Network Abuse

Many years ago, back when huge levels of spam involved hundreds of thousands of emails, there was a group of people who spent a lot of time talking about what to do about abuse. One of the distinctions we made was abuse of the net as opposed to abuse on the net. We were looking at abuse of the network, that is activity that made the internet less useable. At the time abuse of the network was primarily spam; sure, there were worms and some malicious traffic, but we were focused on email abuse.
In the last 20 years, multiple industries have arisen around network abuse. I’m sitting at a conference with hundreds of people discussing how to address and mitigate abuse online. In the context of the early discussions, we’re mostly focused on abuse of the network, not abuse on the network.
But abuse on the network is an issue. It’s a growing issue, IMO. The internet has contributed to the rise and normalization of the alt-right. Social media is a medium used for abuse on the net. Incidents range from bullying of school kids to harassment of celebrities to sharing of child abuse material. All of these things are abuse on the net. They are an issue. They need to be addressed.
Today M3AAWG gave the 2017 Mary Litynski Award to Mick Moran from Interpol for his work in fighting child exploitation and abuse on the net. As I tweeted during the session, I have a phenomenal amount of respect for Mick and people like him who work tirelessly to protect children online. I don’t talk much about child abuse materials*, but I know the problem is there and it’s bad.

One of the discussions I’ve had with some folks lately is how we can better fight abuse on the net. Many of the tools we’ve built over the years are focused on volume – more complaints mean a more serious incident. But in the case of abuse on the net, or who is wrong. volume isn’t really an issue. It’s a hard problem to solve. It’s easy to create a system that lets the good guys get information, but it’s hard to create a system that also keeps the bad guys out and prevents gaming and is effective and values single complaints of problems.
Folks like Mick, and the abuse teams at ISPs all over the world, are integral to finding and rescuing abused and exploited children. Their work is so important, and most people have no idea they exist. On top of that, the work is emotionally difficult. Some of my friends work in that space, dealing with child abuse materials, and all of them have the untold story of the one that haunts them. They don’t talk about it, but you can see it in their eyes and faces.
We can do better. We should do better. We must do better.
 
*Note: Throughout this post I use the term “child abuse materials” to describe what is commonly called child pornography. This is because porn isn’t necessarily bad nor abusive and the term child porn minimizes the issue. It’s important to make it clear that children are abused, sometimes for years, in order to make this material. 

Related Posts

October 2016: The Month in Email

We’ve returned from London, where I spoke at the Email Innovations Summit and enjoyed a bit of vacation. My wrap-up post also mentions an article I wrote for the Only Influencers site, which looks at questions I get asked frequently: “Why does spam make it to the inbox and our legitimate marketing email doesn’t? Should we just copy their tactics?”
Parliament2ForBlog
In industry news, Yahoo caught our attention for two surprising moves: disabling forwarding and — much more disturbing — creating software for intelligence agencies to search customer email.
Some legal updates this month: The Second Court of Appeals upheld an earlier ruling that companies are in fact liable for the activities of their affiliates, including spam and fraudulent claims. This is important, as we often see spammers and cybercriminals use affiliates to distance themselves from these activities. We also saw another fine assessed for a violation of CASL, and noted with appreciation the transparency and thoughtful process that the Canadian Radio-television and Telecommunications Commission (CRTC) demonstrates in explaining their actions.
Another excellent report is the one created by the Exploratorium to explain their recent experience with being phished. It’s a good piece to share with your organization, in that it reminds us that these cybercriminals are exploiting not just our technology but our trust-based connections to our friends and colleagues. It’s important to raise awareness about social engineering as a part of information security. And speaking of email security, we were delighted to note that André Leduc received the 2016 J.D. Falk award this month at M3AAWG for his excellent work on this topic. It’s a fitting legacy to our friend, J.D., who died five years ago this month. We miss him.
Finally, we’d be remiss in observing Halloween without a post about zombies. Feel free to read it aloud in your spookiest voice.

Read More

And… we're back from London

The Email Innovations Summit in London was a good conference. Much smaller than Vegas, but with a number of very interesting talks. I got to meet a number of folks I’ve only known online and we had some interesting conversations at the conference and at the pub-track in the evenings.
FullSizeRender 3
I had so many grand plans for doing some work while in London. So many plans. And then I actually mostly disconnected and ignored anything I “should” be doing.  Instead, Steve and I did some touristing, some relaxing, some family time and some connecting with his college friends. We also (over)heard a lot of conversations about the US Election. One night at dinner every table around us was talking about our candidates and what they thought of them. It’s always interesting to hear what non-Americans think about our country.
In addition to missing two debates, it seems we missed some online news, too. I think the biggest thing was another large DDoS attack against that took out many major websites. I’m starting to see some comments that spam levels were down during the attack, too, but haven’t dug into that yet.
I did have an article published in the Only Influencers newsletter last week: Marketers Can’t Learn from Spam. All too often marketers think spammers are better at unboxing because they see spam in their inbox. But spammers are just more criminal and spend a lot of effort trying to bypass filters. These aren’t lessons marketers can learn from.
Unfortunately, due to our London trip, we are going to miss M3AAWG in Paris, which starts today. Two weeks between conferences was exactly the wrong time for going to both. Never fear, many folks will be tweeting what they can using #m3aawg38.
We’re both slowly getting back into the swing (and timezone!) of back to work. Blogging will pick up over the next few days. And I have new castle pictures to share.

Read More

2016 J.D. Falk Award

André Leduc received the 2016 J.D. Falk award this week at the Paris meeting of M3AAWG. He was recognized for spearheading two distinct projects.
The first was the Operation Safety Net – Best Practices to Address Online, Mobile, and Telephony Threats  This 76 page report was written by global security experts. One of the major goals of the report was to discuss security in language accessible to policy makers and management. The report, newly updated in 2015, is available at the M3AAWG website. Making technical language accessible is, to my mind, one of the most important parts of getting security recommendations implemented.
In addition to his work in making security recommendations accessible, André was the lead architect behind the Canadian Anti-Spam Legislation. This legislation has greatly reduced the amount of spam received by Canadians. According to Leduc, CASL has improved permission practices by senders outside of Canada.
Congratulations to André.

Read More