How do anti-abuse teams share data?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Anti-abuse data sharing happens at multiple levels, from informal to highly structured. The effectiveness depends on which layer you're operating at and what problem you're trying to solve.
The most structured layer is industry organizations. M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) provides a trusted forum where ISPs, ESPs, mailbox providers, and security vendors share threat data. The trust framework is the key: organizations share more with parties they've vetted than they would publicly. M3AAWG also facilitates specific working groups where members share data about coordinated campaigns.
ISACs (Information Sharing and Analysis Centers) provide sector-specific sharing frameworks. The Communications ISAC and Financial Services ISAC both include email abuse data relevant to their sectors. These provide real-time threat feeds and machine-readable data sharing via STIX/TAXII protocols.
For technical data exchange, the two main standards are STIX (Structured Threat Information Expression, a format for describing threat indicators) and TAXII (Trusted Automated Exchange of Indicator Information, a transport protocol for distributing STIX data). These enable automated machine-to-machine sharing rather than human-curated feeds.
Bilateral sharing between organizations happens outside formal frameworks too. If Gmail and a major bank both notice a coordinated phishing campaign against bank customers, their abuse teams can exchange indicators directly. This is often faster than formal channels for active incidents.
Feedback loops are a more limited form of sharing: mailbox providers send complaint data back to ESPs and senders automatically when users mark messages as spam. This is standard practice and gives legitimate senders visibility into which messages generated complaints.
For organizations wanting to participate in data sharing, M3AAWG membership is the standard entry point. Joining an ISAC relevant to your sector is worth it if you're in financial services, healthcare, or critical infrastructure.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.