<?xml version="1.0" encoding="utf-8" ?><rss version="2.0" xml:base="http://www.messagingnews.com/taxonomy/term/110/all" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>MAAWG</title>
    <link>http://www.messagingnews.com/taxonomy/term/110/all</link>
    <description></description>
    <language>en</language>
          <item>
    <title>In Today’s API World, IT Needs to Assume A Breach and Marketers Need to Be Security Conscious</title>
    <link>http://www.messagingnews.com/story/today-s-api-world-it-needs-assume-breach-and-marketers-need-be-security-conscious</link>
    <description>&lt;p&gt;When &lt;a href=&quot;http://messagesystems.com&quot;&gt;Message Systems&lt;/a&gt;’ Mike Hillyer (director of solution
engineering) and Dave Lewis (CMO) set out to write the recently published white
paper &lt;em&gt;&lt;a href=&quot;http://messagesystems.com/landing-pages/security2/index.php&quot;&gt;Safeguarding Message Streams for Enterprises and Email Service
Providers - Technology Principles for Architecting a Secure Messaging
Environment&lt;/a&gt;&lt;/em&gt;, the
authors quickly realized that they could not write about inbound message
streams without talking about outbound message streams; they could not write
about marketing without talking about security; they could not write about
Email Service Providers (ESPs) without talking about enterprises. Messaging
today is now about relationships and interrelationships between messaging
channels, between online marketing and security, between siloed business units
and consistency, between data stewardship and trust, between stealth attacks
and breaches, and on and on. It can be difficult to talk about messaging
because of the “if we address this, then we should also address that” aspect
that the medium has&amp;nbsp;become.&lt;/p&gt;
&lt;p&gt;The number of channels that constitute messaging is more
than making an impact; it is changing the game. As Lewis points out, in
enterprises many business units make their own decisions about messaging
deployments. Some might have an in-house arrangement; another might outsource.
Even within the same business unit, email might be handled one way and SMS or IM
another. In the white paper, Lewis and Hillyer talk about how this typical
enterprise treatment of messaging channels operating in silos is opening up more
points of vulnerability than ever&amp;nbsp;before.&lt;/p&gt;
&lt;p&gt;Others in the industry agree that companies are more at risk
today due to the number of channels organizations use for messaging. “Companies
are clearly at greater risk now and this will only increase as messaging moves
more and more away from what we think of as conventional email to new methods
and techniques,” states Michael O&amp;#8217;Reirdan, chairman of the &lt;a href=&quot;http://www.maawg.org&quot;&gt;Messaging Anti-Abuse
Working Group&lt;/a&gt; (MAAWG).
“A few years ago when you thought of messaging, email was the first thing that
came to mind - and with it the problem of spam. But now, think of messaging and
a plethora of techniques come to mind that are all suddenly available to the
bad guys. Email is still there, and is a very effective tool for slipping a
compromised file onto an unsuspecting CFO&amp;#8217;s desktop, but what about a Facebook
message from an old friend or a link in a Tweet that looks like it might be fun
to follow up? Then there is the whole issue of the mobile ecosystem and how
smart phones can be used to compromise a target&amp;#8217;s personal&amp;nbsp;data.”&lt;/p&gt;
&lt;p&gt;This interplay between messaging channels, as I noted above,
and the number of ways to deploy (and protect) them has changed
messaging radically in the last few years. MAAWG, an open, global organization
with high-profile members from the messaging industry, has long been at the
forefront of fighting messaging abuse, going back to the days when spam was at its height.
O&amp;#8217;Reirdan shared with me that during MAAWG’s recent meeting the group decided
to rename itself to better reflect the breadth of what has become the
organization’s&amp;nbsp;charter.&lt;/p&gt;
&lt;p&gt;“MAAWG is evolving from just being the &amp;#8220;spam&amp;#8221;
organization into focusing on handling new methods of abuse in the messaging
arena, including continuing to work on mobile,” explains O&amp;#8217;Reirdan. “At the
same time, the malware, once executed, that sets up botnets is still at the
core of abuse and MAAWG will persist in its work to help ISPs eliminate this.
Hence the new view we have of MAAWG is M3 (cubed), M3AAWG,
representing the three areas of concern, Messaging, Mobile and Malware.” The
official announcement of the name change is expected in the coming&amp;nbsp;months.&lt;/p&gt;
&lt;p&gt;The number of vulnerability
points that Lewis notes as a growing concern for organizations is largely due
to the newer threat landscape of APTs (advanced persistent threats) that are
more targeted and stealthier in execution than before. In the white paper, a
definition of APTs is given from the analyst group Gartner: “’Advanced’ means it
gets through your existing defenses. ‘Persistent’ means it succeeds in hiding
from your existing level of detection. ‘Threat’ means it causes you harm.” This sophistication has led Lewis to
caution organizations to think about shifting to a posture beyond frontline
defense and assume that infiltration by cybercriminals has either already
occurred or will&amp;nbsp;occur.&lt;/p&gt;
&lt;p&gt;“The number of breaches that we publicly read about in the
press, is not representative of the number of breaches that are actually
happening,” says Lewis. “This is for two reasons. One is that the breaches have
not been reported because there are no reporting requirements standards – often
companies may decide what constitutes a breach. For different reasons they
choose not to disclose a breach, as there are consequences to doing that, so if
they can avoid it, they do. It’s human nature. The other is that they might
simply not recognize the breach. They might not know that it actually&amp;nbsp;occurred.”&lt;/p&gt;
&lt;p&gt;Fail-proof messaging security cannot be counted on in today’s
messaging world, believes Lewis. “My point about the inevitability of a breach,
when you look at the issue of all the various points of vulnerability that a
hacker can find to get into your system, including simply human neglect – a
memory stick fallen into the wrong hands, or even more intentional than that –
the point is these threats are so persistent that sooner or later, something is
going to get through your defenses. So you need to be prepared for that
inevitability and it is not just a matter of having an incident response plan
waiting in the wings and to be ready to move on it, at that point, it is
already too late. If you are calling up your clients and issue a press release
and so forth – you are in damage control&amp;nbsp;mode.”&lt;/p&gt;
&lt;p&gt;Instead, Lewis encourages organizations to focus on
mitigation. “What we mean by mitigation is not just damage control, but an
extension of your prevention processes. You need to continue to monitor for
abusive activity in your mail streams both incoming and outbound as an ongoing
thing and be prepared to act on&amp;nbsp;it.”&lt;/p&gt;
&lt;p&gt;On outbound messaging for example, Lewis says companies
typically use complaint data, ISP block and bounce data to measure
deliverability. “That is all well and good, and an appropriate use to see if a
campaign is successful or not, but how about applying that data in your
security program?” he asks. “If you have a huge spike in complaints or you
suddenly find yourself blocked, or are getting bounces – it could mean you have
done something wrong, like send content to the wrong audience, but it could
also mean that your system has been compromised and you don’t know about it.
The trick is to be able to capture that data and act on it in real time so that
you don’t turn a data breach into a data&amp;nbsp;disaster.”&lt;/p&gt;
&lt;p&gt;Staying vigilant is a recurring theme when dealing with
today’s messaging threats. Lewis cautions online marketers to be more
security-minded in today’s messaging world. “Marketing people in most
organizations don’t think in terms of security. It is an afterthought, if they
think of it at all,” he observes. “Marketers need to recognize the criticality
of security, not in some abstract way, but in terms of them achieving their own
goals. Marketers are typically tasked with generating revenue and building
relationships. Both of those goals could be in jeopardy if there is a loss of
trust. For example, the way most marketers think about authentication is as a
tactic to improve deliverability, but that is not really its intended purpose.
They need to be thinking about authentication on not just their outbound, but
also on their inbound. They need to take a page from the ISP carrier book and
apply it to their own&amp;nbsp;organizations.”&lt;/p&gt;
&lt;p&gt;The increase in spear phishing incidents is another example
of how advanced threats have become. Lewis feels that marketers should not
undervalue their marketing data. “Companies often say, it is only an email address,
or only marketing data with the notion that it does not have the same value as
PII (personally identifiable information), but if you can use that data to
target an individual and get them to open an email, then a phisher can do that
too. We have to think in terms of how they are using the data. It is really a
mistake to underestimate&amp;nbsp;them.”&lt;/p&gt;
&lt;p&gt;Phishers are really incredible marketers.
Anyone can become a victim and technology is often fooled too. O&amp;#8217;Reirdan
recommends to everyone: “Think before you act, look before you leap, don&amp;#8217;t be
gullible. All obvious, I know,” he says. “But what works well in the real
world, works well online too. Spear phishing almost always relies on social
engineering so no amount of software will protect against a good and ingenious
exploit of the ‘human in the&amp;nbsp;loop’.&amp;#8221;&lt;/p&gt;
&lt;p&gt;Messaging security is never
done, according to Lewis. “I think the biggest mistake companies can make at
this juncture is to make a few tweaks in their technology, to make a few
practice changes and call it done. The most dangerous thing organizations can
do is to underestimate spear phishers. They may not have any scruples, but they
understand the value of data. I see this as a significant threat to the
ecosystem. This isn’t a short-term thing. We need to figure out how to maintain
a safe and secure environment because this is crucial to our ability to obtain
data and use data for messaging. This is the way it will be from here on&amp;nbsp;in.”&lt;/p&gt;
&lt;p&gt;The &lt;a href=&quot;https://www.otalliance.org&quot;&gt;Online Trust Alliance&lt;/a&gt;, as
part of its &lt;em&gt;Security by Design&lt;/em&gt; campaign,
created a very useful self-survey (in the form of 20 questions) for
organizations to use to help become better prepared to respond to and avoid
security incidents. Questions like: Is your definition of personal information
current and in line with both applicable industry regulation and customer’s
expectations? Have you conducted a comprehensive audit of your data flows
across the enterprise and vendors including a privacy and security review of
all data collection and management activities? Are employees equipped to notify
management of security incidents, including intrusion, breach, data misuse or
data loss? What processes do you have in place for data minimization, secure
archiving and data destruction? Take a look at all &lt;a href=&quot;https://otalliance.org/resources/security/top20securityquestions.html&quot;&gt;Top 20 Questions&lt;/a&gt; as steps
toward what Lewis terms “proactive&amp;nbsp;mitigation”.&lt;/p&gt;
&lt;p&gt;Above all else, stay vigilant
and ready, especially toward social engineering tactics. As O&amp;#8217;Reirdan states,
“Social engineering remains a major threat and a route by which many APTs begin
to weave their insidious webs within organizations. In many cases, APTs are
long term operations that get embedded within the enterprise so that when
exfiltration of data commences, they are so below the radar that detection is
very&amp;nbsp;hard.”&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/it-security">IT Security</category>
 <category domain="http://www.messagingnews.com/messaging-security">Messaging Security</category>
 <category domain="http://www.messagingnews.com/online-marketing">Online Marketing</category>
 <category domain="http://www.messagingnews.com/email-marketing">Email Marketing</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/mobile-security">Mobile Security</category>
 <category domain="http://www.messagingnews.com/internet-security">Internet Security</category>
 <category domain="http://www.messagingnews.com/data-breach-protection">Data Breach Protection</category>
 <category domain="http://www.messagingnews.com/spam-filtering">Spam Filtering</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/e-marketing">E-Marketing</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <category domain="http://www.messagingnews.com/tag/tags/message-systems">Message Systems</category>
 <category domain="http://www.messagingnews.com/tag/tags/online-trust-alliance">Online Trust Alliance</category>
 <pubDate>Wed, 30 Nov 2011 19:03:43 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">74185 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>What&#039;s the Harm If I Get What I Pay For? End-to-End Analysis of the Spam Value Chain</title>
    <link>http://www.messagingnews.com/story/whats-harm-if-i-get-what-i-pay-end-end-analysis-spam-value-chain</link>
    <description>&lt;p&gt;Have you ever wondered what would happen if you actually responded to an online offer for an herbal supplement or an enhancement drug? As any active emailer knows, there is a relentless tide of spam out there, and while filters and other techniques keep an amazing amount of spam out of users’ inboxes, spam still manages to seep in, and those dietary supplements, herbal remedies, enhancement drugs and even watch offers show no signs of&amp;nbsp;stopping.&lt;/p&gt;
&lt;p&gt;Christian Kreibich from the Berkeley-based International Computer Science Institute and team wondered about those spam offers too; so they researched the complete lifecycle of a spam offer, from receiving the offer, to ordering, to payment, all the way through to product receipt. It is an interesting analysis to be sure. Kreibich presented the findings of the analysis at the &lt;a href=&quot;http://www.maawg.org/&quot;&gt;Messaging Anti-Abuse Working Group&lt;/a&gt;’s (MAAWG) 22nd General Meeting in San Francisco last&amp;nbsp;week.&lt;/p&gt;
&lt;p&gt;The spam trail encountered by Kreibich proved to be 95% pharmaceutical, so much of his talk centered around the tracking and ordering of supplements, enhancers, prescription and over-the-counter drugs. During the analysis period, the group attempted 120 purchases, of which 76 were authorized and 56 settled, resulting in 49 deliveries. The reason the deliveries and the purchase attempts are not closer in number is that some of the programs stopped taking orders from the researchers, even though the researchers would change where deliveries were to be shipped and used different&amp;nbsp;names.&lt;/p&gt;
