2018 JD Falk Award … a mailing list

It’s M3AAWG time. Even though we’re not there, I’m getting regular updates from friends and colleagues who are there. Yesterday was the presentation of the 2018 JD Falk award. The award recognises “a particularly meritorious project undertaken by a dedicated individual or group reflecting the spirit of volunteerism and community building.” In this case, the award went to a group of people on the “BEC mailing list.”

BEC stands for Business Email Compromise (I had to look it up, now you don’t have to). According to M3AAWG:

The Business Email Compromise List deals with a broad assortment of criminal activity and deceptive emails, often described as “Nigerian” schemes, that use phishing and fake social media activities to attract victims. By sharing information and expertise, they have blocked spoofed emails and malware; tracked real estate, romance, IRS, W2 and lottery schemes; and identified the money “mules” used to transfer illicit funds. BEC fraud accounts for more than $12 billion in losses globally and threatens users in 150 countries, according to the FBI’s IC3 (Internet Crime Complaint Center).

Congratulations to all the participants who work tirelessly to make the internet safer for businesses and consumers.

The group does have a video describing some of what they do.

I’m sure almost every field has these types of small, private, invite only lists that allow diverse groups of experts to collaborate and share information in a (mostly) secure environment. In many cases, this is good. Groups of smart, concerned people step up and collaborate to catch criminals and prevent bad behaviour. They do so because it’s the right thing to do. They’re not looking for praise or public adulation. Participation is often simply because this thing is a problem and they have the knowledge and ability to help solve the problem.

Related Posts

October 2016: The Month in Email

We’ve returned from London, where I spoke at the Email Innovations Summit and enjoyed a bit of vacation. My wrap-up post also mentions an article I wrote for the Only Influencers site, which looks at questions I get asked frequently: “Why does spam make it to the inbox and our legitimate marketing email doesn’t? Should we just copy their tactics?”
In industry news, Yahoo caught our attention for two surprising moves: disabling forwarding and — much more disturbing — creating software for intelligence agencies to search customer email.
Some legal updates this month: The Second Court of Appeals upheld an earlier ruling that companies are in fact liable for the activities of their affiliates, including spam and fraudulent claims. This is important, as we often see spammers and cybercriminals use affiliates to distance themselves from these activities. We also saw another fine assessed for a violation of CASL, and noted with appreciation the transparency and thoughtful process that the Canadian Radio-television and Telecommunications Commission (CRTC) demonstrates in explaining their actions.
Another excellent report is the one created by the Exploratorium to explain their recent experience with being phished. It’s a good piece to share with your organization, in that it reminds us that these cybercriminals are exploiting not just our technology but our trust-based connections to our friends and colleagues. It’s important to raise awareness about social engineering as a part of information security. And speaking of email security, we were delighted to note that André Leduc received the 2016 J.D. Falk award this month at M3AAWG for his excellent work on this topic. It’s a fitting legacy to our friend, J.D., who died five years ago this month. We miss him.
Finally, we’d be remiss in observing Halloween without a post about zombies. Feel free to read it aloud in your spookiest voice.


M3AAWG in Philly This Week

Today marks the training day for M3AAWG 37 in Philly. With all the traveling and speaking I’ve been doing lately we’re not going to be there. So no tweeting from me about the conference.
We’ve been attending various M3AAWG meetings since way early on – 2004? 2005? in San Diego. The organization has grown and matured and really come a long way since the early days. One of the challenges of M3AAWG is that it is a true working group. This isn’t like the various conferences I’ve been attending recently. I think there are two things that make M3AAWG different from other conferences.
One of the most obvious things is the lack of a vendor floor. Sure, there are vendors and sponsors but vendors don’t bring in displays and have sales people stand around them to talk to folks. The conference does have demos and negotiations and meetings, but done differently than other events.
The other difference I’ve noticed is that M3AAWG is much more about participation. As the name says, this is a working group. Everyone is encouraged to get involved in things they’re interested in or that they think they can contribute to. Other conferences are a lot more about information being shared by speakers and panels. But during M3AAWG conferences, there are 2 mornings devoted to round tables.
The round tables are a true community effort, and probably deserve some discussion for people who’ve never been to the conference. Before the conference, members of the community submit ideas for things they think M3AAWG should discuss. These suggestions are reviewed by the board and leadership and ones that fall within M3AAWG’s purview are taken to the conference.
The first day of roundtables each topic is discussed in small groups. Volunteers facilitate a 20 – 30 minute discussion on the topic at hand with attendees. After time is called, attendees go to another topic and discuss that one. Part of what is discussed is not just the issue (say, how to get off a blacklist) but also what the final work product looks like. Is this a document for M3AAWG members? A panel at a future conference? A public document?
The second day is refinement of the roundtable topics and commitment from people to move the project forward. The champion is the person who is project managing this. Other roles depend on the work product. For presentations or panels, there is one set of roles. For documents there are roles as writers, editors and contributors.
M3AAWG has written and produced some useful resources and information over the years. Many of those resources are public, like best practice documents and metric reports. Other docs and reports are specifically for members.
The working group part of M3AAWG is one of its real strengths. Experts on all sides of the business of email get together to keep email useable and workable. Early on there were a few barriers and some suspicion about various participant groups. But, as the industry has grown, things have changed. Many folks have moved from ISPs to ESPs and back. There’s also a bigger place for companies that provide services to ESPs and ISPs, like us here at Word to the Wise. We’ve built bridges and technology and have been a positive force on the world.


Policy is hard

We’re back at work after a trip to M3AAWG. This conference was a little different for me than previous ones. I spent a lot of time just talking with people – about email, about abuse, about the industry, about the ecosystem. Sometimes when you’re in a position like mine, you get focused way too much on the trees.

Of course, it’s the focusing on the trees that makes me good for my clients. I follow what’s going on closely, so they don’t have to. I pay attention so I can distill things into useable chunks for them to implement. Sometimes, though, I need to remember to look around and appreciate the forest. That’s what I got to do last week. I got to talk with so many great people. I got to hear what they think about email. The different perspectives are invaluable. They serve to deepen my understanding of delivery, email and where the industry is going.

One of the things that really came into focus for me is how critical protecting messaging infrastructure is. I haven’t spoken very much here about the election and the consequences and the changes and challenges we’re facing. That doesn’t mean I’m not worried about them or I don’t have some significant reservations about the new administration. It just means I don’t know how to articulate it or even if there is a solution.
The conference gave me hope. Because there are people at a lot of places who are in a place to protect users and protect privacy and protect individuals. Many of those folks were at the conference. The collaboration is still there. The concern for how we can stop or minimize bad behavior and what the implications are. Some of the most difficult conversations around policy involve the question of who this will affect. In big systems, simple policies that seem like a no-brainer… aren’t. We’re seeing the effects of this with some of the realities the new administration and the Republican leaders of Congress are realizing. Health care is hard, and complex. Banning an entire religion may not be a great idea. Governing is not like running a business.
Talking with smart people, especially with smart people who disagree with me, is one of the things that lets me see the forest. And I am so grateful for the time I spend with them.
