M3AAWG actively seeks to provide the necessary technical and strategic guidance to protect end-users’ online experience as government, Internet and public policy agencies worldwide develop new Internet policies and legislation. Working to reduce the spread of spam, bots and malware, M3AAWG has submitted comments on these proposals:
The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) has submitted comments in response to the National Institute on Standards and Technology (NIST) Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework (CSF Concept Paper), released on January 19, 2023. As discussed in the Comments, M3AAWG generally supports the proposals outlined in the CSF Concept Paper. However, M3AAWG urges NIST to consider the impact of proposals that could potentially dilute the usefulness of a framework originally developed to focus on critical infrastructure cybersecurity risks and needs.
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) supports the U.S. Federal Trade Commission’s (FTC) proposed rulemaking as part of its current mission in protecting the public from deceptive or unfair business practices to include a critical role in protecting consumers from ongoing and increasing impersonation schemes targeting businesses and governments alike. M3AAWG suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation. M3AAWG notes that the investigation of impersonation schemes requires cooperation and information from many entities. Specifically, WHOIS information is vital to the investigation of impersonation scams. The Comment identifies best practices to tackle impersonation scams, including the validation of commercial senders, DNS mitigation steps, and adoption of trusted notifier relationships to facilitate abuse reporting.
M3AAWG states that while spoofing is common in U.S. voice communications, originating number spoofing is extremely rare in U.S. text messaging, and the originating service provider is also almost always well known. This is due to voluntary industry agreements and operational checks currently in place in the U.S. These voluntary agreements and checks are effective - they ban and block the delivery of messages from not only spoofed but also invalid, unassigned, and unallocated phone numbers. M3AWWG's comments explain how the industry's current anti-spoofing safeguards work and state that they are effective.
It is in the public interest for anti-abuse actors to be able to contact, and obtain information about, the registrant of a public resource such as a domain name, in order to address cybercrime, hacking, botnets, phishing, and other abuse. For bona fide actors with a legitimate interest, access to WHOIS must be effective, functional, timely, and efficient to ensure appropriate cybercrime and abuse response. Thus, we would like to voice our agreement with the recommendations made in SAC118, as released by SSAC on July 15th 2021.
As a followup to the June 2021 survey report of cyber investigators and anti-abuse service providers on the ongoing impacts of ICANN’s implementation of the EU GDPR, the Temporary Specification for gTLD Registration Data (Temporary Specification, adopted in May 2018), M3AAWG and the Anti-Phishing Working Group (APWG) has released their recommendations for ICANN'S consideration.