&lt;p&gt;“It got progressively harder to make purchases,” admits Kreibich. “Generally, you do get deliveries because the merchant needs to maintain a good relationship with the&amp;nbsp;banks.”&lt;/p&gt;
&lt;h2&gt;Where Is the&amp;nbsp;Harm?&lt;/h2&gt;
&lt;p&gt;So, does this mean that it’s okay for you to order that herbal supplement offer you keep receiving, but were afraid to because you might not get what you paid&amp;nbsp;for?&lt;/p&gt;
&lt;p&gt;“The analogy I would use for spammers actually fulfilling orders is a bit like a window company throwing a coupon wrapped around a brick through a prospective customer’s window,” responds Michael Osterman, analyst and president of Osterman Research, Inc. “Even if the glass company actually shows up on time to replace the glass and their quality is good, the method of marketing their services is still a problem. In the same way, spammers eat up bandwidth and storage on prospective customers’ servers, desktops, etc. in exchange for potentially offering a decent product. Fulfilling an order is good, but the method of gaining the customer in the first place is&amp;nbsp;not.”&lt;/p&gt;
&lt;p&gt;Kreibich agrees, saying, “There is tremendous technical collateral damage in this business. Beyond this, I&amp;#8217;d add first that the advertising model of spam is completely illegal virtually anywhere due to the way it&amp;#8217;s realized because it&amp;#8217;s facilitated by relying on infected machines. Secondly, a substantial part of the products one can order are illegal in the country you order from. For example, many of these shops will sell you prescription drugs, right up to cancer medications, without the need for a&amp;nbsp;prescription.”&lt;/p&gt;
&lt;p&gt;Having your computer become part of a botnet that aids in the spewing of spam is a definite danger of doing business with spammers. Spammers are not reputable in the business world, although they are successful, otherwise they would not continue. So what about the money&amp;nbsp;trail?&lt;/p&gt;
&lt;h2&gt;Payment&amp;nbsp;Infrastructure&lt;/h2&gt;
&lt;p&gt;In the sleuthing, a key insight comes from this money trail research: just three merchant banks account for 95% of the processing of payments related to spam. The banks were: Azerigazbank in Azerbaijan (Eurasia), St Kitts-Nevis-Anguilla National Bank Limited in the Caribbean, and DnB NORD in the Baltic States. Indeed some feel that this bottleneck might be a place of vulnerability in the spam trail. Would it be possible to halt the payment processing in a kind of financial&amp;nbsp;blacklist?&lt;/p&gt;
&lt;p&gt;Perhaps, believes Kreibich, but it would have to be through the Western bank. “If the issuing bank refused to settle certain transactions it could have a significant impact.” Kreibich points to online gambling as a possible precedent for such&amp;nbsp;action.&lt;/p&gt;
&lt;p&gt;Asked if the product delivered was indeed the product ordered, Kreibich replies, “In general, you do get a delivery. We have done ‘some’ component analysis via mass spectrometry that confirmed the right active ingredients and composition for some ‘herbal supplements.’ But we are in no way saying that people generally get the real drug or right combination of&amp;nbsp;ingredients.”&lt;/p&gt;
&lt;p&gt;Still wondering about responding to a spam offer? Spam experts advise against it: &amp;#8220;Very often, those who order by spam don&amp;#8217;t always get what they order,” warns MAAWG Chairman and Comcast Distinguished Engineer Michael O&amp;#8217;Reirdan. “The problem also is that once they have ordered via spam, they also set themselves up as targets for other spam, which might be a vector for&amp;nbsp;malware.&amp;#8221;&lt;/p&gt;
&lt;p&gt;Learn more about the research by reading Kreibich et al.’s paper: &lt;a href=&quot;http://www.icir.org/christian/publications/2011-oakland-trajectory.pdf&quot;&gt;Click Trajectories: End-to-End Analysis of the Spam Value&amp;nbsp;Chain&lt;/a&gt;&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/it-security">IT Security</category>
 <category domain="http://www.messagingnews.com/messaging-security">Messaging Security</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/internet-security">Internet Security</category>
 <category domain="http://www.messagingnews.com/internet-privacy">Internet Privacy</category>
 <category domain="http://www.messagingnews.com/spam-filtering">Spam Filtering</category>
 <category domain="http://www.messagingnews.com/botnet-detection">Botnet Detection</category>
 <category domain="http://www.messagingnews.com/antimalware">Antimalware</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <category domain="http://www.messagingnews.com/tag/tags/osterman-research">Osterman Research</category>
 <pubDate>Thu, 16 Jun 2011 12:41:28 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">43640 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>National Internet Safety (and Security?) Month, MAAWG, and Passwords</title>
    <link>http://www.messagingnews.com/story/national-internet-safety-and-security-month-maawg-and-passwords</link>
    <description>&lt;p&gt;The United States Senate passed a resolution in 2006 stating
that June is National Internet Safety Month; the idea is to prompt Internet
safety discussions between parents and kids&amp;#8212;but why not expand to include IT,
users and security? Things like identity-theft protections, not sharing too
much personal information, being phishing aware and Internet defense are all
topics to be encouraged this&amp;nbsp;month. &lt;/p&gt;
&lt;p&gt;In the wake of all the breaches we have encountered of late,
it is worth calling users’ attention to the fact that information sharing is
often optional; it just doesn’t always &lt;em&gt;appear&lt;/em&gt; to be optional. By default, companies today ask a lot of questions
about you and that information gets stored somewhere and&amp;#8212;as we have recently
seen&amp;#8212;it is not always stored very securely. So encourage users to think
before giving away names, addresses, birthdates and other such&amp;nbsp;information.&lt;/p&gt;
&lt;p&gt;This week I had the honor of being invited to a few sessions
during the &lt;a href=&quot;http://www.maawg.org&quot;&gt;Messaging Anti-Abuse Working Group&lt;/a&gt;’s (MAAWG)
22nd General Meeting. Held in San Francisco, the group’s focus was on the
future of online messaging with multi-track sessions on a variety of anti-abuse
topics. The meetings are held three times a year, are open to members only and
much of what is covered is confidential (read no press allowed). The group does
valuable work and is a great&amp;nbsp;resource. &lt;/p&gt;
&lt;p&gt;The keynote by Dr. Markus Jakobsson, principal scientist, consumer
security with PayPal and active MAAWG member, offered suggestions on how to
improve the user authentication experience. Also in attendance at MAAWG this
week was &lt;a href=&quot;http://www.ostermanresearch.com&quot;&gt;Osterman Research, Inc&lt;/a&gt;. Analyst and President Michael Osterman. So as
not to duplicate efforts, please read Osterman’s highlights of Dr. Jakobsson’s talk in his write-up entitled: &lt;a href=&quot;http://www.messagingnews.com/osterman/michael-osterman/making-passwords-easier-remember-and-more-secure&quot;&gt;Making Passwords
Easier to Remember and More Secure&lt;/a&gt;. I recommend you take the time to review Dr.
Jakobsson’s advice on passwords, which Osterman shares; it is interesting
reading and research.&lt;/p&gt;
&lt;p&gt;A key point Dr.
Jakobsson makes is that users should make passwords from what he calls
“fastwords” that boil down a story into three words. These words on the surface
seem very random, but to the user these select words are meaningful because
they tell a tale, which aids in password recall success.&lt;/p&gt;
&lt;p&gt;Another password memory recommendation, similar to Dr. Jakobsson’s
advice of telling a story, is to come up with a password with which you can
make clear associations or phrases. Traditionally, a strong password is one that contains
both uppercase and lowercase letters, numbers and symbols. For example,
given the password &lt;em&gt;Hmkw?Aba4g!&lt;/em&gt;,
a user could remember it by: &lt;em&gt;How many kids won? A boy and 4 girls!&lt;/em&gt; These kinds of tricks make remembering passwords
much easier; as Dr. Jakobsson points out, people hate passwords, mostly because
good passwords are hard to&amp;nbsp;remember.&lt;/p&gt;
&lt;p&gt;So while it is National Internet Safety Month, June might be
a good time to share with your users the concept of Dr. Jakobsson’s “fastwords”
to help with password recall or perhaps remind users to think before sharing
too much personal (or company) information on blogs or social networks. Or
maybe remind people to go home and tell the kids what phishing means or that it
is easy to hide true identity&amp;nbsp;online.&lt;/p&gt;
&lt;p&gt;Dr. Jakobsson believes that to really reach users we must
first get their attention and motivate them, and then give meaningful advice
that is actionable. “To be boring is not good,” says Dr. Jakobsson. “Be
attractive to users and do not ask them to do anything that is too hard or
complicated because they will not&amp;nbsp;comply.” &lt;/p&gt;
&lt;p&gt;Malware, crimeware and other Internet hooligans are so
creative and often appear very attractive to users. Internet safety and
security today is something we all need to be aware of because buttoning down a
network so that it is impervious to attack is increasingly difficult; some might
say impossible. Even companies like RSA Security and Lockheed Martin, which put
a premium on security, can be victims. Perhaps National Internet Safety Month
is the time to get creative on sharing online dangers and risks to get your
users interested in security and online&amp;nbsp;safety.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/it-security">IT Security</category>
 <category domain="http://www.messagingnews.com/messaging-security">Messaging Security</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/mobile-security">Mobile Security</category>
 <category domain="http://www.messagingnews.com/internet-security">Internet Security</category>
 <category domain="http://www.messagingnews.com/authentication">Authentication</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/antimalware">Antimalware</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <pubDate>Thu, 09 Jun 2011 18:29:50 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">42306 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>China-U.S. Effort to Fight Spam Previewed at MAAWG General Meeting</title>
    <link>http://www.messagingnews.com/eyeonmessaging/stephanie-jordan/china-us-effort-fight-spam-previewed-maawg-general-meeting</link>
    <description>&lt;p&gt;There are a handful of groups that I always follow closely and one of them is &lt;a href=&quot;http://www.maawg.org&quot;&gt;MAAWG&lt;/a&gt; (Messaging Anti-Abuse Working Group). The organization held its 21st General Meeting Feb. 22–23 in Orlando, FL. At the meeting the &lt;a href=&quot;http://www.ewi.info&quot;&gt;EastWest Institute&lt;/a&gt; (EWI), a New York-based international think tank, announced an ongoing bilateral effort to reduce spam between China and the United&amp;nbsp;States.&lt;/p&gt;
&lt;p&gt;Karl Frederick Rauscher, chief technology officer for EWI, previewed a joint China-U.S. report on cybersecurity:&amp;nbsp;&lt;em&gt;Fighting Spam to Build Trust, &lt;/em&gt;which&amp;nbsp;will be the first product of talks between Chinese and U.S. experts convened by EWI. The report&amp;#8217;s focus is on voluntary best practices for reducing&amp;nbsp;spam.&lt;/p&gt;
&lt;p&gt;China is not one of the top 10 spam emitters (the U.S. holds that distinction), according to Cisco Senior Security Researcher Henry Stern; however, China became the most spammed country in February with a spam rate of 86.2&amp;nbsp;percent, according to the &lt;a href=&quot;http://www.symantec.com/&quot;&gt;Symantec&lt;/a&gt; February 2011 &lt;a href=&quot;http://www.symantec.com/messagelabs&quot;&gt;MessageLabs&lt;/a&gt; Intelligence&amp;nbsp;Report.&lt;/p&gt;
&lt;p&gt;MAAWG Chairman and Distinguished Engineer at Comcast Michael O’Reirdan believes this effort is noteworthy: &amp;#8220;This dialogue with China is a most welcomed breakthrough&amp;#8212;a real step forward. It comes at an opportune time and can build on the work that has been going on at MAAWG for several&amp;nbsp;years.&amp;#8221;&lt;/p&gt;
&lt;p&gt;MAAWG works against spam and online exploitation, representing over one billion mailboxes worldwide. “Back in 2004 the ISP industry began its cooperative efforts to deal with spam, and now in 2011 we are working together on a wide range of abuse issues which encompass spam, bots, mobile threats, law enforcement issues and public policy,” says O’Reirdan. “Spam is a great starting point in working with China and it is still a major issue that needs&amp;nbsp;resolution.”&lt;/p&gt;
&lt;p&gt;According to Rauscher, the EastWest Institute is a trusted convener of parties that have difficulty talking to each other. &amp;#8220;The cybersecurity arena is one where there is tremendous distrust between China and
the U.S.&amp;#8212;the two biggest cyber super powers in the world,&amp;#8221; he explains. &amp;#8220;This first step of cooperating to fight spam is attractive because it is an area where both sides have very common interests. Not only is about 90 percent of all email messages spam, but spam is also the carrier of malicious code such as viruses and it is often used as a vehicle for fraud. Given the profound economic interdependencies that China and the U.S. have, opening some dialogue in cybersecurity is an important&amp;nbsp;step.&amp;#8221;&lt;/p&gt;
&lt;p&gt;Does China stand to gain more than the U.S. with this effort? With the rapid growth of Internet users in China, O&amp;#8217;Reirdan notes that, &amp;#8220;the possibility exists that there would be much more spam emanating from China over time. As such, this cooperative work is in the interests of both China and the U.S., as well as the rest of the&amp;nbsp;Internet.&amp;#8221;&lt;/p&gt;
&lt;p&gt;The report will have recommendations for combating spam and will include processes for creating international protocols aimed to differentiate legitimate messages from spam; a call for educating consumers about the risk of botnets; and measures for discouraging spam, such as encouraging ISPs in both countries to use feedback loops. &amp;#8220;The guidance from the joint report will mostly be in the form of voluntary best practices,&amp;#8221; says Rauscher. “These are applicable for network operators and ISPs from both China and the U.S., as well as for other&amp;nbsp;countries.&amp;#8221;&lt;/p&gt;
