Heard about M3AAWG’s Best Practices?

• M³AAWG Border Gateway Protocol (BGP) Flowspec Best Practices (17 February 2019)
  • This paper is written for network engineers responsible for Network Service Provider (NSP), hosting provider, or enterprise networks. It is for individuals wanting to learn more about Flowspec (a new type of Network Layer Reachability). It assumes the reader is familiar with BGP routing and other common networking technologies.

• M³AAWG Position on Email Appending (Updated 1 January 2019)
  •  In email marketing terms, “email appending” is the practice of taking either known or assumed demographic data on a unique individual and correlating it to an email address assumed to be owned by the individual for the purpose of sending email. Email appending is also known as “e-appending” or “e-pending.” The practice of email appending is in direct violation of core M³AAWG values.

2018:

• M³AAWG Best Current Practices for Reporting Phishing URLs (20 December 2018)
  • Phishing (ie. the luring of internet users to fraudulent websites in order to collect private identity information) continues to be a significant problem for hosting companies, mailbox providers, brand owners and, of course, for every internet user. This document is intended to inform user groups and to set out one simple recommendation that everyone should follow if they choose to report a phishing URL. It also explains the current ecosystem for tackling phishing and explains why this recommendation has been made.

• A M³AAWG Introduction to Addressing Malicious Domain Registrations (1 June 2018)
  • The vast majority of domain name registrations are made for legitimate purposes, most often to provide an online home for a lawful business or organisation. However, there are some domain names registered exclusively to cause consumer harm. This document focuses on defining malicious domain names and provides a non-exhaustive list of possible actions that can be taken to address them once they have been found.

• M³AAWG Recommendations: Methods for Sharing Dynamic IP Address Space Information with Others (Updated 1 May 2018)
  • Although M³AAWG recommends blocking outbound port 25 traffic as the best option for controlling the flow of unwanted email traffic from an ISP’s customer space, such blocks may not always be possible, either for the short or long term. This document offers some alternatives for these ISPs by describing methods they can use to share their dynamic space information with others and allow remote sites to reject inbound mail traffic from dynamic address space. This updated version includes information on IPv6.

• M³AAWG Compromised User ID Best Practices (Version 1.0.1, 1 March 2018)
  • For many years, spammers have worked with purveyors of viruses to surreptitiously infect users’ PCs with spam sending software, creating networks of computers known as “botnets.” Until recently, botnets typically sent spam directly from infected PCs on subscriber networks; however, vigilance by the anti-abuse community has made this direct form of spamming more difficult. As a result, spammers have begun to configure their botnets to send from a new source: compromised user email accounts.
  • This document addresses problems associated with compromised user accounts. It discusses mitigation techniques and methods of identifying compromised accounts, including recommendations to ensure the long-term security of accounts to prevent “re-compromise.”

• M³AAWG Help – I’m On A Blocklist (Version 1.0.1, Updated 28 February 2018)
  • At one point or another, almost every organization that sends email or provides SMTP service will be unable to deliver mail because they are on a blocklist. For an organization reliant on sending email, such as an ESP or network operator, a listing on a blocklist can be an emergency that precludes rational discussion of workable long-term solutions. This document helps an organization plan for these circumstances by describing how to detect a listing and outlines the steps for remediation.

• M³AAWG Recommendations for Preserving Investments in New Generic Top-Level Domains (gTLDs) (31 January 2018)
  • Over one thousand new generic Top-Level Domains (gTLDs) have been or are in the process of being created under ICANN’s new gTLD program, with each of these domains representing an investment of at least $185,000.
  • This document is written for current Registry operators and for companies interested in applying for new generic Top-Level Domains in the future. It outlines the risks and also makes recommendations to help correct the problems some new gTLDs are facing.

2017:

• M³AAWG Recommendations for Senders Handling of Complaints (30 December 2017)
  • Email abuse rates can significantly affect a sender’s reputation and, consequently, its ability to deliver customers’ emails to the inbox. This paper explains some of the common processes that senders can use to effectively manage and monitor email complaints and to help their customers develop healthy email practices that generate better results.

• M³AAWG Recommendation on Web Form Signup Attacks (3 November 2017)
  • Many list web forms provoke an email confirmation to the subscriber’s email address provided in the form, but malicious entities are now using this feature to do bulk form submissions with forged addresses that flood the subscriber’s inbox. M³AAWG members collaborated across the industry to propose a header as an initial step that hosting and sending companies can implement to help protect against these attacks.

• M³AAWG Best Practices for Managing SPF Records (30 August 2017)
  • This document covers best practices on how to properly construct and maintain an SPF record, common errors and some unintended consequences.  It is targeted at those with a basic understanding of the purpose and usage of SPF.

• M³AAWG Best Practices for Implementing DKIM To Avoid Key Length Vulnerability (Updated 31 July 2017)
  • M³AAWG strongly encourages organisations to review their DKIM email authentication implementation, due to potential vulnerabilities associated with the use of short DKIM keys at well-known organisations. This document sets out eight best practices on the issue.

• M³AAWG Introduction to Reflective DDoS Attacks (20 May 2017)
  • Distributed Denial of Service (DDoS) attacks are a crucial concern for many businesses today. Many thousands of individual DDoS attacks take place each day, and though most are relatively small (5-10 gigabits per second), they are still more than sufficient to take unprepared sites offline. This paper provides an overview of how this very common form of attack works and what measures can be taken to help eliminate it.

• M³AAWG Describes Costs Associated with Using Crypto (31 March 2017)
  • This document describes the budget and other costs associated with using cryptography to help make informed decisions when deploying encryption.

