Brian Krebs wins the Mary Litynski award

A little late, but I’ve been in sessions most of today. M3AAWG announced this morning that Brian Krebs won the 2014 Mary Litynski award. This award is given to people who work tirelessly to make the internet a better place.
I first had the pleasure of listening to Brian give the keynote address at a MAAWG conference many years ago. His ability to infiltrate some major spam operations and online forums for criminals is amazing. He’s also had retaliation attempts, including being SWATed and having heroin delivered to his house.
If you get a chance to hear Brian speak, I strongly encourage you to do so. His knowledge is outstanding and his speaking style is entertaining. I’ve learned a lot from Brian over the years and I’m pleased he won this award and that M3AAWG recognized his contribution to stopping abuse online.
M3AAWG press release

Related Posts

Target acquires email addresses, exposing more customers to data breaches

As most folks now know hackers broke into Target systems last December and stole financial and other data from 110 million customers. Target has been responding to this breach reasonably well. They’ve been notifying customers that were affected and they’re providing credit monitoring for affected individuals. They seem to be totally on top of protecting their customer’s data and privacy.
Mostly.
They seem to be purchasing or otherwise acquiring email addresses from at least one major retailer in order to send out notifications about the breach to customers that never gave them email addresses. Yes, even those of us who chose not to give Target email addresses are receiving email from them.
I understand Target’s drive to contact affected users. I even appreciate that. What I don’t appreciate is that Target appears to be compromising my security in order to notify me my security was compromised. The data of mine that was compromised at Target would be credit card and possibly address information. My email address was not part of the compromise. So what does Target do? They go and acquire my email address from a third party.
Their solution to the compromise is collecting more data that is vulnerable to compromise from unrelated third parties? I’m not sure this is the most consumer friendly thing Target could do. In my case, Target sent mail to an address I’ve only given to Amazon. That means I now need to worry about my Amazon account security, on top of everything else.
Ironically, the email sent by Target tells me that I can click a link and get free credit monitoring. Then the email goes on to tell me the following:

  • Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
  • Delete texts immediately from numbers or names you don’t recognize.
  • Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

Don’t click links within emails I don’t recognize? You mean like the one you just sent me? With a link to a credit monitoring website?
I appreciate the notice. I don’t appreciate is that Target went out of their way to collect more information about me than I actually gave them. I am now worried about Amazon’s security as well. How did Target get an address only provided to Amazon? I don’t appreciate that my efforts to keep my information secure (not providing email address to Target) was undermined by Target themselves.
The full text of the email, with the relevant headers (munged slightly for privacy) is under the cut, if anyone is interested.

Read More

Questioning standards

M3AAWG publishes documents summarizing and discussing current practices for stopping and preventing abuse. Some of these documents are focused on ISPs while others are focused on marketers. While M3AAWG is not directly nor officially a standards body, most of the documents have been written by members and reflect the best current practices for that document.
Members have been asked to leave the organization and some companies are denied membership because they are not in line with the organizational values. Some of these companies are ESPs or marketers, but some of these companies have been ISPs as well.
The standards written by M3AAWG are challenging for a lot of marketers to follow. These standards are written with the input of senders, but they all comply with the M3AAWG mission of stopping messaging abuse. Many ISPs believe that unsolicited email is abuse, thus M3AAWG standards say that all mail needs to be sent to recipients who request that mail. Purchasing lists, selling lists, and appending email addresses are all unacceptable activities for M3AAWG members.
I never really had much concern about the effectiveness of the M3AAWG process. Most of the big industry players are there and many of the ISPs have an aggressive anti-abuse attitude.
But last week I saw a blog post on a fairly major industry blog that listed a bunch of (made up, tasteless and sexist) things “overheard” at the recent M3AAWG conference (it’s been removed and I wouldn’t link to it anyway). The blog post made it look like no real work gets done at M3AAWG and that the attendees don’t work at the conference. I won’t claim that it’s a staid and quiet conference, but most attendees work very hard during the day.
The next day, the author tweeted:

Read More

Can I join…

On a post from earlier this week, John asks about joining the blocklist doc I mentioned. This is actually a document coming out of M3AAWG and you must be a member of M3AAWG to participate. If you are a member, you can log into the website and join the working group.
This document will be made available to the public once the membership and the board approves it.

Read More