&lt;p&gt;EWI President and Founder John E. Mroz adds: “The United States and China face large moral and political dilemmas in cooperating on cybersecurity. Do we continue to see each other as enemies or rivals, or do we edge slowly forward trying to find common ground? We know that the economic and personal security of our citizens depends on a quantum leap in cooperation and an end to the rapidly escalating cyber&amp;nbsp;mistrust.”&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Fighting Spam to Build Trust&lt;/em&gt; is expected to be published this&amp;nbsp;month.&lt;/p&gt;
&lt;p&gt;=&lt;/p&gt;
&lt;p&gt;Eye on Messaging is written by Stephanie Jordan, editor in chief of Messaging News. If you have story ideas
or news to share, email her: &lt;span class=&quot;spamspan&quot;&gt;&lt;span class=&quot;u&quot;&gt;sjordan&lt;/span&gt; [at] &lt;span class=&quot;d&quot;&gt;messagingnews [dot] com&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description>
     <comments>http://www.messagingnews.com/eyeonmessaging/stephanie-jordan/china-us-effort-fight-spam-previewed-maawg-general-meeting#comments</comments>
 <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/internet-security">Internet Security</category>
 <category domain="http://www.messagingnews.com/spam-filtering">Spam Filtering</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/antimalware">Antimalware</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <pubDate>Thu, 10 Mar 2011 02:50:55 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">30900 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>We&#039;re All Sheriffs in the Land of the Walking Dead: The Botnet Fight</title>
    <link>http://www.messagingnews.com/story/were-all-sheriffs-land-walking-dead-botnet-fight</link>
    <description>&lt;p&gt;“Wake up!” Or so one might want to shout at those enterprise network operators and IT managers who consistently act as if their operations were islands unto themselves. These are the mavericks that ignore industry best practices and go their own way, believing their networks immune to zombies or bot infections, and who disregard the lessons learned by their&amp;nbsp;peers.&lt;/p&gt;
&lt;p&gt;The sad reality is that we all suffer once zombies or bots find their way onto these susceptible networks or Web sites. The bot-delivered malware that ends up surreptitiously installed on users’ computers is a finely tuned parasite, capable of stealing valuable informational assets such as personal identity records or credit card numbers. The bot then turns the computer into an efficient spam machine, sending abusive email just under the network operator’s radar and often launching highly targeted phishing expeditions&amp;#8212;all without the computer owner’s permission or knowledge. Enterprises and their banking operations are being precisely targeted by malware such as Zeus and SpyEye, which is designed to compromise banking credentials and is very successful at doing so, thereby gaining access to corporate bank accounts and stealing millions of&amp;nbsp;dollars.&lt;/p&gt;
&lt;p&gt;Spam from bot-infected computers clogs the Internet and is often loaded with malicious code aimed at other unsuspecting users. According to metrics aggregated by the &lt;a href=&quot;http://www.maawg.org&quot;&gt;Messaging Anti-Abuse Working Group (MAAWG)&lt;/a&gt;, almost 90 percent of all email traffic on the Internet is abusive. Together with social engineering and compromised Web sites, spam is one of the most important ways to get end-user machines compromised with&amp;nbsp;malware.&lt;/p&gt;
&lt;p&gt;Beyond the personal and business setbacks it spawns, abusive messaging also has become a huge budgetary drain. &lt;a href=&quot;http://www.ferris.com&quot;&gt;Ferris Research, Inc.&lt;/a&gt; estimated that spam cost the U.S. $42 billion in 2009. This is just slightly less than the $40 billion that &lt;a href=&quot;http://www.globalissues.org/article/26/poverty-facts-and-stats&quot;&gt;globalissues.org&lt;/a&gt; calculates it would cost to provide universal access to basic social services in all developing countries. Ferris puts the worldwide outlay for spam last year at more than three times this amount, around $130 billion&amp;nbsp;globally.&lt;/p&gt;
&lt;p&gt;Given the scope of the problem, no one entity alone can stop bots or the resulting spam they generate. Creating a safe online environment is the responsibility of all of us who have an interest in the free exchange of information. This includes network operators and email providers, industry vendors, corporate networks, small business users, and yes, even end-users. We all have a role to play in protecting the&amp;nbsp;Internet.&lt;/p&gt;
&lt;h2&gt;Taking a&amp;nbsp;Stand&lt;/h2&gt;
&lt;p&gt;The first priority for end-users is to learn good computing habits and to understand the dangers inherent in spam. Half of the email users in North America and Western Europe opened or accessed spam last year, according to the 2010 MAAWG Email Security Awareness and Usage Survey. Tens of millions clicked on links or opened attachments that could leave their computers vulnerable to a bot. As long as users continue to interact with spam, and as long as spam remains a profitable commerce model, the cybercriminals will be open for&amp;nbsp;business.&lt;/p&gt;
&lt;p&gt;In some respects, battling spam and cybercrime is a never-ending arms race. As soon as the industry identifies a bot or a cleverly devised phishing scheme, the cybercriminals quickly morph the code or change their mode of operation, making the malware more difficult to detect. We have to remember that in the time of open source and Internet standards, the tools available to the good guys are just as easily used by the bad guys&amp;nbsp;too.&lt;/p&gt;
&lt;p&gt;Yet, there are definite remedies in sight. From the industry’s perspective, one of the best weapons in this battle is the development of generally accepted procedures and tactics. Industry best practices tackle the thorny issues that require a broad, consensus approach to problem solving. They incorporate the industry’s collective wisdom on avoiding common mistakes and how to provide a better online experience for users. Best practices are guidelines freely offered by the industry to be voluntarily applied within a relevant organization’s strategic and technical&amp;nbsp;framework.&lt;/p&gt;
&lt;p&gt;The question any enterprise or business should be asking is not if it should implement anti-abuse best practices. Given the enormous cost and risk associated with spam and bots, the question is why would an organization not make adopting best practices a priority? Many of these practices cost next to nothing to implement, in many cases just requiring simple configuration changes or minor modifications to working&amp;nbsp;practices.&lt;/p&gt;
&lt;h2&gt;Best Practices Illuminate Industry’s Shared&amp;nbsp;Knowledge&lt;/h2&gt;
&lt;p&gt;Industry associations like MAAWG bring together representatives from all perspectives to work out solutions to common problems. As a result, the best practices developed through MAAWG tend to be more balanced rather than advancing a specific company’s or business sector’s interests. For example, many of the bulk senders in MAAWG worked closely with our network operator members to understand all sides of the issues when developing the MAAWG best practices for email marketers. Likewise, ISPs talked with abuse desk professionals in developing the best practices for notifying users when they have a bot on their computer and in addressing other issues related to remediation of infected machines, which often are placed in walled&amp;nbsp;gardens.&lt;/p&gt;
&lt;p&gt;Best practices also help to clarify the processes and technological strategies proven to be most effective in combating abuse. They often spell out common steps abuse and IT managers can take to better serve end users. MAAWG recently issued the first best practices aimed at providers of Web messaging systems. Among the recommendations were several well-known tactics that might otherwise be undervalued by Web messaging developers, such as auditing user account metrics and requiring registration before users can post or send&amp;nbsp;messages.&lt;/p&gt;
&lt;p&gt;The outcome of the effort within organizations like MAAWG to develop best practices is that smaller enterprises or regional operators have access to the broader and more varied experience of larger companies. These larger operations, with access to more resources and higher R&amp;amp;D budgets to invest in anti-abuse strategies, willingly share their knowledge and expertise to help advance the&amp;nbsp;industry.&lt;/p&gt;
&lt;p&gt;The only way to take down zombies, bots and spam is through this type of socially responsible action. By working together to protect the Internet and users’ online experience, we all profit. To that end, we have all been deputized in the Internet&amp;nbsp;posse.&lt;/p&gt;
&lt;p&gt;&amp;#8212;&lt;/p&gt;
&lt;h2&gt;About Michael&amp;nbsp;O’Reirdan&lt;/h2&gt;
&lt;p&gt;Michael O’Reirdan is serving his
third term as chairman of the Messaging Anti-Abuse Working Group (MAAWG), the industry’s largest global trade association that works against messaging spam, viruses, denial-of-service attacks and other online exploitation. Professionally, O’Reirdan is a Distinguished Engineer at a major ISP in North America with over 18 years of experience in the ISP field and with public facing messaging platforms. He has served on executive advisory boards for several major computer vendors and academic institutions and is active in other industry&amp;nbsp;organizations.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/michael-o-reirdan-chairman-messaging-anti-abuse-working-group-maawg">Michael O’Reirdan -- Chairman; Messaging Anti-Abuse Working Group (MAAWG)</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/botnet-detection">Botnet Detection</category>
 <category domain="http://www.messagingnews.com/internet-worm-protection">Internet Worm Protection</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <pubDate>Mon, 22 Nov 2010 18:36:26 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">28558 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>What Can Users Do to Protect Themselves from Bots?</title>
    <link>http://www.messagingnews.com/story/what-can-users-do-protect-themselves-bots</link>
    <description>&lt;p&gt;Every day there are news
stories about bots and all the harm they cause. Bots are pieces of software,
often called malware, which criminals surreptitiously install on computers to
inflict harm, such as sending spam, stealing financial information or
conducting DDOS attacks against other computers. Corporate PCs are tempting
targets as they often have access to confidential company information. Recent
cases of infected corporate PCs have been in the news with tales of large sums
of money stolen from corporate bank&amp;nbsp;accounts.&lt;/p&gt;
&lt;p&gt;Your first line of
defense against bots is having a basic foundation in place by making sure your
operating system is current and secure. This is known as patching the
operating system, and both Microsoft and Apple offer the
capability to set your system options to automatically update the operating
system to protect against recently discovered security issues. If the operating
system is not updated with the latest patches, it will be susceptible to
well-publicized&amp;nbsp;vulnerabilities.&lt;/p&gt;
&lt;p&gt;Having patched the
operating system, the next thing is to make sure that up-to-date anti-virus,
anti-spyware and firewall packages are installed on the computer. This is more
relevant to Windows-based machines, although the incidence of bots on Apple
machines is slowly increasing as the market share increases. Bots are created
with ROI in mind, and until recently, the best ROI has been to target the
largest installed base of machines, which are those running&amp;nbsp;Windows. &lt;/p&gt;
&lt;p&gt;The anti-virus package
also should be set to update itself regularly. The criminals who create bots
habitually update their malware to evade anti-virus software, so in turn, the
anti-virus package needs to be regularly updated with the newest defenses. In
larger corporate environments, there may be a firewall or Web gateway as a
first line of defense against malware, but this does not obviate the need for
defending individual&amp;nbsp;machines.&lt;/p&gt;
&lt;p&gt;More insidious is the
stealthy attack mounted against a company using social engineering
techniques.&amp;nbsp; Someone pretending to
be an employee might ring a call center and ask for a password to be reset so
they can access the corporate system. Alternatively, someone might leave a
couple of USB keys lying around that have files with interesting names like “Q4
pay raises” on them. Once opened, these files will install malware on the
machine and perhaps allow access to a company’s internal network. A brilliant
yet simple social engineering campaign involved flyers with a URL referenced on
them that were posted on the windshields of parked cars. Once accessed, the Web
site infected vulnerable unpatched machines, allowing the attackers&amp;nbsp;access.&lt;/p&gt;
&lt;p&gt;Finally, do not overlook
remote workers.&amp;nbsp; They often use
their own machines which may not be up to corporate security standards. Between
10 percent and 25 percent of all machines on broadband residential networks are infected with
bots. If a remote machine is going to access the corporate network, either
strictly limit access or ensure the machine is protected properly, as described
above. Many remote workers also use wireless networks at home and these should
be protected using encryption techniques such as&amp;nbsp;WPA2.&lt;/p&gt;
&lt;p&gt;&amp;#8212;&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;/sites/default/files/users/user14/o%27reirdan-maawg-sized.jpg&quot; alt=&quot;&quot; width=&quot;100&quot; height=&quot;116&quot; /&gt;Michael O’Reirdan is
serving his second term as Chairman of the Messaging Anti-Abuse Working Group
(MAAWG), the industry’s largest global trade association that works against
messaging spam, viruses, denial-of-service attacks and other online
exploitation.&amp;nbsp; He also leads the organization’s
Internet Service Providers Closed Colloquium, a MAAWG committee of
international network operators.&amp;nbsp;
Professionally, Mr. O’Reirdan is a Distinguished Engineer at a major ISP
in North America with over 18 years of experience in the ISP field and with
public facing messaging platforms.&amp;nbsp;
He has served on executive advisory boards for several major computer
vendors and is active in other industry&amp;nbsp;organizations.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/michael-o-reirdan-chairman-messaging-anti-abuse-working-group-maawg">Michael O’Reirdan -- Chairman; Messaging Anti-Abuse Working Group (MAAWG)</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <pubDate>Fri, 18 Dec 2009 00:07:34 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">7416 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>Messaging Industry Comes Together Against Common Foes</title>
    <link>http://www.messagingnews.com/eyeonmessaging/stephanie-jordan/messaging-industry-comes-together-against-common-foes</link>
    <description>&lt;p&gt;This week Philadelphia hosts two important groups in the
