Submitting data via email to Data Channels

How to alias your abuse@ address or forward different types of email

 

Introduction

The SMTP data channel configuration applies to the following situations:

Sending to your AbuseHQ instance

  • reports sent to the abuse@ role address, including abuse web form submissions from your website

Reporting abusive behavior to Abusix

  • spam trap emails
  • emails reported as spam by users in your mail platform
  • other (e.g., reports of abuse to be routed to network or DNS operations through Abusix Global Reporting)

Please remember that sending data via the API with XARF field formatting is recommended, because the API guarantees that the data can be processed and used immediately. Learn more about sending data to our API.

Email Formats

Using standards increases the chances of your data being parsed automatically. Therefore, the ideal email format uses MARF and XARF for SMTP. These two standards make report handling automatic and straightforward and should be followed as much as possible. That said, we also automatically parse other formats such as Shadowserver’s format, IODEF, TAXII, and others.

Be aware there are situations where your data may not be parseable, as various factors can influence the outcome; for example, when an issue applies to an entire ASN, it does not make sense to create an event for every single IP address in your network. Contact support if you have questions about this.

Sending abuse reports to your AbuseHQ instance by email

Aliasing your abuse@ role address(es) to AbuseHQ

  • Forward abuse reports sent to the abuse@ role address by “aliasing” that address to the Abusix data channel email address that was provided to you when you configured the email data channel in app.abusix.com.
  • If you send reports that you receive at an email address other than the abuse@ role address, “alias” that address to the email address provided in app.abusix.com.

Forwarding from an email client does not work! “Aliasing” role addresses ensures that the emails are not altered in transit, no additional headers are added, and the report is not repackaged in an envelope email. Forwarding with an email client changes the formatting of messages, and every email client changes it differently. Check the user manual of your email client to learn how to set up an email alias. For example: MS Outlook

Forwarding abuse reports from web forms or internal platforms to AbuseHQ

  • You may have to submit via email if you have a web form for reporting abuse or a system generating alerts in your network. In these cases, use XARF for SMTP. Also, see our documentation for more information.
  • If you wish to send reports from internal systems, avoid bulk email reports: parsing them and maintaining the parsers is manpower-intensive compared with the fire-and-forget integration provided by Submitting data via the API to Data Channels.

Reporting abusive behavior to Abusix by email

You may report abusive behaviour to Abusix both to report back to the network owner and to send data to your AbuseHQ instance.

An example is when you have an abuse report stream that might include information about your network (and you are using AbuseHQ) AND you wish to report abusive behavior to other networks from the same stream.

When we process information in this stream, we split the data between networks.

Forwarding spam trap emails

When configuring your Data Channel, you will be asked to provide a “data type.”

When the “data type” is Spam trap emails, the email addresses must only be genuine email traps that should never receive benign traffic.

  • Please configure the address to forward the trap hits directly. Please don't pack the data in an envelope.
  • When you forward traps, the envelope FROM of the sent message should be the original FROM value sent to the trap. Please don’t ever use your address in a trap email.
  • We can provide Redaction/Anonymization, but only when the email is in its original format, and all headers are intact.
  • If for some reason you cannot send the trap information in its original form, we need you to attach an x-originating-ip header to the original mail, containing the IP address of the malicious sender that sent the mail to the trap, for the information to be useful.

“This Is Spam” user reports

When configuring your Data Channel, you will be asked to provide a “data type.”

When the “data type” is This is Spam, the expected emails are spam reports generated by the “This Is Spam” buttons in your users’ email UI.

  • The reported spam from the “This is Spam” buttons should be sent as an attachment in an envelope report mail and not directly forwarded.
  • If available, attach information about the original
    • sender's IP address to the report mail carrying the envelope using the x-originating-ip header.
    • envelope FROM value to the report mail carrying the envelope using the x-original-from header.
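
The two submission styles described above (spam trap hits relayed unaltered with the original envelope FROM, and “This Is Spam” reports wrapped in an envelope mail), as an added Python example that is not Abusix code. The function names, the channel address passed in and the sample message are constructed for illustration, and prepending the header to the raw bytes is one assumed way of attaching x-originating-ip to a trap hit.

```python
import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage

def _ip(value):
    # Accept only a literal IPv4/IPv6 address; raises ValueError otherwise.
    return str(ipaddress.ip_address(value))

def trap_relay_args(raw, orig_mail_from, channel_addr, sender_ip=None):
    """Spam trap hit: relay the bytes as received and keep the original envelope FROM.

    sender_ip is the fallback for hits that could not be kept in original form;
    it is prepended as an x-originating-ip header without re-parsing the mail.
    Returns (from_addr, to_addrs, data), the arguments of smtplib.SMTP.sendmail().
    """
    data = raw
    if sender_ip is not None:
        eol = b"\r\n" if b"\r\n" in raw else b"\n"  # match the message's line endings
        data = b"x-originating-ip: " + _ip(sender_ip).encode("ascii") + eol + raw
    return orig_mail_from, [channel_addr], data

def build_tis_report(original, report_from, channel_addr,
                     sender_ip=None, orig_mail_from=None):
    """'This Is Spam' report: envelope mail carrying the spam as a message/rfc822 part."""
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = report_from
    report["To"] = channel_addr
    report["Subject"] = "This Is Spam user report"
    if sender_ip is not None:
        report["x-originating-ip"] = _ip(sender_ip)
    if orig_mail_from is not None:
        # EmailMessage rejects values with embedded line breaks (ValueError),
        # so a hostile envelope value cannot add headers to the report.
        report["x-original-from"] = orig_mail_from
    report.set_content("User-reported spam; original message attached.")
    report.add_attachment(message_from_bytes(original, policy=policy.SMTP))
    return report.as_bytes()

# Constructed sample message (documentation addresses, not real traffic).
SAMPLE = (b"Received: from mail.sender.example ([192.0.2.55]) by mx.isp.example\r\n"
          b"From: Deals <promo@sender.example>\r\n"
          b"To: user@isp.example\r\n"
          b"Subject: Cheap watches\r\n"
          b"\r\n"
          b"Buy now\r\n")
```

Pass the tuple from `trap_relay_args` to `smtplib.SMTP.sendmail()`; the report bytes from `build_tis_report` are sent the same way, with your own reporting address as the envelope sender.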

Other

When configuring your Data Channel, you may select the “data type” Other.

This data type has no specific requirements, though using XARF formatting via email will always be the fastest and least costly reporting method.

When you specify the “Other” category, please tell us in the comments what kind of data you are sending so we have some context when evaluating and processing the data in the channel.

  • “Other” data will be held in staging and not be parsed automatically until we have a clear view of the objective.

Learn more about Data Channels

This will help provide you with an Overview of the XARF Format

 

Send us a message

Having trouble with your setup or a technical issue? Get in touch with our team of Abusix experts.

Click the chat button at the bottom and send us your questions. Alternatively, you can email us at support@abusix.com

 
