M3AAWG, Messaging Malware Mobile Anti-Abuse Messaging Group
April 15, 2019

Heard about M3AAWG’s Best Practices?

If you are a telco, email services provider (ESP) or Internet Services Provider (ISP), who has never heard about M3AAWG best practices, you might be missing out…


What is M3AAWG?

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is a technology-neutral, non-political, working body that was founded in 2004. Based in the United States, but with members from all around the globe, M3AAWG is a highly respected industry group that develops cooperative approaches for fighting online abuse. Their members include telecom companies, email service providers (ESPs), Internet Service Providers (ISPs), social networking companies, security researchers, leading hardware and software vendors, major brands, major antivirus vendors and numerous security vendors. Their members come together to focus on operational issues of internet abuse (including technology, industry collaboration and public policy) and to work against botnets, malware, spam, viruses, DoS attacks and other online exploitation.


M3AAWG logo




M3AAWG General Meetings

M3AAWG are perhaps best known for their major gatherings. Each year, they typically host two general meetings in the North America and one in Europe. The first event for 2019 kicked off last month in San Francisco. The next will be in Budapest, Hungary, this June. Then Montreal, Canada, this October. However, unlike most other conferences, strict rules of confidentiality are followed: “What happens in M3AAWG stays in M3AAWG,” so that it can provide a trusted forum and a framework for open discussion among the professional online community, about abuse issues in an atmosphere of confidentiality and cooperation.


M3AAWG Best Practices

In addition to their major gatherings, M3AAWG, by way of member contributions, develops and publishes Best Practices papers, position statements, training and educational videos, as well as other materials to help the online community fight abuse with a focus on operational practices.

They have published nearly 40 best practices and white papers (some of which are also available in Arabic, Chinese, French, Italian, Japanese, Korean, Russian and/or Spanish) and they take credit as the first to publish a best practices document on how ISPs can work with consumers to detect and remove bots – a document which became the basis for the IETF’s RFC 6561.

They also claim to have published the first senders’ best practices that was developed cooperatively with volume emailers and network operators, and they regularly submit comments on government and public policy proposals, including responses to ICANN and other internet governing bodies, and to North American and European public policy agencies.

You can find all of M3AAWG’s Best Practices papers here, or jump to their translated Best Practices here. While new documents are being added regularly and others may become obsolete, below is a handy list of M3AAWG’s Best Practices papers to date, which might be of value to you if you’re a telco, email services provider (ESP) or Internet Services Provider (ISP), that is regularly fighting messaging, malware and mobile abuse.


  • M3AAWG Border Gateway Protocol (BGP) Flowspec Best Practices (17 February 2019)
    • This paper is written for network engineers responsible for Network Service Provider (NSP), hosting provider, or enterprise networks. It is for individuals wanting to learn more about Flowspec (a new type of Network Layer Reachability). It assumes the reader is familiar with BGP routing and other common networking technologies.
  • M3AAWG Position on Email Appending (Updated 1 January 2019)
    •  In email marketing terms, “email appending” is the practice of taking either known or assumed demographic data on a unique individual and correlating it to an email address assumed to be owned by the individual for the purpose of sending email. Email appending is also known as “e-appending” or “e-pending.” The practice of email appending is in direct violation of core M3AAWG values.