messaging industry as the &lt;a href=&quot;http://www.MAAWG.org&quot;&gt;Messaging Anti-Abuse Working Group (MAAWG)&lt;/a&gt; and the &lt;a href=&quot;https://www.otalliance.org&quot;&gt;Online Trust Alliance (OTA)&lt;/a&gt; both hold meetings&amp;nbsp;there.&lt;/p&gt;
&lt;p&gt;MAAWG’s &lt;em&gt;17th General Meeting&lt;/em&gt; began today, October 26, and
runs through Wednesday, October 28. The meeting is to focus on critical technical
and public policy issues, including bot mitigation, Web messaging abuse, and
mobile spam among other topics. The keynote speaker is U.S. Air Force Brig. Gen. David
B. Warner, who will outline the government’s new military cyber security
defense&amp;nbsp;initiative. &lt;/p&gt;
&lt;p&gt;Also of interest on the mobile messaging front is an
overview of the proposed mobile spam act S.788. MAAWG endeavors to bring
organizations together, and this meeting includes participation from the
Anti-Phishing Working Group (APWG), the Anti-Spyware Coalition (ASC), Internet
Engineering Task Force (IETF), U.S. Federal Bureau of Investigation (FBI), Kids
Come First (FIRST Online), National Center for Missing &amp;amp; Exploited Children
(NCMEC), the Shadowserver Foundation, an organization that gathers cybercrime
intelligence, as well as other researchers and experts from academic&amp;nbsp;institutions.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Messaging News&lt;/em&gt; will offer more from MAAWG in the coming
weeks, so stay&amp;nbsp;tuned.&lt;/p&gt;
&lt;p&gt;While MAAWG offers professional development training courses
on October 29, OTA will hold its &lt;em&gt;2009 Online Trust &amp;amp; Brand Protection
Summit&lt;/em&gt;. Event speakers, including the Better Business Bureau, Federal Trade
Commission, Publishers Clearing House, Interactive Advertising Bureau,
Microsoft and others, will share recommendations to help organizations protect
not only their customers, but also their digital brands and&amp;nbsp;stockholders.&lt;/p&gt;
&lt;p&gt;Earlier this month, OTA published its Online Principles, a
set of global guidelines for preserving and enhancing consumer trust and
confidence, in an effort to avert what they see as a coming crisis in customer
confidence. OTA is calling on organizations to make good data stewardship a
corporate imperative. OTA first released a draft of its Online Principles for
comment in April, gathered feedback from across the industry, and revised
the Principles in a collective effort that included representatives from a
number of leading brands, such as Publishers Clearing House, Microsoft, Visa,
PayPal, American Greetings, Bank of America and&amp;nbsp;others.&lt;/p&gt;
&lt;p&gt;“The promise of
the Internet is achieved when consumer privacy and expectations are in line with
business practices,&amp;#8221; says Fran Maier, CEO of TRUSTe. &amp;#8220;OTA&amp;#8217;s Online
Principles is a significant step to increasing accountability, while giving
consumers confidence that abuse of their data and identity is thwarted. As
stewards of consumer data, businesses maximize their online brand value and
deepen customer relationships by building&amp;nbsp;trust.&amp;#8221; &lt;/p&gt;
&lt;p&gt;OTA has published its &lt;em&gt;&lt;a href=&quot;https://www.otalliance.org/resources/principles.html&quot;&gt;2009 Online Trust Principles &amp;amp;
Business Practices&lt;/a&gt;&lt;/em&gt;&amp;nbsp;on its
Web&amp;nbsp;site.&lt;/p&gt;
&lt;p&gt;=&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Eye on Messaging &lt;/em&gt;is written by Stephanie Jordan, editor in
chief of &lt;em&gt;Messaging News&lt;/em&gt;. If you have story ideas or news to share, email her:
&lt;span class=&quot;spamspan&quot;&gt;&lt;span class=&quot;u&quot;&gt;sjordan&lt;/span&gt; [at] &lt;span class=&quot;d&quot;&gt;messagingnews [dot] com&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description>
     <comments>http://www.messagingnews.com/eyeonmessaging/stephanie-jordan/messaging-industry-comes-together-against-common-foes#comments</comments>
 <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/online-marketing">Online Marketing</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/internet-worm-protection">Internet Worm Protection</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <category domain="http://www.messagingnews.com/tag/tags/ota">OTA</category>
 <pubDate>Mon, 26 Oct 2009 07:00:00 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">6817 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>MAAWG Offers Botnet Guidelines</title>
    <link>http://www.messagingnews.com/eyeonmessaging/stephanie-jordan/maawg-offers-botnet-guidelines</link>
    <description>&lt;p&gt;This month our friends at &lt;a href=&quot;http://www.MAAWG.org/&quot;&gt;Messaging Anti-Abuse Working Group&lt;/a&gt;
(MAAWG) published new best practices to help ISPs deal
with bot infections on customer computers. While these guidelines are targeted
at the consumer level, it is heartening to see the messaging community
cooperate and come together to develop the&amp;nbsp;suggestions.&lt;/p&gt;
&lt;p&gt;In an interview from last fall Michael O&amp;#8217;Reirdan,
chairperson of MAAWG, acknowledged that botnets were not just a consumer problem.
“Botnets exist on corporate networks just as they exist on the residential
networks run by the ISPs. They are quite discriminating. A bot sitting on a
corporate network is going to be worth more than sitting on a residential
network, and one sitting on a military network is worth even&amp;nbsp;more.”&lt;/p&gt;
&lt;p&gt;O&amp;#8217;Reirdan went on to talk about the business of botnets.
“There is a whole underground economy out there that goes from the people that
write the code (sort of like the gun makers) all the way through to the people
that deploy the code, people that rent time on botnets, people involved in the
laundry of cash that is generated and finally the delivery of goods. The whole
thing is a business. A lot of the bots come with technical support, customer
service, even refunds if you do not get the value for your money. It is a
parallel economy and it is turning over an enormous amount of&amp;nbsp;money.”&lt;/p&gt;
&lt;p&gt;The newly released guideline, &lt;em&gt;MAAWG Common Best Practices
for Mitigating Large Scale Bot Infections in Residential Networks&lt;/em&gt; (Version
1.0), is meant to try to stem the tide of bot infestations that are
contributing to spam and online fraud. According to MAAWG, bots &amp;#8212; malware running
on users’ computers without their knowledge &amp;#8212; are responsible for generating up
to 90 percent of spam and can also be used to steal personal information or
take part in DDOS (distributed denial of service) attacks. While the best practices
outline strategies used by some of the largest ISPs worldwide, they were also
developed to be scalable for smaller network operators and to consider legal
and process differences among&amp;nbsp;countries.&lt;/p&gt;
&lt;p&gt;“Bots are a global affliction and these best practices are
an important step in educating the industry on the appropriate processes to
help protect consumers,” believes&amp;nbsp;O&amp;#8217;Reirdan.&lt;/p&gt;
&lt;p&gt;The best practices outline various options for alerting
customers when their computers are infected and offer suggestions for helping
end-users clean their systems. The paper discusses bot detection methods,
customer notification, and the use of walled gardens to limit infected
machines’ exposure to the&amp;nbsp;Internet. &lt;/p&gt;
&lt;p&gt;Among the&amp;nbsp;recommendations:&lt;/p&gt;
&lt;p&gt;• While
protecting users’ privacy, network operators can use various tools to detect
infected end-user computers, including DNS, scanning the IP space to identify
vulnerable computers, and collecting IP traffic information for known command
and control&amp;nbsp;addresses.&lt;/p&gt;
&lt;p&gt;• Email,
phone calls to customers, postal mail and walled gardens are common
notification tools, each with their own considerations. In-browser messages are
considered to be among the most effective methods to alert customers but also
can be technically challenging to&amp;nbsp;implement. &lt;/p&gt;
&lt;p&gt;• ISPs
need to maintain a well-publicized security portal that includes directions for
end-user bot&amp;nbsp;removal.&lt;/p&gt;
&lt;p&gt;The paper also includes sample end-user messages and a list
of malware detection and removal tools. MAAWG says that the best practices will
continue to be revised to reflect new procedures and the evolution of new bot&amp;nbsp;threats.&lt;/p&gt;
&lt;p&gt;A survey MAAWG released in July found that about 80 percent
of consumers are aware of bots, but only 20 percent believe they will ever be
infected. The new bot mitigation best practices are part of the ongoing work at
MAAWG to confront messaging abuse. Previously, MAAWG has published best
practices for managing port 25, using walled gardens, sharing dynamic IP
address space, email forwarding practices, and senders best communications
practices, among other&amp;nbsp;topics.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The MAAWG Common Best Practices for Mitigating Large Scale
Bot Infections in Residential Networks&lt;/em&gt; is available for &lt;a href=&quot;http://www.maawg.org/about/publishedDocuments/MAAWG_Bot_Mitigation_BP_2007-07.pdf&quot;&gt;download&lt;/a&gt; on the MAAWG&amp;nbsp;site. &lt;/p&gt;
&lt;p&gt;&lt;em&gt;Eye on Messaging&lt;/em&gt; is written by Stephanie Jordan, editor in
chief of &lt;em&gt;Messaging News&lt;/em&gt;. If you have story ideas or news to share, email her:
&lt;span class=&quot;spamspan&quot;&gt;&lt;span class=&quot;u&quot;&gt;sjordan&lt;/span&gt; [at] &lt;span class=&quot;d&quot;&gt;messagingnews [dot] com&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description>
     <comments>http://www.messagingnews.com/eyeonmessaging/stephanie-jordan/maawg-offers-botnet-guidelines#comments</comments>
 <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/botnet-detection">Botnet Detection</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <pubDate>Thu, 20 Aug 2009 22:40:39 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">4053 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>Malware Outlook: Stormy</title>
    <link>http://www.messagingnews.com/story/malware-outlook-stormy</link>
    <description>&lt;p&gt;Last fall saw the takedown of Atrivo/Intercage and McColo Hosting Solutions, two known hosts of botnets. Botnets are the most pervasive method being used today for sending spam campaigns. According to the whitepaper &lt;em&gt;FireEye: Taking the Botnet Threat Seriously,&lt;/em&gt; “A botnet is comprised of a collection of machines that have been infiltrated by functionality that can be automated and controlled remotely by an&amp;nbsp;attacker.&lt;/p&gt;
&lt;p&gt;The attack traces its roots to automated Internet Relay Chat (IRC) agents known as &lt;em&gt;bots &lt;/em&gt;(short for &lt;em&gt;robots&lt;/em&gt;), easily available and easily deployed, and originally intended to extend and automate the management of IRC networks. The remote control capabilities of bots enable them to be leveraged in a coordinated manner to unleash attacks against networks, as well as targeted, stealthy attacks on specific servers via agents managed remotely from a command-and-control (C&amp;amp;C) center operated by one or more attackers (hence &lt;em&gt;botnet&lt;/em&gt;).” Because a typical spam campaign includes millions of email messages, botnets are employed instead of conventional email servers. According to FireEye, 11 percent of the world’s computers are enmeshed in at least one&amp;nbsp;botnet.&lt;/p&gt;
&lt;p&gt;When McColo Hosting Solutions was disconnected in November, spam levels dropped significantly. &lt;em&gt;Spamcop.net&lt;/em&gt;, a spam watch-dog group, noted a decline from about 40 spam emails per second to around 10 per second. Trend Micro speculated that McColo was accountable for anywhere from 50 to 75 percent of all spam activity “on the planet”. As predicted by industry experts, however, it has been a short-lived victory; spam has returned to pre-takedown levels. “STORM is definitely still out there,” says Jamz Yaneza, threat research manager at Trend Micro, Inc. “It has been broken down in chunks. The disbandment wasn’t in my opinion the result of pressure on it but mainly because it is an old botnet. Now we are seeing the rise of a new type of botnet.” Yaneza comments that the techniques used in STORM (for example Fast-Flux and Double-Flux) have not gone away. “They have been borrowed by different kinds of botnets and the backend networks have been sold in the underground piece by piece,” he explains. “There is a whole criminal underground here. The bad guys even have incorporated tech support in terms of their botnets, and their phish kits. That surprised me and it’s also really scary. They have a whole software&amp;nbsp;lifecycle.”&lt;/p&gt;
&lt;p&gt;While McColo was located in San Jose, Calif. and offered “IT services for any customer, starting from individuals to large companies and corporations” and boasted of using “only certified equipment providers, such as Cisco, IBM, Intel, and Supermicro” the company did not have a good reputation. “Webmasters have been complaining of abuse from McColo sites for years,” says Phillip Lin, director of marketing for FireEye, Inc. “McColo-hosted sites were caught harvesting email addresses from Web sites (to use in spam campaigns). McColo has been linked to Digital Infinity out of Russia.” Unfortunately, persistence and innovation are hallmarks of these messaging ne’er-do-wells. “Reports are that McColo recently changed business names again to ‘World of Hi-Tech Investments LLC’ out of Delaware,” reports&amp;nbsp;Lin.&lt;/p&gt;
&lt;p&gt;According to a Messaging Anti-Abuse Working Group (MAAWG) report issued last month, “The percentage of email identified as abusive has oscillated over the last year between 89 percent and 92 percent.” If spam volumes have rebounded, can the McColo take down be considered a success? “I assume that some in U.S. law enforcement were a bit unhappy with the fact that the &lt;em&gt;Washington Post&lt;/em&gt; broke the story, because they had wanted to take a slower watch and learn approach,” says Greg Shapiro, VP and chief technology officer for Sendmail, Inc. “Now others know that this is a possibility, and as a result will now spread out, and try to hide more. Former McColo clients are already taking steps to prevent themselves from being detected and centralized in a single IP like that again. So it was good, but in the long-term it may hurt us. We just have to wait and&amp;nbsp;see.”&lt;/p&gt;
&lt;p&gt;Lin believes that removing McColo from the Internet should be seen in perspective as the first of many milestones to come that will be necessary to protect the Internet and its users. “Cutting McColo off has shown the world that it is possible (and productive) to fight back against Internet ‘bad actors’, those egregious entities that exist on the Internet only to facilitate cyber crime,” says Lin. “Also, FireEye’s subsequent take down of the massive Srizbi botnet proved that disabling botnets is possible given the right technology and coordination among the Internet’s governing and operating&amp;nbsp;bodies.”&lt;/p&gt;

