You, an Internet Service Provider (ISP) or telecom company, deal with sensitive customer data every day, making you a target for cyberattacks of all sorts. That’s why email anti-abuse best practices are crucial.
This article provides a short overview of email anti-abuse, talks about what M³AAWG is, the relationship between service providers and email anti-abuse, and discusses current best practices for email anti-abuse.
Email Anti-Abuse — A Short Overview
Email abuse such as email spoofing, phishing attacks, and spam can compromise customer safety and sensitive data, clutter inboxes, and waste valuable time and resources. Anyone with an email address is at risk. Because of this, ISPs need to have mechanisms and software in place to prevent email abuse. In general, you have a responsibility towards your customers to provide good anti-abuse protection (and not only).
What Is M³AAWG?
The Messaging Malware and Mobile Anti-Abuse Working Group (M³AAWG) is a non-political, technology-neutral working body founded in 2004. You can think of them as the global authority that sets the best practices for email abuse. They come together to fight against botnets, spam, viruses, malware, and any other online exploitation and abuse. Members share information about new technology deployments and operational-level evaluations of technical initiatives to stop abuse and online threats. Members include:
- Internet Service Providers (ISPs)
- Email Service Providers (ESPs)
- Telecom companies
- Social networking companies
- Security researchers
- Various leading software and hardware vendors
- Major antivirus vendors and security vendors.
Focusing on operational practices, they develop cooperative approaches, develop and publish best practices papers, position statements, educational and training videos, and other materials to help the online community fight online abuse. Forms of abuse that can threaten end-users include:
- Malware - including bots, viruses, and malicious code
- Mobile - protecting against malware and messaging abuse on text and voice services
- Messaging - protecting against abuse on any messaging platform, including email and texting.
The Relationship between Service Providers & Email Anti-Abuse
Network abusers (cybercriminals) are sly and use crafty methods to hide their location and IP address to launch an attack. Since attacks are common and can target anyone with an email address, ISPs need to come up with ways to overcome them. Below is a small list of the types of abuse most commonly seen:
- Spam - any email sent to end-users that the receiver specified they didn’t want to receive is spam. Service providers should subscribe to as many Feedback Loops as necessary (which we will talk about in a bit)
- Spamvertising - when an end-user engages a third party to advertise a product or service
- Outbound phishing (hosting and inbound for client credentials) - a fraudulent site pretending to be a legitimate company that instructs an individual (end-user) to enter confidential information. The abuser then has everything they need to rob the individual of sensitive information
- Hacked or defaced pages - not all hacked accounts are used for phishing; some are defaced, and the end user’s data is destroyed or corrupted. Abusers can also inject malicious code or upload bots to cause additional problems.
You can take a look at our Business Email Compromise and How to Prevent It article for more information about the different kinds of attacks that can occur and how to detect and prevent them.
And although no system is ever 100% foolproof, service providers must do everything they can to ensure the network infrastructure won’t be easily hijacked and is resilient to security threats. Lack of internal resources, automation, or a lousy network reputation are all contributing factors to your downfall and customer dissatisfaction. Focus on any area where you may be lacking.
Thankfully, there are some M³AAWG best practices you can follow to help with the most common challenges you may face.
Current M³AAWG Best Practices for Email Anti-Abuse
Different service and network providers all have different system management policies and processes in place, which can have an effect on attacks. Below are some universal best practices stated by M³AAWG to help keep your customers safe from attacks.
1. Prevent Abuse
There are multiple ways hosting providers can prevent abuse. Some of them include:
- Vet customers before they become a problem - you must have a vetting process in place to proactively identify malicious activity before it occurs. Since hosting providers are at the mercy of their clients’ worst activities, vetting them is of utter importance for maintaining a good reputation, decreasing online abuse, and decreasing overall costs.
- Require customers to maintain updated software - not having up-to-date software is one of the main reasons abuse occurs in the hosting space. Contractual agreements should specify to always keep installs, plugins, hardware, etc., up to date (enforce automatic software updates if possible). Not doing so increases the risks to the security of customer environments and those of others.
- Prevent abusers from becoming customers - preventing fraudulent accounts with abusive activities before they even get into a host’s system should be a high priority. You may include preauthorization of new accounts, keeping records of any previously terminated fraud accounts, and even having a fraud scoring system in place to automatically reject accounts that fall below a specified number.
- Strengthen customer passwords - require two-factor authentication and complex passwords. Additionally, maintain a password and policy history for each client.
- Security, security, security - hosting providers must always maintain strong internal security systems and practices. Otherwise, any recommended measures are useless if abusers can guess important passwords or bypass security systems. Providers can also follow PCI security standards.
2. Detect and Identify
- Use confidential client identifiers - create a unique identifier for each customer, unintelligible to outside parties. This maintains the customer’s identity and privacy while giving you a simple way to identify customers.
- Make community abuse reporting straightforward - provide methods through which members can report perceived abuse from the network in question. Maintain redundant communication channels such as email, phone, chat, ticketing systems, and a social media presence to account for the failure of any one or more channels and constantly monitor them.
- Respond promptly to complaints - failure to address abuse reports can result in negative consequences for either your clients or your reputation. This can be automated to include the original complaint, a ticket number, and any other identifiable information to assure the client that the complaint was received and a follow-up will ensue.
- Set up Feedback Loops - setting these up will help keep you off of Domain Name System Blacklists (DNSBL), limits any reputation damage, and allows staff to proactively deal with both abusers and abused (compromised) clients. For a list of available Feedback Loops, see the Word to the Wise ISP information page.
3. Remediate
Remediation priorities allow you to make case-by-case assessments and resolve issues to prioritize the most critical ones for a given provider or customer. For example, data theft from the corporation is of higher priority than a small spamvertising campaign.
It’s important to remember that priorities differ based on the location of the issue and the hosting provider. Additionally, the source of the report and the amount of damage to your reputation should also be taken into account for remediation priorities.
Below are some more best practices for remediation priorities:
- Respond quickly to high-priority issues - high-profile complaints, blacklist removals, and takedown requests require more than a simple acknowledgment of receipt. The reporting agency or customer must be contacted before to address the issue and after issue resolution. There may be a need for additional communication if there are lingering issues that remain.
- Communicate proactively when company or industry-wide events occur - in the unfortunate event that a severe compromise occurs that may put multiple clients or a group at risk, develop a communication plan to make them aware of the issue and a series of steps to resolve it. Time is of the essence in citations such as these, so communications must be timely. Support staff should also be made aware of the issue to offer additional assistance to those who need it.
- Suspend service to non-responsive customers - if a compromised client or a client engaging in compromising activity has not taken the proper steps to remediate the issue, you can remove services or shut them down. This can mean they have a suspended web page where they have to contact you to regain access, or you turn off key aspects of the hosting environment. For example, a repeat spam offender may not have the ability to send emails for a while.
- Terminate non-responsive customers - to further protect you, your reputation, and other customers, the relationship between you and a non-responsive customer who continues to generate abuse on the network must be terminated.
Secure Your Email Services Easily
ISPs and service providers have a huge responsibility to customers to make them feel safe and understand their needs. Since most customers don’t understand the risks they subject themselves to on a daily basis, it is up to us to protect their data and confidentiality.
Thankfully, Axigen understands all about customer data and confidentiality, offering an extensive security toolset through our email server. No matter your business model or needs, we offer a fast and friendly interface with flexible solutions for your customers. Customers are never alone in their journey towards a safer email with our 24/7 support and assistance. Let’s move securely forward, on your terms.