The “Display From” address is the email address that is displayed to the end user within their email client (MUA) and is not necessarily the same as the “Mail From” address.

The SMTP uses the “Mail From” address, while the MUA uses the “Display From” address to display the address in the From field.

The Display From address is also known as RFC5322.



2FA (Two Factor Authentication) is a process that uses two steps to authenticate a user.

Rather than just asking for a single piece of information to verify a user, an additional step is added. Such as using a temporary identity token good for minutes, vs. a forever password, that is sent to a cell phone or from an authenticator and is required to access an account.

Often, a third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.


An abuse desk is a security operations (SOC) function at a Network provider, Telco, ISP, hosting, VPN, SaaS provider, or colocation provider responsible for preventing fraud and abuse from their user or subscriber network.

Responsibilities of an abuse desk:

  1. Managing the abuse reporting role or email addresses announced by their RIR for any ranges their network is responsible for
  2. Coordinate with customer service and legal teams to enforce terms of service and acceptable use policies
  3. Comply with DMCA and law enforcement to protect Safe Harbor.

An Abuse desk team includes individuals from various backgrounds, including security, legal, customer service, network, email, and system administrators.

Access control restricts access, meaning entering, using, or consuming.

This could be to a place or resource.

Access management describes the roles that have access, the process, and the process for limiting and granting access (e.g., locks and login credentials).

Access management is a set of software tools that allow you to manage an application securely.

Management interfaces and procedures are vital to any security barrier to prevent unauthorized access and alteration of your resource, application, and associated data.

Account credentials are personal codes, such as a username, password, and answers to security questions used to access an account or complete a transaction.

An advanced persistent threat (APT) is a threat actor, often a stealthy nation-state, a state-sponsored or criminal gang that gains unauthorized access to a computer network.

APTs remain undetected for an extended period.

Dwell times in managed networks such as government, defense, financial services, legal services, industrial, telecoms, consumer goods, and other targets in the Americas have been reported as long as two months, Europe 6 months, and Asia 9 months.

With extended periods of being embedded in networks, attackers can advance their attacks and are more successful at completing their intended exploit.

An Amplification Attack is a type of DDoS attack that uses various internet protocols to multiply the size of each request sent to overwhelm a network’s bandwidth.

These volumetric attacks create congestion by consuming all available bandwidth between the target and the Internet.

Since amplification is used, large amounts of data are sent to a target by amplification or another means of creating massive traffic, such as requests from a botnet.

Anti-phishing refers to security efforts to block phishing attacks.

Phishing is a cybercrime where attackers pose as trusted entities and contact individuals through email, text, or telephone and ask them to share sensitive information.

In a phishing attack, users are lured (phished) into providing account information, password, credit card information, bank account details, or other sensitive data.

In addition, the phishing attempt might include trying to get the target to click on a URL link to download malware.

Anycast routing uses a collection of servers that all share the same (or set of) IP addresses to send data from a source computer to the server that requested the data from a server that is the closest to the requestor.

Anycast cuts latency and bandwidth costs improve availability, and improves responsiveness for users.

An API is an interface in an application that allows other applications to communicate to the host application.

The host is described as “implementing” or “exposing” an API. APIs hide the details of an application, exposing structured input to the sections that a programmer will find useful.

Some APIs are built to standards; others are unique.

See webhook for more information.

An Application Layer Attack is a type of DDoS attack that works like a DoS flood attack on a larger scale.

Bots send a large amount of traffic at their target, crowding out other users trying to access the target server.  Attackers typically direct traffic at time-intensive endpoints, like requests that require large database queries or generate big files.

This type of attack uses light requests for the attacker but is bandwidth-intensive, so the target’s resources and network are quickly overwhelmed.

AM is the life-cycle process for software applications, including operating, maintenance, version control, and upgrades.

Some AM processes also include Application Lifecycle Management (ALM) and Application Performance Management (APM) features.

If you host a web application, you will often experience attacks via malformed SSL requests.

