Configure Inbound Processing

Configuring Inbound Processing

Access the settings menu AbuseHQ to configure Inbound Processing.

1. Click your name in the top right corner

2. Select Settings from the drop-down menu

3. On the left side of your screen, select Inbound Processing under Automation.

Inbound Processing Explained

Inbound Processing located in AbuseHQ settings gives you the power to decide which events reach AbuseHQ and how to enrich these events.

The Inbound Processing configurable flow chart presents the flow of your events before they hit AbuseHQ.

The “Incoming Events” or input node is where the parsed email and API events come into inbound processing. The events are then triaged and tagged with the event type, and “AbuseHQ” is where data is sent to be orchestrated in your AbuseHQ instance.

Inbound Processing is fully configurable, with an API integration to return values from your radius server or CRM and to otherwise fit your inbound identification and tagging requirements.

The AbuseHQ default configuration includes a filter called “IsRecent” and a resolver called “IPResolver”.

These inbound processing steps do the following:

Step 1, “Is recent”

1. If an event matches the “IsRecent” date filter it is the event is passed on to the “IPResolver” as shown by the green arrow.

2. The event doesn’t match the “IsRecent” date filter, it is dropped and is not further processed. The flow chart illustrates this with no connected Nodes/Links on the “Failed” or red output of the filter.

Step 2, “IP Resolver”

1. Upon receiving an event from the “Is Recent” node, the resolver attempts to enrich the IP address for an event and add a subscriber id. The event is then passed to AbuseHQ (“AHQ”). Some resolvers resolve domain reports, like phishing reports to an IP address to further help identify a subscriber.

In Inbound Processing, there are several options to manipulate incoming data.

Integrity Checks

Three Integrity Checks validate the configuration of your Inbound Processing Flow. This is shown on the upper right side of the screen. These checks are

• “No loops” checks if there are loops in your inbound processing flow. This prevents events from being sent into limbo.

• “Connection to AHQ” checks to make sure that there is at least one connection from “Input” to “AHQ” so that is at least theoretically possible for events to reach the AbuseHQ. You could be over-filtering, but that is easy enough to fix.

• “No disconnected nodes” checks if there are unreachable nodes and subgraphs.

Saving Changes

All changes you make are saved but not directly taken live. This setting allows you to ensure that you configure everything correctly and not jeopardize real incoming data.

When you are done configuring, you can either take the current configuration live by clicking the blue Take config live button or reset the inbound processing flow chart to the currently applied config by clicking Reset to live config .

Filtering reports based on age

Sometimes, you may only handle reports for up to X days. This might be a legal or technical requirement; in some cases, it may just be your subjective choice of handling things.

Setting up a Filter in Inbound Processing is very simple, and this exact "IsRecent" Filter is already part of the Default Inbound Processing Chain.

Opening the “IsRecent” node will show a form on the right side with all configuration options for this filter. The fields are more or less the same for all Filters.

Set a name, description, and the actual logic of the filter. In our case, we want to operate on the event’s date and check if it is younger than 30 days (“30d”). Some other examples of valuable filters may be:

• Check if the event IP is in your configured networks.

• Check if the event IP is in a network with a specific tag.

• Filter based on the type of the event (spam, copyright, etc.).

• Filter based on the sender's email address.

Dropping misdirected reports

Misdirected abuse reports, with IP addresses you are not responsible for, are sometimes sent to your abuse address and can become noise.

AbuseHQ's Inbound processing will filter out everything except the networks you have configured in your Network Settings (Settings > Networks), allowing you to focus on only what is essential.

Learn More

If you want to understand a little bit more about this feature, we recommend the following articles:

• What Is Inbound Processing and Why Is It Important?

• How to Use Inbound Processing

• Why You Need AbuseHQ’s Inbound Processing Capabilities

• CRM Integration Through API - Subscriber Resolver

• Subscriber resolving via X-Header

• Ubersmith Resolver Guide

• API Resolver Caching