  • M3AAWG Best Current Practices for Reporting Phishing URLs (20 December 2018)
    • Phishing (ie. the luring of internet users to fraudulent websites in order to collect private identity information) continues to be a significant problem for hosting companies, mailbox providers, brand owners and, of course, for every internet user. This document is intended to inform user groups and to set out one simple recommendation that everyone should follow if they choose to report a phishing URL. It also explains the current ecosystem for tackling phishing and explains why this recommendation has been made.
  • A M3AAWG Introduction to Addressing Malicious Domain Registrations (1 June 2018)
    • The vast majority of domain name registrations are made for legitimate purposes, most often to provide an online home for a lawful business or organisation. However, there are some domain names registered exclusively to cause consumer harm. This document focuses on defining malicious domain names and provides a non-exhaustive list of possible actions that can be taken to address them once they have been found.
  • M3AAWG Recommendations: Methods for Sharing Dynamic IP Address Space Information with Others (Updated 1 May 2018)
    • Although M3AAWG recommends blocking outbound port 25 traffic as the best option for controlling the flow of unwanted email traffic from an ISP’s customer space, such blocks may not always be possible, either for the short or long term. This document offers some alternatives for these ISPs by describing methods they can use to share their dynamic space information with others and allow remote sites to reject inbound mail traffic from dynamic address space. This updated version includes information on IPv6.
  • M3AAWG Compromised User ID Best Practices (Version 1.0.1, 1 March 2018)
    • For many years, spammers have worked with purveyors of viruses to surreptitiously infect users’ PCs with spam sending software, creating networks of computers known as “botnets.” Until recently, botnets typically sent spam directly from infected PCs on subscriber networks; however, vigilance by the anti-abuse community has made this direct form of spamming more difficult. As a result, spammers have begun to configure their botnets to send from a new source: compromised user email accounts.
    • This document addresses problems associated with compromised user accounts. It discusses mitigation techniques and methods of identifying compromised accounts, including recommendations to ensure the long-term security of accounts to prevent “re-compromise.”
  • M3AAWG Help – I’m On A Blocklist (Version 1.0.1, Updated 28 February 2018)
    • At one point or another, almost every organization that sends email or provides SMTP service will be unable to deliver mail because they are on a blocklist. For an organization reliant on sending email, such as an ESP or network operator, a listing on a blocklist can be an emergency that precludes rational discussion of workable long-term solutions. This document helps an organization plan for these circumstances by describing how to detect a listing and outlines the steps for remediation.
  • M3AAWG Recommendations for Preserving Investments in New Generic Top-Level Domains (gTLDs) (31 January 2018)
    • Over one thousand new generic Top-Level Domains (gTLDs) have been or are in the process of being created under ICANN’s new gTLD program, with each of these domains representing an investment of at least $185,000.
    • This document is written for current Registry operators and for companies interested in applying for new generic Top-Level Domains in the future. It outlines the risks and also makes recommendations to help correct the problems some new gTLDs are facing.


  • M3AAWG Recommendations for Senders Handling of Complaints (30 December 2017)
    • Email abuse rates can significantly affect a sender’s reputation and, consequently, its ability to deliver customers’ emails to the inbox. This paper explains some of the common processes that senders can use to effectively manage and monitor email complaints and to help their customers develop healthy email practices that generate better results.
  • M3AAWG Recommendation on Web Form Signup Attacks (3 November 2017)
    • Many list web forms provoke an email confirmation to the subscriber’s email address provided in the form, but malicious entities are now using this feature to do bulk form submissions with forged addresses that flood the subscriber’s inbox. M3AAWG members collaborated across the industry to propose a header as an initial step that hosting and sending companies can implement to help protect against these attacks.
  • M3AAWG Best Practices for Managing SPF Records (30 August 2017)
    • This document covers best practices on how to properly construct and maintain an SPF record, common errors and some unintended consequences.  It is targeted at those with a basic understanding of the purpose and usage of SPF.
  • M3AAWG Introduction to Reflective DDoS Attacks (20 May 2017)
    • Distributed Denial of Service (DDoS) attacks are a crucial concern for many businesses today. Many thousands of individual DDoS attacks take place each day, and though most are relatively small (5-10 gigabits per second), they are still more than sufficient to take unprepared sites offline. This paper provides an overview of how this very common form of attack works and what measures can be taken to help eliminate it.
  • M3AAWG Password Managers Usage Recommendations (31 March 2017)
    • Most users struggle to manage a large number of usernames and passwords.  While password managers have both proponents and detractors, these recommendations reflect the general consensus of the industry.
  • M3AAWG Initial Recommendations: Arming Businesses Against DDoS Attacks (15 March 2017)
    • Disruptions caused by Distributed Denial of Service (DDoS) attacks range from loss of revenue and higher costs to dramatic brand damage. This guide provides concepts and ideas to help businesses prepare for DDoS attacks. As a side benefit, some of these same techniques can also help businesses who suddenly see a large increase in legitimate customer traffic to their websites.
  • M3AAWG Password Recommendations for Account Providers (28 February 2017)
    • This document summarises M3AAWG recommendations for ISPs and other providers who continue to rely on passwords. It briefly describes the risk model arising from the use of passwords to provide authorised or secure access to resources. It is intended to improve end-user security by encouraging strong passwords.
  • M3AAWG Multi-factor Authentication (MFA) Recommendations (20 February 2017)
    • While passwords are the default solution for securing users’ accounts today, they have many shortcomings and most can be easily cracked. M3AAWG believes the time has come for providers to require multi-factor authentication. It urges providers not to wait for the rest of the industry to deploy multi-factor authentication before doing so themselves.