Attackers using SSL, tunnel their HTTP attacks to the server. Inspecting SSL encryption packets is resource-intensive, and traffic during an attack can vary widely.

Therefore, if you have a web-based business, you may offload SSL traffic to the ADP and have it inspected for signs of attacks or violations of policy.

After examination, the ADP will simply re-encrypt the traffic and loop back to the origin.

ARF is used for reporting unwanted emails by recipients, who use their “This is Spam” buttons.

These reports and the report stream they are contained within are called Feedback Loops (FBL).

A similar type of report format that is used to report more than just “This is Spam” is the X-ARF format, an extensible schema-based JSON reporting format.

The X-ARF format may be used to report many more types of network abuse, like phishing, port probes, ssh attacks, and more.

An ASN (autonomous system number) is a collection of connected Internet Protocol (IP) routing prefixes (IP Address CIDRs) under the control of one or more network operators for a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.

RIRs allocate ASNs.

An attack vector is a path by which an attacker or hacker uses or attempts to use to access a computer or network server to deliver a malicious payload.

Attack vectors allow hackers to exploit system vulnerabilities, as well as the human element.

An AUP is a set of rules that restrict how the network, website, or system may be used.

An AUP sets guidelines for how a network or service can be used and is part of a “terms of service agreement”.

The most important part of an AUP is the code of conduct that governs a user’s behavior while connected to the network, and what actions will be taken should the policy be violated.


Backscatter consists of incoming spam, caused by malicious entities forging email addresses for your domain. Backscatter occurs when a mail server accepts a forged message, that it subsequently refuses to deliver due to forgery.

This refusal, causes the receiving mail system to send a Delivery Service Notification (DSN) to the forged message Return-Path (your mail system). Backscatter may be avoided by rejecting these types of messages at the border of the MX.

Abusix Mail Intelligence includes a dataset that contains IP addresses of systems that have sent backscatter to our traps, which you can use to filter these messages.

Baiting is when cybercriminals lure a target into clicking on a URL, and then place a fraudulent offer, impersonation of a legitimate website, or malware at the end of the URL’s destination.

The URL could be contained in an email, returned by a web search, or included in an application popup; it could be anywhere.

Once you click on the URL, the offer, a fake login site, or malware (a virus, worm, Trojan, ransomware, or another program) is downloaded to your computer, giving cybercriminals access to your system.

Bayesian spam filters use lists of words or attributes to identify spam. These are called Bayes classifiers and are a statistical technique for email filtering.

BGP is the standardized protocol used to route data on the internet.

Similar to the postal service, when it encounters a new piece of data BPG determines the best available path among autonomous systems on the Internet to travel.

BGP Hijacking or Route Hijacking is the illegal takeover of ranges of IP addresses, by corrupting Internet Routing Tables used within the BGP (Border Gateway Protocol).

A hijacker will announce and reroute network traffic for smaller ranges of a network without authorization from the owner of those addresses.

By announcing smaller ranges than the ASN, the smaller range will take priority in routing over a larger network containing the range.

A blocklist (previously referred to as a blacklist) is a list of IP addresses, domains, URLs, or email addresses that are considered as unsafe and therefore are denied access.

The opposite is a whitelist. Blocklists may be used in various areas within security architecture, like; firewalls, DNS servers, directory servers, web proxies, authentication, and API gateways.

Bot herders are cybercriminals who use automated techniques to manage bots within a botnet.

Activities include scanning to find vulnerable systems missing security patches to exploit, ssh attacks to crack account passwords, executing DDoS attacks to flood systems or networks to either take them down or distract from other attacks, and more.

A botnet is a network of Internet-connected devices running bots to launch DDoS attacks, steal data, send spam, and gain access to the device and its connection. The owner can control the botnet with C&C software.

The term “botnet” is a combination of “robot” and “network,” often with a negative connotation.

An internet bot is a software application that performs automated tasks by running scripts over the internet.

Bots are used to perform simple, structurally repetitive tasks much more quickly than is humanly possible.

