Internet Giants Issue Anti-spam, Anti-phishing Best Practices

Network operators and social media giants are updating their best practices for email marketing, to require opt-in for all mailing lists and to better fight phishing.

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) represents more than one billion mailboxes from some of the largest network operators worldwide, including AT&T, CenturyLink, Orange, Sprint, Time Warner Cable and Verizon Communications, as well as internet giants like AOL, Facebook, Google, LinkedIn, PayPal, Twitter and Yahoo! Inc.

To improve the effectiveness of their campaigns, the guidelines say that marketers should only use opt-in processes in building their lists, obtaining recipients’ permission before sending messages. The M3AAWG Senders Best Common Practices, Version 3.0, also recommends using technologies that provide better transparency into the originating sender, to help reduce phishing attacks, and address data security issues.

“Laws are necessary to define what high-volume senders can and can’t do within a jurisdiction,” said Michael Adkins, M3AAWG chairman of the board, in an email. “These best practices outline what they should do operationally to help improve email deliverability and to operate as a good citizen of the global Internet community.”

While a single opt-in process that requires recipients to check a box or otherwise proactively request commercial emails from the sender is acceptable, the guidelines recommend going further with a double opt-in process that involves sending recipients a confirmation message with a link or other instructions to verify they want to be added to the list.
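The double opt-in confirmation step described above, as an added example that is not code from M3AAWG or the article: the confirmation link carries an HMAC-signed, expiring token that binds the address to the specific list, so a link sent to one recipient cannot be replayed to subscribe a different address or list. The secret key, TTL, and URL layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumed server-side secret (constructed for this example); load from a secrets store in practice.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed validity window for the confirmation link


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, list_id: str, now: Optional[int] = None) -> str:
    """Token for the confirmation link; the MAC covers address, list and expiry."""
    issued = int(now if now is not None else time.time())
    payload = f"{email.lower()}|{list_id}|{issued + TOKEN_TTL_SECONDS}".encode("utf-8")
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_confirmation_token(token: str, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Return (email, list_id) when the token is authentic and unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        email, list_id, expires_str = payload.decode("utf-8").split("|")
        expires = int(expires_str)
    except (ValueError, UnicodeDecodeError):  # malformed or truncated token
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(mac, expected):
        return None
    current = int(now if now is not None else time.time())
    if current > expires:
        return None
    return email, list_id


def confirmation_link(base_url: str, email: str, list_id: str) -> str:
    """Link to place in the confirmation message; only a verified click adds the address."""
    return f"{base_url}/confirm?token={make_confirmation_token(email, list_id)}"
```

The subscription is recorded only after `verify_confirmation_token` succeeds for the clicked link; the pending request itself never adds the address to the list.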

Email appending or “epending,” the illicit process of taking known demographic information and using various methods to determine an end user’s email address, is never acceptable, and unsubscribing from a list should be simple and direct.

On the phishing front, the guidelines note that data security procedures should not be overlooked simply because a list might contain only email addresses; reliable names and addresses are highly valuable to cybercriminals.

Sender transparency, or clearly indicating who is responsible for sending the message, is critical to identifying and reducing messaging abuse. Senders need to maintain current IP and domain information in WHOIS, an Internet directory widely referenced by network operators for crucial information about the sender of a message. Email authentication technical specifications such as DKIM and DMARC also help ISPs identify phishing emails, i.e., fraudulent messages that appear to come from recognizable brands or organizations but are intended to steal end users’ personal information.
