICSI); .SE, the Internet Infrastructure Foundation; the Internet Society (ISOC); NCTA (National Cable & Telecommunications Association); Spamhaus; Shadowserver; and SURBL.

These and other efforts by various industry associations are considered by many security experts, public policy advisors and government entities to be among the most efficient programs for confronting spam and abuse.

We encourage the CWG-Internet to focus on promoting the voluntary adoption of existing best practices developed by impartial industry associations that represent the best thinking of experienced technical experts. Promoting and supporting industry best practices developed by experts is the best use of resources versus working to create new procedures and incurring the time delays associated with replicating existing work. 

Speaking for M³AAWG, you can find all our best practices, training videos and other materials on our website at www.m3aawg.org.  I will be glad to respond to any questions or provide more information.  You can also address any inquiries about our work at M³AAWG to me, M³AAWG Executive Director Jerry Upton at jerry.upton@m3aawg.org.

Sincerely,

Jerry Upton, M³AAWG Executive Director

Jerry.Upton@m3aawg.org