Spambots send spam, while others may execute commands from a bot master.

While most bots are harmless and crucial for making the internet valuable and useful, they can be malicious when used to create a botnet.

Configured as a network, bots in a “botnet” are internet-connected devices, and each has similar malware, which ultimately allows cybercriminals to control the infected devices or bots in a coordinated manner, creating a network.

Bots can be versatile, sending emails, crawling the web, and conducting SSH attacks.

A bounce message is an automated message from a receiving email system, informing the sender of an email that the message had not been delivered (or some other delivery problem occurred).

The original message is said to have “bounced”.

Brandjacking occurs when someone assumes the online identity of a person (usually famous) or a business’ brand.

The term was coined by MarkMonitor. In Brandjacking, the hijacker assumes a target’s identity on social media or buying domains.

Similar to cybersquatting, identity theft, and phishing in nature, Brandjacking usually is an attack that leverages a politician, celebrity, or business’ identity.

A Brandjacker may not only seek to leverage the known brand for financial gain but may instead seek to damage the reputation of its target for hostile, malicious, or for political reasons.

A browser hijacking often occurs when a web browser add-on changes a user’s browser settings to spoofed websites, capturing sensitive or private data.

Even if the malware is removed, the settings may default to the malware’s browser settings after every reboot.

The ways that a browser hijacking can interfere with a user include:

  • Causing browser instability, errors, and performance problems
  • Impacting browser
  • Blocking favorite or frequently visited sites or causing web queries to fail
  • Block data submission
  • Steal personal or sensitive information
  • Installing adware, keyloggers, or ransomware.

In a brute force session hijacking, the attacker guesses a session-id and uses it to steal the session.

Successful brute force session attacks are usually reflective of using repeat, short or easy-to-guess session keys and weak security.

A brute-force attack is an attempt to decrypt data by trying all possible passwords or keys.

Obfuscation makes these attacks less effective, and the strength of the encryption system is measured by how long it would take to mount an attack.

Passwords are particularly vulnerable to these attacks, as hackers can use computer algorithms to crack them.

A buffer overflow, or overrun, is an anomaly where a program writes data to a buffer beyond its boundary, overwriting adjacent memory.

Malformed inputs can trigger overflows and cause erratic behavior, memory access errors, incorrect results, and crashes.

Exploiting buffer overflows is a security exploit, allowing malicious code or data to be written and gain unlimited access to resources.

Bulk messaging involves sending large quantities of emails or SMS messages.


The Canadian Anti-Spam Legislation (CASL) is designed to protect Canadian consumers and businesses from the misuse of digital technology, such as spam and other electronic threats.

It also helps businesses remain competitive in the global digital marketplace.

For more information, click here.

A CAPTCHA is a challenge-response test used in computing to determine whether the user is human or bot.

The most common CAPTCHA requires a user to review a distorted graphic containing letters or numbers and enter those characters in a form field.

In software engineering, software configuration management (SCM) involves tracking and controlling changes in the software.

If something goes wrong, SCM is used to determine what was changed and who changed it.

A CIDR range is a method for identifying IP addresses by the network prefix and the allocated range of IP addresses within the defined range.

The size of the routing prefix of the address is designated by suffixing the address with the number of significant bits, e.g.,

Civil cases, more often than not involve a lawsuit between two private parties, that a Court of Law handles.

Examples of civil cases may include trademark infringement, copyright abuse, defamation, and libel proceedings, as well as other suits involving ownership of disputed material.

Clickbait is content online or within electronic messages with provocative or shocking headlines.

Its primary purpose is to drive traffic to a website.

Advertisers and cybercriminals often use it.

Clipboard hijacking occurs when a hacker gains control of a user’s computer clipboard application, often they use malicious flash banner ads to execute the hijack; which involves inserting text, often a link to a malicious website, into a user’s computer clipboard.

A CASB is a software between users and cloud services, monitoring activity, warning administrators of hazardous actions, and enforcing security policies.