&lt;h3&gt;Conficker&lt;/h3&gt;

&lt;p&gt;But even as the above take downs were initiated, another worm was spreading through the Internet. The latest variant of this worm, Conficker C, was noticed early last month, and was the subject of much speculation and sensational headlines. The widespread infection of the worm, which targets Microsoft Windows systems through thumb drives, network shares, or directly across the network, caused a media frenzy with the announced discovery of a possible April 1 payload. With many headlines referencing April Fool’s Day and world-coming-to-an-end prophesying, newspapers across the globe prepared PC users for the worst. With the date come and gone, does it mean that we are in the clear? “It’s just as likely that Conficker will receive instructions to do something on April 2nd, or April 14th as it will on April 1st,” wrote Graham Cluley, senior technology consultant for Sophos, Inc. in March. “The emphasis by some media outlets on April 1st is really unfortunate. In fact, in my own experience, it has been some of the newspapers and media organizations who have been guilty of dreaming up apocalyptic headlines and the security vendors who have been pouring the cold&amp;nbsp;water.”&lt;/p&gt;

&lt;p&gt;Because Conficker exploits several weaknesses in Microsoft’s Windows operating system, Microsoft has offered a $250,000 USD reward for information leading to the arrest of those responsible. The actual number of infected systems seems to be in debate as published numbers range from at least 3 million to up to 12 million or more. The number is hard to determine, partly because many machines have been disinfected. Many messaging security vendors offered free tools to verify the presence of a Conficker infection and its removal. Lin acknowledges that part of the success in the managing of Conficker is due to the industry’s earlier efforts, “FireEye’s success in taking down McColo and Srizbi (coupled with the subsequent media coverage) jumpstarted a movement among Internet groups to put processes in place to quickly deal with massive cyber crime and malware outbreaks,” he says. “The recent anti-Conficker actions taken by gTLD and ccTLD registrars is one of the great outcomes from the McColo and Srizbi botnet&amp;nbsp;takedown.”&lt;/p&gt;

