David Barnes <.zululabs.com>
06/02/2017
to Australian

Hi Chris,

....I am concerned that no review is imminent. Do you suggest I take this up with the minister?

With regards to the Protect Notice - I think perhaps I have confused you. There are 2 components to DMARC: inbound & outbound. All but one component (35) of the notice deals with inbound. My read is that there is no explicit outbound notice or guide. My question is: given outbound email and marketing emails are the domain of your department, should you not advise on best practices?

Australian Internet Security Initiative
06/02/2017
to me

Dear David

Firstly I apologise for the delay in responding to your last email of 28 January, but unfortunately after having last Monday (30 January) off, I had to leave work early on Tuesday unwell and then spent the rest of the week off work unwell, returning this morning.

There has only been one review of the Spam Act to date, conducted some time ago by what is now the Department of Communications and the Arts (DoCA). As far as we know no review of the Spam Act 2003 is currently scheduled. In 2015-16, however, DoCA conducted a review of the 'objectives, function, structure, governance and resource base of the ACMA to ensure it remains fit-for-purpose for both the contemporary and future communications regulatory environment'. The draft report of the review proposed (Proposal 6) that:

within the next 12 months, the ACMA examine whether some or all of the following functions can be referred to industry for self-regulation, in consultation with relevant industry bodies:
· technical standards;
· Integrated Public Number Database;
· Do Not Call Register;
· Action on unsolicited communications, including Spam.

The final report of this review has not yet been issued.

You are probably already aware of this, but if not you may be interested to know that in August 2016 the Australian Signals Directorate issued a Protect Notice 'Malicious Email Mitigation Strategies' which refers to DMARC and has been promoted by dmarc.org.

Regards
Chris
Assistant Manager CSUCES

From: David Barnes [mailto:zululabs.com]
Sent: Saturday, 28 January 2017 12:09 PM
To: Australian Internet Security Initiative
Subject: Re: FW: Enquiry Received - ACMA-ENQ-3572FIGC86 [Ref: CSC2017-2360] CRM:000603003022 [SEC=UNCLASSIFIED]

Hi Chris,

this latest article is quite relevant as to the send policies for campaigning (not receiving): http://www.electronicdirect.marketing/qantas-spam-or-not-learn-more-about-email-brand-protection-deliverability/

I have some very specific views on this and how our SPAM Act of 2003 is now less relevant and not that well enforced. It fails to meet the industry expectations domestically and when we compete internationally. It is actually doing damage to domain reputations. Also I think organisations that can be proven to know of ways to protect their customers against spoofing of their brand should be held to account when the costs of doing so are within the means of that organisation.

Is there a review occurring of the SPAM Act?

David Barnes
Global CEO, Zulu Labs

On 23 January 2017 at 09:39, Australian Internet Security Initiative wrote:

David

Thank you for your email and we are happy to review further. Can you please forward the most relevant of your publications where you are of the view that DMARC falls under the realm of the ACMA so that we can review the rationale for your assertion concerning the ACMA's responsibility. We will then respond to you as appropriate.

Regards
Chris

From: David Barnes [mailto:zululabs.com]
Sent: Friday, 20 January 2017 2:45 PM
To: Australian Internet Security Initiative
Cc: ACMA Customer Service Centre
Subject: Re: FW: Enquiry Received - ACMA-ENQ-3572FIGC86 [Ref: CSC2017-2360] CRM:000603003022 [SEC=UNCLASSIFIED]

Hi Chris,

I quote:

"Mitigation Strategy #20 – Block spoofed emails

Mitigation
Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and a 'hard fail' SPF record to help prevent spoofing of your organisation's domain.

Rationale
SPF, or alternative implementations such as Sender ID, aid in the detection of spoofed emails and therefore reduce the success rate of such cyber intrusion methods.

Implementation Guidance
Configure SPF records for your organisation's domains and subdomains, and configure a wildcard SPF record to match non-existent subdomains. Sender ID is an alternative version of SPF that checks the legitimacy of the sender's email address that is displayed to the email recipient. Additional implementations include DomainKeys Identified Mail (DKIM). Domain-based Message Authentication, Reporting and Conformance (DMARC) standardises how email receivers perform email authentication using the SPF and DKIM mechanisms. Reject emails from the Internet that have your organisation's domain as the email sender."

These are security related inbound measures which advise server administrators and mail administrators how to guard against spoofing and phishing. This does not advise senders as to how to protect themselves from being spoofed. It is my view, and I am very well published on this, that DMARC for outbound email sits within ACMA's realm. Who can I talk to further on this?

David Barnes
Global CEO, Zulu Labs

On 20 January 2017 at 10:03, Australian Internet Security Initiative wrote:

Dear David

Thank you for your enquiry to the ACMA Customer Service Centre regarding DMARC. This is not a question for the ACMA and you could contact the Australian Signals Directorate (www.asd.gov.au) who develop and manage strategies to mitigate targeted cyber intrusions and who are responsible for the Australian Government Information Security Manual (The ISM). If you have not already found the DMARC information on their site, they have information about DMARC at https://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-details.htm.

Regards
Chris
Assistant Manager
Cyber Security and Unsolicited Communications Enforcement Section
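The Mitigation Strategy #20 text quoted in the thread names the records a sending domain publishes to protect itself from being spoofed: a hard-fail SPF record, a wildcard SPF record for non-existent subdomains, and a DMARC policy. As an added example that is not part of this correspondence or of any ACMA or ASD material, the Python below assesses a domain's outbound anti-spoofing posture from those records; the domain names and TXT records are constructed, and no live DNS lookup is performed.

```python
import re

# Constructed sample TXT records keyed by DNS name (no live DNS lookup is performed).
# "example.com" publishes what Mitigation Strategy #20 asks for; "weak.example"
# publishes a soft-fail SPF record, no wildcard record and a monitoring-only DMARC policy.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"],
    "*.example.com": ["v=spf1 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def get_spf(txt_records):
    """Return the single SPF record among TXT strings; None if absent or duplicated (RFC 7208)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def spf_all_qualifier(spf):
    """Qualifier on the 'all' mechanism: '-' hard fail, '~' soft fail, '?' neutral,
    '+' pass. None when 'all' is missing (no verdict for unlisted senders)."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    return (m.group(1) or "+") if m else None

def parse_dmarc(txt_records):
    """Parse a 'v=DMARC1' TXT record into a tag dict; None if the name has no DMARC record."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None

def outbound_posture(domain, txt_lookup):
    """Findings a domain owner (the sender, not the receiver) would act on."""
    spf = get_spf(txt_lookup.get(domain, []))
    wildcard_spf = get_spf(txt_lookup.get("*." + domain, []))
    dmarc = parse_dmarc(txt_lookup.get("_dmarc." + domain, []))
    policy = dmarc.get("p", "none").lower() if dmarc else None  # missing 'p' treated as none
    return {
        "spf_hard_fail": spf is not None and spf_all_qualifier(spf) == "-",
        "wildcard_spf_hard_fail": wildcard_spf is not None and spf_all_qualifier(wildcard_spf) == "-",
        "dmarc_policy": policy,
        "dmarc_enforcing": policy in ("quarantine", "reject"),
    }
```

Run against live data by replacing SAMPLE_TXT with the TXT answers from a resolver; a domain whose SPF ends in ~all or whose DMARC policy is p=none is one that receivers are not being told to reject spoofed mail for.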