CASB enforces policies that include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection, and prevention.

Cloud infrastructure includes all the hardware and software needed to support the delivery of cloud services to a customer.

Cloud security safeguards virtual info, data, apps, services, and infrastructure.

It employs policies, tech, apps, and controls to secure data and ensure a secure cloud environment.

Cloud services are computing services offered through the internet in a service-oriented architecture.

NIST defines the models as; Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Cloud services are the on-demand availability of computing services without managing the underlying hardware resources.

Large clouds are often distributed across several geographic locations, replicating processing and storage to prevent data loss due to environmental disasters.

Cloud storage refers to when data is stored on one or more servers and often in multiple geographic locations on the cloud.

Data stored in the cloud is segregated into logical pools and replicated to back it up and prevent data loss.

Cloud services are considered “community cloud services” when they use a shared cloud computing environment targeted to a limited set of organizations or individuals (e.g., ISPs, Telcos, Hosting providers, CISOs, abuse managers, etc.).

Compliance means conforming to a rule, specification, policy, standard, or law.

Organizations often keep data in secured storage to validate compliance.

Compliance software helps organizations manage their compliance data more efficiently.

The software to prove compliance may include data transfers, calculations, and audit trails.

Compromised accounts are those to which other individuals or cyber criminals have gained access.

These accounts can be vulnerable to harvesting personally identifiable information (PII) or being misused in attacks against others.

Additionally, compromised accounts can lead to computers becoming compromised as well.

A computer worm is malicious software that replicates itself and spreads to other computers across networks.

A content delivery network, or content distribution network, is a geographically distributed network of proxy servers and their data centers.

The goal is to provide high availability and performance by distributing the service spatially relative to end-users.

Copyright law is the right of a copyright owner to control the use of their work for a limited period. The copyrighted work must be an original work in a tangible medium of expression, like a book, music, video, photography, and others.

Typically a copyright owner is the person who creates the creative work.

For example, if you wrote a book or took a photograph, you would be the copyright owner. An employer may be the copyright owner if the content was created for the employer by an employee.

The copyrighted work is the intellectual property in written content like books, pamphlets, brochures, pictures, catalogs, promotional materials, instructional materials, posters, or visual and audio content (films, slides, photographs, advertising).

Copyrighted material may also contain original literary, artistic, software code or musical expression, or work subject to copyright protection.

Cross-site scripting (XSS) is a security vulnerability found in web apps.

Attackers can inject client-side scripts, bypass access controls, and cause various effects, from nuisance to security risk.

XSS accounted for 84% of all security vulnerabilities in 2007.

XXS attacks involve injecting malicious code into a vulnerable website, which is then delivered to the user’s browser and can disrupt services or steal info.

XSS attacks are the result of client-side scripts being injected into web pages viewed by users.

To execute the attack, cybercriminals often use a cross-site scripting vulnerability, like an insecure web plugin or the same-origin policy to bypass the website’s access controls.

XSS effects range from nuisances to a major security risk, depending on the sensitivity of the data handled by the website.

A cross-site scripting session hijacking is the result of a hijacker locating a vulnerability on the website or web server.

In a successful cross-site scripting attack, the attacker will inject malicious code into web pages.

The malicious code will allow the hijacker to see the user’s session key in a man-in-the-middle attack and then steal the session.

A cross-site scripting session hijacking results from a hijacker locating a vulnerability on the website or web server.

In a successful cross-site scripting attack, the attacker will inject malcode into web pages.

The malcode will allow the hijacker to see the user’s session key in a man-in-the-middle attack and then steal the session.

Cryptocurrency Hijackers mostly target individuals who have expressed an interest in cryptocurrency.

The attacker gets the target to unknowingly download malware which infects their computer and instructs the system to begin to mine (process the algorithms required) for cryptocurrency.

The impact on the affected computer’s performance is often low, but it can overtake the processing as well.

Cross-site request forgery (CSRF/XSRF), AKA one-click attack or session riding, is a malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.