&lt;h3&gt;Botnets&amp;nbsp;Profitable&lt;/h3&gt;

&lt;p&gt;The real driver behind botnets and malware is profit. “Most of the malware being released these days are to help spammers get their products sold,” observes Shapiro. “The model in the spamming world is either through selling your own wares or through a partnership where you get some type of royalty or fixed percentage of the sales through another seller.” Shapiro goes on to talk of a paper titled &lt;em&gt;&lt;a href=&quot;http://www.cs.ucsd.edu/~savage/papers/CCS08Conversion.pdf&quot;&gt;Spamalytics: An Empirical Analysis of Spam Marketing Conversion&lt;/a&gt;&lt;/em&gt; by Enright, Kanich, Kreibich, Levchenko, Paxson, Savage and Voelker that explored the “conversion rate” of spam—the probability that an unsolicited email will ultimately elicit a “sale”. Write the authors, “This underlies the entire spam value proposition. In this paper we present a methodology for measuring the conversion rate of spam. Using a parasitic infiltration of an existing botnet’s infrastructure, we analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing online pharmaceuticals. For nearly a half billion spam emails we identify the number that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of ‘sales’ and ‘infections’ produced.” Says Shapiro, “They took over one of the command and control nodes and actually replaced the messages that went out in spam and placed a URL in them so they would point to their own servers for a customer to purchase, and judge the response. This way they knew how many messages got sent and how many came back to the Web site.” He goes on to say how the authors went as far as to clone the Web site so they could get right down to the store to see how many people clicked the buy button. (The authors note that they did not collect any credit card information.)
“The results were quite astounding,” continues Shapiro. “For a 26-day period they got 28 purchasers. The average purchase price was $100 ($2,731.88 in total) (USD). While this doesn’t sound profitable since product and spamming costs need to be accounted for, their study only measured 1.5 percent of the worker bots used by STORM. An estimate of the daily sales would likely be closer to $7000 (USD) or higher as new bots were created by the ‘postcard’ infections. Extrapolated out, that would be about $3.5 million (USD) per year in sales, of which the affiliate could make 10 percent or more. This proves out that spam continues to increase because it is a financially beneficial operation. With numbers like that, why would spammers ever&amp;nbsp;stop?”&lt;/p&gt;