  • M3AAWG Best Current Practices For Building and Operating a Spamtrap (Updated 12 August 2016)
    • Computer security researchers have long made use of “honeypots,” servers and/or networks designed as traps to detect, deflect, or in some way counter and research the abusive use of information systems. In the email abuse field, such honeypots are usually called “spamtraps” and they are servers that receive spam and other types of email abuse.
    • This document attempts to lay out the best M3AAWG Best Current Practices for Building and Operating a Spamtrap.
  • M3AAWG Introduction to Traffic Analysis (15 June 2016)
    • Most users have limited awareness of traffic analysis as a risk. This paper outlines the key characteristics of traffic analysis attacks, discusses potential ways to avoid them, and considers the advantages and disadvantages of deploying preventative measures.
  • M3AAWG Best Practices for Unicode Abuse Prevention (7 February 2016)
    • This document outlines M3AAWG best practices to curtail Unicode abuse. The intended audiences for these practices are: email service providers, Internet service providers, and the operators of Software as a Service or others in relations to other Internet-connected applications.
  • M3AAWG Unicode Abuse Overview and Tutorial (7 February 2016)
    • This document examines the background of Unicode characters in the abuse context and provides a tutorial on the options that are emerging to curtail that abuse.
  • M3AAWG Initial Recommendations for Using Forward Secrecy to Secure Data (31 January 2016)
    • Deploying opportunistic encryption is an excellent way to start protecting email traffic between messaging providers. However, implementers of TLS may not realise that it is not sufficiently secure unless forward secrecy is also employed for the connection. If an adversary captures and retains encrypted traffic, and is then able to acquire the private keys used to encrypt it, all retained traffic can be read as plaintext.
    • Forward secrecy is a set of cryptographic protocols that address this vulnerability. Enabling forward secrecy in conjunction with TLS assists in protecting captured traffic against any possibility of eventual decryption.
    • This document is intended to demonstrate how forward secrecy and ephemeral keys can protect data transmitted during these sessions, and more importantly, how they can protect against future decryption if an untrustworthy party who has access to the data also acquires the keys.
  • M3AAWG Protecting Parked Domains Best Common Practices (Updated 21 January 2016)
    • Many organisations and individuals register domains without an immediate intent to use these domains or to use them in a limited context. These domains (or subdomains) are not meant to either send or receive email traffic. They are “parked.”
    • This document describes what identifiers can be used to indicate a domain or subdomain that is not meant to send or receive emails.



Want more information about M3AAWG?

To find out more about the Messaging, Malware and Mobile Anti-Abuse Working Group, attend their events and/or contribute to their credible policy work, please click here.


Want more information about atmail?

With 20 years of experience in the messaging industry, we are trusted by some of the world’s most well-known telco and service provider brands. We power 170 million mailboxes and specialise in secure, reliable, GDPR-compliant, white label, hosted email. (On-premises options also available.) For more information, please contact us here.



Share This Post