Published Documents
M3AAWG has submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), Request for Comment on Product Security Bad Practices Guidance. M3AAWG generally supports the stated goals of reducing customer risk by prioritizing security throughout the product development process and discouraging the use of bad security practices, particularly where critical infrastructure and national critical functions are potentially impacted. However, the document lacks clarity on its role and purpose in relation to other CISA publications and comments. The draft guidance does not specify who is responsible for taking action, what specific actions are required, and which level of the security management stack this document is meant to address. These elements should be clarified throughout. Merely avoiding bad practices will not be sufficient to meet security standards. Avoiding bad practices must be supplemented with industry-standard security best practices. In addition, since CISA has previously issued advice on many of the areas covered, it would be helpful to clarify the objectives of this new draft guidance, the context for its release, and how it modifies or complements past guidance. For example, if the intent is to reinforce or summarize existing recommendations, this should be stated explicitly. Conversely, if the document introduces new recommendations or updates, those changes should be clearly highlighted.
M3AAWG has submitted comments to the Department of Homeland Security's (DHS) Proposed Rulemaking on “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements”. M3AAWG recognizes the key role effective cyber incident reporting can have in addressing the impacts of cybersecurity incidents and combating online abuse. Cyber incident reporting can minimize consequences to victims, capture lessons learned, and improve cybersecurity nationwide, thereby increasing the likelihood that perpetrators will be held accountable. However, overly broad cyber incident reporting rules often do not, on balance, yield benefits commensurate with the significant costs those rules impose on both reporting entities and the government.
We generally support CISA’s efforts to craft a proposed rule that seeks to achieve the intended goals of the CIRCIA mandates. However, M3AAWG urges CISA to consider the following suggestions to clarify or modify its proposed rule, as detailed below. We note that our comments today are focused on certain critical areas of concern to our members and do not represent a comprehensive discussion of all issues covered in the expansive CIRCIA NPRM.
M3AAWG has submitted Comments on the NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. With the growing importance of AI in society and the challenges of AI-related security and abuse issues, appropriate management of AI risk is becoming ever more pertinent, which is why M3AAWG welcomes the opportunity to submit comments.
Comments Submission Date: May 29, 2024
M3AAWG has submitted Comments on the NIST AI 100-4, Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency. Synthetic content is already a concern in areas such as profit-oriented cybercrime, fake news, and election interference. It therefore represents a risk to national security as a whole. M3AAWG welcomes the opportunity to comment on the current version of NIST AI 100-4 from our perspective as security and anti-abuse specialists.
Comments Submission Date: May 29, 2024
M3AAWG has submitted Comments on the NIST SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models. The increasing importance of secure development of software and AI systems carries specific risks associated with the abuse of AI systems and AI tools used in software development. As a group of anti-abuse specialists, M3AAWG thus welcomed the opportunity to comment on the current version of NIST SP 800-218A.
Comments Submission Date: May 29, 2024
M3AAWG has submitted Comments on the transposition of the Revised Directive on Security of Network and Information Systems (NIS2) into EU national law.
Countries Submitted: Sweden, Netherlands
The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) made recommendations to the Office of the National Cyber Director (ONCD) regarding the security of open-source software (OSS) in comments submitted to that office on Oct. 3rd, 2023 in response to the Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization.
Comments Submitted: October 3, 2023
M3AAWG recognizes that the scope of the powers described in the proposals is limited to situations where there has been a serious relevant failure in relation to an internet domain registry or any of its registrars in in-scope country code top-level domains (.uk) and generic top-level domains (gTLDs) (.scot / .wales / .cymru / .london) that are targeting the UK. We generally support the powers in order to protect the public from harm in these limited circumstances. View the document to review the full scope of comments submitted.
Comments Submitted: August 31, 2023
M3AAWG welcomes the Contracted Party House’s consideration of long overdue changes to the Base gTLDs Registry Agreement (RA) and the Registrar Accreditation Agreement (RAA) related to the pertinent issue of DNS Abuse. Comments have been submitted for the Amendments to the Base gTLD RA and RAA to Modify DNS Abuse Contract Obligations. In these Comments, M3AAWG urges that these amendments be part of a coordinated effort to address DNS Abuse now and going forward.
M3AAWG has submitted Comments focused on technical recommendations in response to the UK government's request for Review of the Computer Misuse Act 1990: consultation and response to call for information. These comments provide recommendations supporting efforts to tackle online abuse and cybercrime while respectfully urging the UK government to liaise with key security and anti-abuse groups including M3AAWG and its partner organizations as well as key UK-based and international industry stakeholders.
The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) has submitted comments in response to the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework (CSF Concept Paper), released on January 19, 2023. As discussed in the Comments, M3AAWG generally supports the proposals outlined in the CSF Concept Paper. However, M3AAWG urges NIST to consider the impact of proposals that could potentially dilute the usefulness of a framework originally developed to focus on critical infrastructure cybersecurity risks and needs.
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) supports the U.S. Federal Trade Commission’s (FTC) proposed rulemaking as part of its current mission in protecting the public from deceptive or unfair business practices to include a critical role in protecting consumers from ongoing and increasing impersonation schemes targeting businesses and governments alike. M3AAWG suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation. M3AAWG notes that the investigation of impersonation schemes requires cooperation and information from many entities. Specifically, WHOIS information is vital to the investigation of impersonation scams. The Comment identifies best practices to tackle impersonation scams, including the validation of commercial senders, DNS mitigation steps, and adoption of trusted notifier relationships to facilitate abuse reporting.
The Messaging, Malware, and Mobile Anti Abuse Working Group (M3AAWG) welcomes the opportunity to review the draft report from ICANN’s Security Stability and Resiliency Review Team (Two).
M3AAWG submitted comments to ICANN on April 5, 2019 asking that additional actionable information be included in the DAAR system. The comments are listed on the ICANN correspondence website at https://www.icann.org/resources/pages/correspondence.
A joint survey conducted by the Anti-Phishing Working Group (APWG) and M3AAWG looks at how cyber investigators use WHOIS data and how the European Union’s General Data Protection Regulation (GDPR) has affected their anti-abuse efforts. The letter from M3AAWG and survey are also available on the ICANN site at https://www.icann.org/en/system/files/correspondence/upton-to-marby-et-a...
Submitted jointly by the Anti-Phishing Working Group (APWG), M3AAWG and FIRST, this document describes a short-term method for authorized parties to access non-public WHOIS data via designated IP addresses.
M3AAWG submitted these short comments to ICANN stating that an expert group from the Anti-Abuse community should be created to facilitate the certification of qualified applicants from the security field.
M3AAWG provided comments on the proposed interim Calzone Model for ICANN agreements' compliance with the European Union's GDPR.
M3AAWG provided comments on the ICANN report. The filed comments also are available on the ICANN website at https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en
M3AAWG provided input on the new sections added to the draft ICANN report. The comments can also be found on the ICANN site at http://mm.icann.org/pipermail/comments-cct-recs-27nov17/attachments/20180107/9b99c6d2/M3AAWG-ICANN-CCT-NewSections-2018-01-0001.pdf
M3AAWG submitted these comments in response to the U.S. Federal Trade Commission's request for comments on 16 CFR Part 316 of the CAN-SPAM Rule. The comments can be viewed on the FTC site at https://www.ftc.gov/policy/public-comments/2017/08/30/comment-87
M3AAWG responded to the Federal Communications Commission's May 2017 Notice of Proposed Rulemaking (“NPRM”) relating to net neutrality that was titled Restoring Internet Freedom. Our comments can also be found on the FCC site at https://www.fcc.gov/ecfs/filing/1082812398671.
Operazione Safety-Net: Migliori pratiche per Combattere le Minacce Online, Mobili e Telefoniche - Operation Safety-Net: Best Practices to Address Online, Mobile, and Telephony Threats (2015)
OPERACIÓN SAFETY NET: MEJORES PRÁCTICAS RECOMENDADAS PARA ENFRENTAR AMENAZAS EN LÍNEA, MÓVILES Y TELEFÓNICAS - Operation Safety-Net: Best Practices to Address Online, Mobile, and Telephony Threats (2015)
MEILLEURES PRATIQUES FACE AUX MENACES EN LIGNE, MOBILES ET DE TÉLÉPHONIE - Operation Safety-Net: Best Practices to Address Online, Mobile, and Telephony Threats (2015)
WHOIS information plays a key role in determining where to report instances of abuse involving domain names. This paper explains some of the important WHOIS elements used to fight spam, phishing, malware distribution and other threats.
Submitted on May 27, 2016 responding to a U.S. Federal Communications Commission Notice of Proposed Rulemaking from the Wireline Competition Bureau. All comments and the FCC proposal are available at http://apps.fcc.gov/ecfs/proceeding/view/view?name=16-106.
Note: The FCC released its Rules to Protect Broadband Consumer Privacy on October 26, 2016, quoting several comments from M3AAWG.
Written in plain language by M3AAWG and the London Action Plan (LAP), Operation Safety-Net outlines the current and emerging threats faced by consumers, businesses and governments with recommended best practices to address these threats. For a brief overview of the document, see the brochure explaining the global depth and breadth of these best practices in the Supporting Documents section from the For the Industry menu tab.
M3AAWG submitted these comments with the new M3AAWG Bot Metrics Report in response to the U.S. Federal Communications Commission request for comments on the status of the implementation of CSRIC III best practices.
Dr. Vixie's August 4th written response to additional questions requested after the hearing on botnet takedowns is also available from the official U.S. Senate Committee on the Judiciary hearing website at www.judiciary.senate.gov/download/vixie-qfrs-71514.
The extended written statement by Dr. Paul Vixie, author of several IETF DNS standards and Farsight Security, Inc. CEO. He also augments his testimony starting around 1 hour and 34 minutes in the official hearing video (http://bit.ly/BotnetTakedownHearing2014) from the U.S. Senate Committee on the Judiciary website at http://www.judiciary.senate.gov/meetings/taking-down-botnets_public-and-... . Dr. Vixie testified at the July 15, 2014 hearing at the request of M3AAWG.
Submitted to the U.S. State Department in January 2014, responding to its request for Stakeholder Input on the Role of Governments, International Telecommunication Union Council Working Group on Internet-related Public Policy Issues.
Submitted to ICANN in response to their misuse survey report.
Submitted to ICANN in August 2013 in response to ICANN's Expert Working Group report.
Submitted in July 2013 to the ITU Council Working Group on International Internet–Related Public Policy Issues (CWG–Internet) in response to a request for comments on effectively countering and combatting spam.
Submitted to ICANN in July 2013
Comments on this report can also be viewed on the ICANN site at http://forum.icann.org/lists/comments-thick-whois-initial-21jun13/
Submitted to the NIST in April 2013
Response to two questions in the National Institute of Standards and Technology Request for Information is also posted at the NIST site with comments from other organizations.
Submitted to Industry Canada in February 2013 - Letter submitted in response to request for comments on the draft Electronic Commerce Protection Regulations related to CASL.
M3AAWG Comments on Preliminary Issue Report on Uniformity of Contracts to Address Registration Abuse
Response to staff recommendations in the ICANN report.
Submitted to RIPE in August 2012
Response to RIPE’s proposal to introduce a new contact attribute named "abuse-c".
Response to the final report from the ICANN WHOIS Policy Review Team
Response to the December 5, 2011 ICANN report from the WHOIS Review Team (WRT).
Submitted to U.S. Congress committees on the judiciary in December 2011
MAAWG outlined technical issues with S.968, Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, and H.R.3261, Stop Online Piracy Act, in a letter to the judiciary committees of the U.S. Senate and U.S. House of Representatives.
Submitted to ICANN in November 2011
Responses to ICANN on issues in the draft report covering the internationalization of domains can be read on the draft report comment site at http://forum.icann.org/lists/ird-draft-final-report/
Submitted to NIST in November 2011 - Responding to a Request for Information from the U.S. Department of Commerce (DoC) and U.S. Department of Homeland Security (DHS), the comments are also available on the NIST site.
MAAWG submitted comments in September 2011
The comments were submitted to the National Institute of Standards and Technology on its draft NICE plan.
A response from MAAWG to the Canadian commission was submitted in September 2011.
Submitted comments on the Canadian Radio-television and Telecommunications Commission (CRTC) draft regulations.
MAAWG submitted a response in September 2011 to the Science and Technology Committee, UK House of Commons
The committee's inquiry covered a variety of questions related to malware and cyber-crime.
MAAWG responded to the Department of Commerce (DOC) Internet Policy Task Force's seventy-seven page green paper on "Cybersecurity, Innovation and the Internet Economy."
MAAWG members, and our members' customers, like all Internet users, rely daily on Internet names. MAAWG commented on the proposed budget from the perspective of encouraging ICANN to continue to offer a reliable, high performance, cost effective, scalable and trustworthy system of domain names.
MAAWG comments were submitted in April 2011 on the ICANN site in response to the ICANN Call for Public Comment
Responding to the ICANN WHOIS Review Team, MAAWG submitted comments on the usability, access, accuracy and reliability of WHOIS and on the improvement of WDPRS.
MAAWG comments were submitted December 2010 in response to the BIS proposal.
The UK Department for Business Innovation and Skills launched its proposals for implementing the revised EU Electronic Communications Framework. The BIS document set out their preferred approach to implementation and asked questions on a limited number of specific issues.
MAAWG comments were submitted November 2010 in response to the DoC request.
The U.S. Department of Commerce’s Internet Policy Task Force requested comments on government policies that restrict Internet information flow, seeking to understand why these restrictions have been instituted; what, if any, impact they have, and how to address negative impacts. The DoC will publish a report contributing to the Administration’s domestic policy and international engagement on these issues.
MAAWG Comments on ICANN FY 11 Update to Plan for Enhancing Internet Security, Stability & Resiliency
MAAWG comments were submitted November 2010 in response to ICANN’s Plan.
ICANN requested comments on an update to its initial plan that will be implemented in the 2010-2011 operational year. The updated plan is intended as a baseline document for ICANN and its community for organizing its security, stability and resiliency efforts.
MAAWG comments were submitted October 2010 based on the ICANN request.
ICANN conducted an exploratory study in 2009 to assess an approximate percentage of domain names (through a statistical sampling plan) contained in the top 5 gTLD registries that used privacy or proxy registration services. The study indicated that at least 18% (and probably not much more than 20%) of the domain names contained in the top 5 gTLD registries used privacy or proxy registration services.
The MAAWG letter supporting elements of FISA (see www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&list=agenda) was submitted September 2010.
MAAWG submitted a letter supporting the global sharing of abuse-fighting information between law enforcement that is included in Canadian Bill C-28 establishing the federal Fighting Internet and Wireless Spam Act (“FISA”).
MAAWG comments were submitted in response to U.S. Federal Communications Commission recommendations in September 2010.
The U.S. FCC’s Public Safety and Homeland Security Bureau (PSHSB) requested comment on the creation of a Cybersecurity Roadmap. The plan would identify vulnerabilities to communications networks or end-users and develop countermeasures and solutions in preparation for, and response to, cyber threats and attacks in coordination with federal partners.
MAAWG comments were submitted to the Department of Commerce’s request in September 2010. The DoC site has all submitted comments.
The Department of Commerce’s Internet Policy Task Force undertook a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department was seeking comments on measures to improve cybersecurity while sustaining innovation.
The MAAWG response was submitted July 2010 in response to ICANN’s initial report for RAA improvements.
The ICANN report describes recommendations on the proposed form of a Registrant Rights and Responsibilities Charter and describes the potential topics for additional amendments to the RAA. It also includes a proposal for next steps the GNSO Council should consider in determining whether to recommend the ICANN Board adopt a new form RAA.
MAAWG offered comments on the U.S. Department of Homeland Security’s strategy in July 2010
The U.S. Department of Homeland Security’s draft plan is focused on maintaining a secure cyberspace, which is critical to the health of the economy and national security. It outlines how the federal government might address the recent and alarming rise in online fraud, identity theft, and misuse of information online.
MAAWG submitted comments in March 2010. As recommended by MAAWG and others, ARIN changed course on this topic.
The initial draft policy would have allowed ISPs to hide the true customer of a domain name. The revised Version 2 policy that was implemented recognized the need for the customer name to remain in the SWIP and RWHOIS information.
MAAWG submitted these comments in January 2010 to the U.S. Federal Communications Commission on its open Internet proposal. The FCC requested public input on draft rules to preserve an open Internet. The FCC is seeking to preserve a platform based on a historically open architecture that has been accessible to anyone with a basic knowledge of its protocols.
Outlines a voluntary set of principles for messaging system operators that discourages bulk messaging abuse of peer-to-peer messaging platforms
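فريق العمل المعني بمكافحة إساءة استعمال المراسلة (MAAWG.org) مدونة سلوك لمشغلي نظام المراسلة - The Messaging Anti-Abuse Working Group (MAAWG.org) Code of Conduct for Messaging System Operators in Arabic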
反滥发信息工作组(MAAWG.org) 信息系统运营商行为准则 - The Messaging Anti-Abuse Working Group (MAAWG.org) Code of Conduct for Messaging System Operators in Chinese (2005)
Code de déontologie du Groupe de travail contre les abus des messageries électroniques (MAAWG.org) à l'intention des opérateurs de messagerie - The Messaging Anti-Abuse Working Group (MAAWG.org) Code of Conduct for Messaging System Operators in French (2005)
Рабочая группа по противодействию компьютерным злоумышленникам в области передачи сообщений (MAAWG.org) Кодекс поведения операторов систем обмена сообщениями - The Messaging Anti-Abuse Working Group (MAAWG.org) Code of Conduct for Messaging System Operators in Russian (2005)
Grupo de Trabajo contra el envío abusivo de mensajes Messaging Anti-Abuse Working Group MAAWG.org Código de conducta para los operadores de sistemas de mensajería - The Messaging Anti-Abuse Working Group (MAAWG.org) Code of Conduct for Messaging System Operators in Spanish (2005)