&lt;p&gt;This explains why most malware is about trying to get control of computers. “We are only in the early stages of uncovering the true extent of cyber crime and stealth malware infiltrations,” believes Lin. “The botnet problem is really one manifestation of the ‘stealth malware’ pandemic. Most malware typically features two-way communications that are used to build botnets.” Lin says that today’s stealth malware is so sophisticated that it&amp;nbsp;can:&lt;/p&gt;
      
&lt;ul&gt;
&lt;li&gt;bypass traditional security like anti-virus and&amp;nbsp;anti-spam&lt;/li&gt;
&lt;li&gt;download subsequent malware payloads after the initial&amp;nbsp;infection&lt;/li&gt;
&lt;li&gt;remain invisible in the file system and hide from task manager process&amp;nbsp;list&lt;/li&gt;
&lt;li&gt;reinstall itself if components are&amp;nbsp;removed&lt;/li&gt;
&lt;li&gt;disable security updates and cripple endpoint&amp;nbsp;security&lt;/li&gt;
&lt;li&gt;apply the latest security patches to prevent other malware from infecting the&amp;nbsp;PC&lt;/li&gt;
&lt;/ul&gt;
    
&lt;p&gt;“Progress has certainly been made in detecting stealth malware and shutting down botnets, but on the horizon looms an escalation of cyber crime tactics as more sophisticated stealth malware is created and schemes executed to maintain the profits that cyber criminals enjoy today,” he says. “Take the recent example of McColo and Srizbi. From the ashes of the Srizbi botnet has come Xarvester, Rustock, Grum, Cimbot, and numerous other botnets picking up where Srizbi left off, at least in terms of spam&amp;nbsp;distribution.”&lt;/p&gt;

&lt;h3&gt;Is It&amp;nbsp;Dangerous?&lt;/h3&gt;

&lt;p&gt;With all the excitement that Conficker conjecture generated, were we actually in danger? Is spam dangerous or just highly annoying and expensive to combat? “It is more than an annoyance, but I would not call it a danger,” responds Shapiro. “No one is losing their lives from spam. No CEO is being called in front of congress and getting their name on the front page because of spam. Usually that is another problem, like data leakage or other exposure. Spam is more than an annoyance, but only so far as taking up people’s time and taking up budgets for handling the spam problem. There is some financial loss for people who may fall prey to a phishing scam. Worst case in spam someone buys a $100 (USD) product and it doesn’t do what it is supposed to&amp;nbsp;do.”&lt;/p&gt;

&lt;p&gt;What does an organization that is constantly battling spam think? Jonathan McCormack, chief operating officer of Intermedia.NET, a provider of enterprise-strength hosted Microsoft Exchange to small and mid-sized businesses (SMBs), rates spam in the annoyance category. “Most spam is a solicitation, not an active attack, and thus causes more damage in lost productivity than anything else.” However, he does add that this does not mean that there is nothing to really worry about. “I have a healthy paranoia. These people are extremely intelligent, well-organized, and very motivated.” He does classify phishing as a danger. “This tactic is very effective in getting users to release sensitive corporate&amp;nbsp;data.”&lt;/p&gt;

&lt;p&gt;There is another clear danger: ransomware. “Ransomware is one of several techniques used by cyber criminals to monetize infected PC’s. It can be quite successful, and is typically used in the last stages of the malware infection lifecycle,” discloses Lin. “Cyber criminals initially focus their monetizing efforts on under-the-radar data thefts (as in customer/patient identity theft, compromising credentials for deeper network access, credit cards, etc.) Their goal is to get in and get out data unnoticed. As the monetization continues, cyber criminals begin to use the malware infections in more conspicuous ways, such as forming a botnet to deliver spam and perpetrate DDoS (distributed denial of service) attacks. For consumers infected with malware, one late stage activity is to encrypt and lock users out of their own files, and forcing them to pay ransom to get access back into their files. This is one of the last schemes used by cyber criminals since the user now knows something is wrong with the PC and will try to remove the malware&amp;nbsp;infection.”&lt;/p&gt;

&lt;p&gt;Some industry insiders are not too concerned about ransomware. “Ransomware is a blip on the radar, and it is not as successful at monetizing endpoints as other malware classes,” states Adam O’Donnell, director of emerging technologies at Cloudmark. “Attackers try it from time to time to see if they will be successful, but frankly, if it were successful, we would be hearing far more anecdotes on ransomware events from our friends and family than we&amp;nbsp;do.”&lt;/p&gt;

&lt;p&gt;Others like Lin are taking a more cautious approach, “A current example is the Vundo FileFix Pro ransomware. The FireEye research team recently uncovered a scheme by the Vundo (Trojan malware) where it morphed its scareware tactics to include ransomware. Beyond tricking users into downloading a fake anti-virus program, Vundo now encrypts victim’s files essentially denying access to the files unless the victim pays a fee for a program called FileFix Professional, which decrypts the files.” Lin explains that Vundo’s new ransomware functionality locks the user out of every important file in their “My Documents” folder ranging from Microsoft Office to Adobe PDF files until the victim agrees to pay a $60 (USD) ransom&amp;nbsp;demand.&lt;/p&gt;

&lt;h3&gt;Social&amp;nbsp;Networks&lt;/h3&gt;

&lt;p&gt;Another malware trend that warrants monitoring is social networks. Yaneza is concerned with the threats he is seeing. “There have been lots of articles about how good social networking can be as a collaborative tool, which is great. But social networks also give users a false sense of trust. Simply because you know the profile you see online, does not actually translate to that being the actual person you are talking to in the real world. For all you know you could be talking to your&amp;nbsp;dog.”&lt;/p&gt;