• M³AAWG Password Managers Usage Recommendations (31 March 2017)
  • Most users struggle to manage a large number of usernames and passwords.  While password managers have both proponents and detractors, these recommendations reflect the general consensus of the industry.

• M³AAWG Initial Recommendations: Arming Businesses Against DDoS Attacks (15 March 2017)
  • Disruptions caused by Distributed Denial of Service (DDoS) attacks range from loss of revenue and higher costs to dramatic brand damage. This guide provides concepts and ideas to help businesses prepare for DDoS attacks. As a side benefit, some of these same techniques can also help businesses who suddenly see a large increase in legitimate customer traffic to their websites.

• M³AAWG Password Recommendations for Account Providers (28 February 2017)
  • This document summarises M³AAWG recommendations for ISPs and other providers who continue to rely on passwords. It briefly describes the risk model arising from the use of passwords to provide authorised or secure access to resources. It is intended to improve end-user security by encouraging strong passwords.

• M³AAWG Multi-factor Authentication (MFA) Recommendations (20 February 2017)
  • While passwords are the default solution for securing users’ accounts today, they have many shortcomings and most can be easily cracked. M³AAWG believes the time has come for providers to require multi-factor authentication. It urges providers not to wait for the rest of the industry to deploy multi-factor authentication before doing so themselves.

2016:

• M³AAWG Best Current Practices For Building and Operating a Spamtrap (Updated 12 August 2016)
  • Computer security researchers have long made use of “honeypots,” servers and/or networks designed as traps to detect, deflect, or in some way counter and research the abusive use of information systems. In the email abuse field, such honeypots are usually called “spamtraps” and they are servers that receive spam and other types of email abuse.
  • This document attempts to lay out the best M³AAWG Best Current Practices for Building and Operating a Spamtrap.

• Using Generic Top Level Domain Registration Information (WHOIS Data) in Anti-Abuse Operations (14 July 2016)
  • WHOIS information plays a key role in determining where to report instances of abuse involving domain names. This paper explains some of the important WHOIS elements used to fight spam, phishing, malware distribution and other threats.

• M³AAWG Introduction to Traffic Analysis (15 June 2016)
  • Most users have limited awareness of traffic analysis as a risk. This paper outlines the key characteristics of traffic analysis attacks, discusses potential ways to avoid them, and considers the advantages and disadvantages of deploying preventative measures.

• M³AAWG Best Practices for Unicode Abuse Prevention (7 February 2016)
  • This document outlines M³AAWG best practices to curtail Unicode abuse. The intended audiences for these practices are: email service providers, Internet service providers, and the operators of Software as a Service or others in relations to other Internet-connected applications.

• M³AAWG Unicode Abuse Overview and Tutorial (7 February 2016)
  • This document examines the background of Unicode characters in the abuse context and provides a tutorial on the options that are emerging to curtail that abuse.

• M³AAWG Initial Recommendations for Using Forward Secrecy to Secure Data (31 January 2016)
  • Deploying opportunistic encryption is an excellent way to start protecting email traffic between messaging providers. However, implementers of TLS may not realise that it is not sufficiently secure unless forward secrecy is also employed for the connection. If an adversary captures and retains encrypted traffic, and is then able to acquire the private keys used to encrypt it, all retained traffic can be read as plaintext.
  • Forward secrecy is a set of cryptographic protocols that address this vulnerability. Enabling forward secrecy in conjunction with TLS assists in protecting captured traffic against any possibility of eventual decryption.
  • This document is intended to demonstrate how forward secrecy and ephemeral keys can protect data transmitted during these sessions, and more importantly, how they can protect against future decryption if an untrustworthy party who has access to the data also acquires the keys.

• M³AAWG Protecting Parked Domains Best Common Practices (Updated 21 January 2016)
  • Many organisations and individuals register domains without an immediate intent to use these domains or to use them in a limited context. These domains (or subdomains) are not meant to either send or receive email traffic. They are “parked.”
  • This document describes what identifiers can be used to indicate a domain or subdomain that is not meant to send or receive emails.

Pre-2016:

• M³AAWG Initial Recommendations for Addressing a Potential Man-in-the-Middle Threat  (8 July 2015)

• Anti-Phishing Best Practices for ISPs and Mailbox Providers (Version 2.01, Updated 30 June 2015)

• Operation Safety-Net: Best Practices to Address Online, Mobile, and Telephony Threats (8 June 2015)

• M³AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers (16 March 2015)

• M³AAWG Best Common Practices for the Use of a Walled Garden (Version 2.0, 13 March 2015)

• M³AAWG Sender Best Common Practices (Version 3.0, 17 February 2015)

• TLS for Mail: M³AAWG Initial Recommendations (1 December 2014)

• M³AAWG Network Address Translation Best Practices: The Implications of Large Scale NAT for Security Logging (23 August 2012)

• M³AAWG Vetting Best Common Practices (15 November 2011)

• MAAWG Best Common Practices for Mitigating Abuse of Web Messaging Systems (30 August 2010)

• MAAWG Overview of DNS Security – Port 53 Protection (8 June 2010)

• M³AAWG Common Best Practices for Mitigating Large Scale Bot Infections in Residential Networks (1 July 2009)

• Configuring Human Readable Delivery Status Notifications (DSN) (1 April 2009)

• Managing Port 25 for Residential or Dynamic IP Space Benefits of Adoption and Risks of Inaction (1 December 2005)

• MAAWG Code of Conduct for Messaging System Operators (2 January 2005)