Abuse Reporting Format

The Abuse Reporting Format (ARF), also known as the Messaging Abuse Reporting Format (MARF), is a standard format for reporting spam via email.

History

A draft describing a standard format for feedback loop (FBL) reports was posted by Yakov Shafranovich in April 2005 [1] and evolved to the current RFC 5965. [2] AOL, who pioneered the field in 2003, initially used a different format, and converted to this de facto standard in 2008. [3] Feedback loops don't have to use ARF, but most do.

In January 2010, the IETF chartered [4] a new working group working towards the goal of standardizing the ARF format. The WG was called Messaging Abuse Reporting Format WG or MARF, which produced RFC 5965. In 2012 it was extended by RFC 6591 and RFC 6692 to define Failure Reports, for reporting email authentication failures. In 2015, the latter report type was further extended by RFC 7489 to define DMARC's Failure Reports.

Purpose

The ARF format is designed to be extensible, providing for generic spam reporting, e.g. from users to some anti-spam center or help desk, or for opt-out operations. The format defines a new MIME type to be included in a multipart/report attachment, and includes at least the headers of the offending message. Although the draft description acknowledges that some operators may choose to modify or redact that portion for privacy or legal reasons, it recommends that the entire original email message be attached, including the unmodified recipient address.

An ARF-encapsulated FBL report comes with the same subject as the offending message. Much like bounce messages, an abuse report consists of a human readable part, followed by a machine readable part, and the original message. The machine readable part's type is message/feedback-report, whose definition is the core of the draft. Extensibility is achieved by including a Feedback-Type field that characterizes the report. Possible values of this field are:

abuse: spam or some other kind of email abuse;
fraud: indicates some kind of fraud or phishing activity;
virus: report of a virus found in the originating message;
other: any other feedback that doesn't fit into other types;
not-spam: can be used to report an email message that was mistakenly marked as spam. [5]

An IANA registry is provided for the Feedback-Type, as well as for the other field names. [6] Each field name may either be relevant for any type of feedback, or for a specified type only. Some fields may appear multiple times. For example, the Source-IP field, containing the IP address from which the original message was received, may appear in any type of FBL report, but only once; the Removal-Recipient field, indicating email addresses to be removed, may only appear in opt-out reports, but one or more times. In addition, there is a DKIM-Failure subtype, with its own IANA registry.

An example report for email abuse is as follows. (Note that only the first three lines of the machine readable part are required.)

    From: <abusedesk@example.com>
    Date: Thu, 8 Mar 2005 17:40:36 EDT
    Subject: FW: Earn money
    To: <abuse@example.net>
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=feedback-report;
         boundary="part1_13d.2e68ed54_boundary"

    --part1_13d.2e68ed54_boundary
    Content-Type: text/plain; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit

    This is an email abuse report for an email message received from IP
    192.0.2.2 on Thu, 8 Mar 2005 14:00:00 EDT. For more information
    about this format please see http://www.mipassoc.org/arf/.

    --part1_13d.2e68ed54_boundary
    Content-Type: message/feedback-report

    Feedback-Type: abuse
    User-Agent: SomeGenerator/1.0
    Version: 1
    Original-Mail-From: <somespammer@example.net>
    Original-Rcpt-To: <user@example.com>
    Received-Date: Thu, 8 Mar 2005 14:00:00 EDT
    Source-IP: 192.0.2.2
    Authentication-Results: mail.example.com;
                   spf=fail smtp.mail=somespammer@example.com
    Reported-Domain: example.net
    Reported-Uri: http://example.net/earn_money.html
    Reported-Uri: mailto:user@example.com
    Removal-Recipient: user@example.com

    --part1_13d.2e68ed54_boundary
    Content-Type: message/rfc822
    Content-Disposition: inline

    From: <somespammer@example.net>
    Received: from mailserver.example.net (mailserver.example.net
         [192.0.2.2]) by example.com with ESMTP id M63d4137594e46;
         Thu, 8 Mar 2005 14:00:00 -0400
    To: <Undisclosed Recipients>
    Subject: Earn money
    MIME-Version: 1.0
    Content-type: text/plain
    Message-ID: 8787KJKJ3K4J3K4J3K4J3.mail@example.net
    Date: Thu, 2 Sep 2004 12:31:03 -0500

    Spam Spam Spam
    Spam Spam Spam
    Spam Spam Spam
    Spam Spam Spam
    --part1_13d.2e68ed54_boundary--
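A receiver can check this structure mechanically before acting on a report. The following is an added example, not part of the original article: it uses Python's standard email package to extract the message/feedback-report part and flag violations of the rules stated above (the three required fields, and Source-IP appearing at most once). The function name parse_arf, the boundary b1 and the shortened sample report are constructed for illustration.

```python
import email
import ipaddress
from email import policy

REQUIRED = ("feedback-type", "user-agent", "version")  # the three required fields
ONCE_ONLY = REQUIRED + ("source-ip",)  # fields that may appear only once
# Constructed sample, cut down from the report shown on this page.
SAMPLE = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1

This is an email abuse report.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: SomeGenerator/1.0
Version: 1
Source-IP: 192.0.2.2
Reported-Uri: http://example.net/earn_money.html
Reported-Uri: mailto:user@example.com
--b1
Content-Type: message/rfc822

Subject: Earn money

Spam Spam Spam
--b1--
"""

def parse_arf(raw):
    """Return (fields, problems) for one untrusted ARF report."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = next((p for p in msg.iter_parts()
                 if p.get_content_type() == "message/feedback-report"), None)
    if msg.get_param("report-type") != "feedback-report" or part is None:
        raise ValueError("not an ARF feedback report")
    fields = {}  # lower-cased field name -> list of values, in order
    for name, value in part.get_payload(0).items():
        fields.setdefault(name.lower(), []).append(str(value).strip())
    problems = [f"missing {n}" for n in REQUIRED if n not in fields]
    problems += [f"repeated {n}" for n in ONCE_ONLY if len(fields.get(n, [])) > 1]
    for ip in fields.get("source-ip", []):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"bad source-ip {ip}")
    return fields, problems
```

Reports arrive from outside parties, so a non-empty problems list is a reason to hold the report for review rather than feed its fields into automated handling.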

References

  1. Yakov Shafranovich (14 April 2005). "New Abuse Draft". Shaftek.org. Archived from the original on 7 October 2008. Retrieved 17 November 2008.
  2. John Levine (1 September 2010). "ARF is Now an IETF Standard". CircleID. Archived from the original on 5 September 2010. Retrieved 12 September 2010.
  3. Christine Borgia (27 June 2008). "AOL Converting All FBLs to ARF on 9/2/08". AOL. Archived from the original on 2 December 2008. Retrieved 17 November 2008.
  4. IETF. "MARF charter". Retrieved 26 January 2010.
  5. Kepeng Li; Barry Leiba (November 2011). "Email Feedback Report Type Value: not-spam". PROPOSED STANDARD. IETF. Retrieved 11 November 2011.
  6. "Messaging Abuse Reporting Format (MARF) Parameters". Protocol Registries. IANA. 26 May 2010. Retrieved 29 November 2011.