&lt;p&gt;Profiles are easily forged. For instance, on MySpace, fake profiles consist of a spammer-created account that contains links to spam or malware inside the ‘bio/about me’ section of the profile. “The spammer then sends a large number of friend requests to people who in turn look at the profile to see if they should accept the friend request,” explains O’Donnell. “It is at this point that users are exposed to spam.” Cloudmark recently announced that it is working with MySpace to protect users against spam, malware, viruses and phishing attacks. The company says it is the only commercially available solution to combat all categories of social networking abuse, noting that MySpace has implemented several solutions, including Cloudmark Authority, to protect its 130 million active users. According to Cloudmark, MySpace has seen an overall 73 percent reduction in spam,&amp;nbsp;including:&lt;/p&gt;
      
&lt;ul&gt;
&lt;li&gt;82 percent reduction in bulletin spam, spread on bulletin board&amp;nbsp;posts &lt;/li&gt;
&lt;li&gt;99.5 percent reduction in comment spam, spread in the comment section of another user’s&amp;nbsp;profile &lt;/li&gt;
&lt;li&gt;85 percent reduction in mail spam, spread via private buddy-to-buddy&amp;nbsp;messages &lt;/li&gt;
&lt;li&gt;49 percent reduction in profile spam, spread by creating fake profiles to support fraudulent&amp;nbsp;activities&lt;/li&gt;
&lt;/ul&gt;
    
&lt;p&gt;O’Donnell is not surprised by the attention that social network sites have received from spammers. “Social engineering-driven malware has been a part of the email security threat space for years,” he notes. “Anti-spam and anti-virus filters have pushed down so hard on the problem on the email side that the bad guys are using social networks as the latest channel to push their malware.” O’Donnell also points out how the youngest generation of computer users use social networks as an integrated messaging platform, essentially replacing their need for email. “It only makes sense that the malware writers will target this demographic by pushing their content over social networks.” When asked if over time he anticipates MySpace abusers to change their tactic, O’Donnell says, “I fully expect us to engage in a cat and mouse game with the social networking spammers, with one caveat: if the profit margins for the spammers are small enough, we may be able to wipe them off of MySpace completely with the exception of newcomers experimenting with new spam&amp;nbsp;venues.”&lt;/p&gt;

&lt;h3&gt;Protection&amp;nbsp;Policies&lt;/h3&gt;

&lt;p&gt;Of all the threats, McCormack feels that phishing is the hardest to defend. “There is no substitute for end-user training. If you do not know who a message is from, do not open it. It is important that organizations have an acceptable use policy and conduct end-user training.” He also adds that this is not just a consumer issue. Business email and personal email get intermixed as people commonly use their business email for personal&amp;nbsp;use.&lt;/p&gt;

&lt;p&gt;Shapiro agrees, but has seen an increase in the number of organizations that forbid the use of business email for personal use. “The problem is now people often maintain a separate personal email address, especially with the free providers. The danger is that a lot of people during the course of their work will say, ‘I have to work on this project tonight’ and will send a document to their Yahoo! account to get it home. This means it does not have to go through VPN or any other solution, therefore exposing all the company confidential information to an outside service, probably traveling in the clear. There are a lot of exposures that way. Dual identities are important, and corporations are cracking down on what is happening on their network. Some are banning the use of Facebook during the day, so people are separating out their lives and I am a big proponent of that, but corporations do have to worry about what leaks through personal&amp;nbsp;accounts.”&lt;/p&gt;

&lt;p&gt;For Yaneza it comes down to policies. “There has been a lot of talk that says ‘user education is a lost cause, let’s put everything on technology.’ But, we have seen people try to put technology in everything, but it is not working. Social engineering is not solvable by technology alone, it has to come through educating users of the risks of particular online actions. So aside from creating policies for your enterprise, SMB and companies in general, what is required is for everyone to be on the same&amp;nbsp;page.” &lt;/p&gt;

&lt;p&gt;It takes a multi-layered approach to stay protected, from the gateway all the way to the desktop. “Besides our protection,” says McCormack, “we tell all companies to run locally on their desktop some sort of anti-virus software protection so that if something does get through, hopefully it can get isolated right away by an end-user. It’s the age-old security in depth. Anything you put in place, they will find a way to get through that hole, but if you put multiple things in place, you put up more&amp;nbsp;blocks.”&lt;/p&gt;

&lt;p&gt;While Conficker was a Windows-only concern, Yaneza warns that there has been an increase in attacks directed at Apple Mac and Linux systems. “The bad guys have not lost a beat,” he cautions. “We have seen versions of Windows-specific malware coming into versions of the Mac. Users of all platforms need to be aware. That smugness they had, it is not true anymore and hasn’t been true for the last&amp;nbsp;year.”&lt;/p&gt;

&lt;p&gt;With botnet creators wanting to evade further detection of their networks by going even deeper underground, it will take increasing efforts to be rid of them. “Beyond the technological sophistication, effectively taking down massive botnets will require the worldwide cooperation of Internet organizations (like those gTLD and ccTLD registrars), law enforcement, and other public/private entities that form/support the Internet,” concedes Lin. “As far as what lies on the horizon, the more the Internet community looks into botnets and its uses, the more that is uncovered about the extent and variety of cyber criminal activities ranging from spam/DDoS to scareware/ransomware to cyber terrorism/cyber warfare. Cyber criminals will get more aggressive despite the law enforcement and security community response primarily because there are now billions of dollars at stake. Monetizing stealth malware pays. It is easy to do and relatively&amp;nbsp;under-policed.”&lt;/p&gt;

&lt;p&gt;Indeed it does not look like those spam clouds are going away anytime soon. “As long as email is as easy and convenient to use as it is today, I do not think spammers will change their ways,” says Shapiro. “If we get to the point where email changes dramatically—like e-postage, which I do not see happening, or some other mechanism that it costs them something more than the pennies they pay today—they will not change their ways as far as messaging goes. They will continue, as well as take advantage of new messaging avenues, like social networking, SMS or&amp;nbsp;IM.”&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <category domain="http://www.messagingnews.com/tag/tags/mccolo">McColo</category>
 <category domain="http://www.messagingnews.com/tag/tags/trend-micro">Trend Micro</category>
 <pubDate>Wed, 01 Apr 2009 05:00:00 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">154 at http://www.messagingnews.com</guid>
  </item>
  <item>
    <title>Messaging Anti-Abuse Working Group General Meeting in January</title>
    <link>http://www.messagingnews.com/onmessage/ben-gross/messaging-anti-abuse-working-group-general-meeting-january</link>
    <description>&lt;p&gt;The 9th General Meeting of the Messaging Anti-Abuse Working Group (&lt;a href=&quot;http://www.maawg.org/&quot;&gt;MAAWG&lt;/a&gt;) will be held in San Francisco, California from January 29 through January 31, 2007. January 29 sessions are reserved for MAAWG members. Meeting registration will close on January 25, 2007, at 5:00 PM&amp;nbsp;PST.&lt;/p&gt;
&lt;p&gt;Sessions and panels&amp;nbsp;include:
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Keynote by Howard A.&amp;nbsp;Schmidt&lt;/li&gt;
&lt;li&gt;Increases in Spam: What&amp;#8217;s Really Going On? Real World Metrics and Latest&amp;nbsp;Trends&lt;/li&gt;
&lt;li&gt;Law Enforcement Collaboration and&amp;nbsp;Training &lt;/li&gt;
&lt;li&gt;Believe in the User: Your Users Can Help Catch&amp;nbsp;Spam&lt;/li&gt;
&lt;li&gt;Reputation is Everything; Everything is Reputation: Making Identity Validation&amp;nbsp;Useful&lt;/li&gt;
&lt;li&gt;Think Globally, Act Collaboratively: Important Anti-Abuse&amp;nbsp;Organizations&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&amp;#8220;The Messaging Anti-Abuse Working Group is a global organization focusing on preserving electronic messaging from online exploits and abuse with the goal of enhancing user trust and confidence, while ensuring the deliverability of legitimate messages. With a broad base of Internet Service Providers (ISPs) and network operators representing over 600 million mailboxes, key technology providers and senders, MAAWG works to address messaging abuse by focusing on technology, industry collaboration and public policy&amp;nbsp;initiatives&amp;#8221;&lt;/p&gt;
&lt;p&gt;&amp;#8220;The purpose of MAAWG is to bring the messaging industry together to work collaboratively and successfully address forms of messaging abuse such as messaging spam, virus attacks, denial-of-service attacks, and other forms of abuse. To accomplish this, MAAWG is developing initiatives in the three areas needed to resolve the messaging abuse problem: Collaboration, Technology, and Public&amp;nbsp;Policy.&amp;#8221;&lt;/p&gt;</description>
     <comments>http://www.messagingnews.com/onmessage/ben-gross/messaging-anti-abuse-working-group-general-meeting-january#comments</comments>
 <category domain="http://www.messagingnews.com/category/authors/ben-gross">Ben Gross</category>
 <category domain="http://www.messagingnews.com/category/wordpress-category/events">Events</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <pubDate>Mon, 08 Jan 2007 06:27:51 +0000</pubDate>
 <dc:creator>Ben Gross</dc:creator>
 <guid isPermaLink="false">493 at http://www.messagingnews.com</guid>
  </item>
  </channel>
</rss>