It causes data leakage, a change of session state, or manipulation of an end user’s account.

Defenses include header, form, or cookie data. It can be used to make unwanted purchases, causing users to distrust an organization.

Cyber threats are attempts to damage or maliciously disrupt a computer network or system.

Cyberattacks are attempts to access, alter, or destroy data via unauthorized access.

They can target computer info systems, networks, or devices and can be used by individuals, groups, or states.

Depending on the context, they may be part of cyberwarfare or cyberterrorism.

Cyberattacks can range from spyware to destroying infrastructure and have become increasingly dangerous.

A Cyberattack is an offensive action that targets another computer or network to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent.

Cybersecurity involves active monitoring and protecting internet-connected network devices (e.g., hardware, software, programs, and data) from potential cyberattacks.

It also protects the integrity of networks and data from unauthorized access.

Cybersecurity is a subset of Information Security, while network security is a subset of cybersecurity.

Cybersquatting is the registration and use of domain names that are identical or similar to trademarks, service marks, company names, or names of individuals.

Cybersquatting is unauthorized by the legal owners of the identity, and registrants obtain and then use the domain name with the intent to profit from the brand equity built and legally owned by the legal trademark owner.


The Dark Web is part of the deep web.

The Dark Web is web content on darknets, networks that use the Internet but require specific software, configurations, or authorization to access.

Darknets include peer-to-peer networks, Tor (dot) online or Onionland, Freenet, I2P, and Riffle.

Users and private networks communicate and conduct business through the dark web using personal and traffic anonymization.

Dark web users often refer to the surface web and deep web (non-dark web content) as “clearnet” due to the lack of anonymity of its traffic.

A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak, information leakage, and data spill.

Data loss occurs when natural disasters, data storage hardware, transmission, or processing failures destroy information.

Additionally, data loss can occur if a data breach occurs and the data is stolen or erased by an attacker.

Backup and disaster recovery equipment and processes are necessary to restore lost data.

Otherwise, data loss can severely impact business operations.

Data masking is the process of hiding or obfuscating PII or sensitive data so that it does not have value to unauthorized personnel or network intruders.

Typical uses are protecting PII or sensitive data in the data field, such as hiding or obfuscating credit card numbers in a customer service application.

Data unavailability occurs when network outages occur. Data unavailability is a temporary condition.

Perpetrators seek to make a machine or network resource unavailable to its intended users by disrupting services.

Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests, overloading systems, and preventing legitimate requests from being fulfilled.

A single-machine DoS attack is uncommon nowadays. Instead, DDoS (distributed denial-of-service) attacks from multiple computers across the web have become more common, sometimes involving hundreds or thousands of systems.

Criminals launch DDoS attacks to target high-profile web servers, such as banks, for reasons like revenge or blackmail.

By sending too many requests, the hacker makes it impossible for the server to process legit requests, causing the website to slow or shut down, like a business closing its doors.

DDoS mitigation is a set of network management techniques and/or tools for resisting or mitigating the impact of distributed denial-of-service attacks on networks attached to the Internet by protecting the target and relay networks.

The deep web is internet content that standard web search engines do not index, in contrast to the surface web, which is indexed.

Content in the deep web is not public and therefore non-indexable by search engines.

The pages are hidden behind login forms, require registration, and are paywalled and not connected to any indexable page.

DID is a security and military strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space.

A DISK URL blocklist lists Online file storage URLs observed in the message body of spam sent to our primary traps.

This list compliments our domain blocklist since file storage services like Google Drive and Yandex Disk have become a common way for spam to avoid IP and domain blacklisting by hiding behind these services.

Additionally, these services are usually very poor at handling abuse of their services. Since it is not possible to represent a full URL in a DNS query and thus a DNSBL, URLs are first normalized, then SHA-1 hashed. The hash value is then used for lookup instead of the URL.

DKIM is an email authentication method designed to detect messages modified in transit, MITM attacks, and other phishing and email spam techniques.

For more information, click here.

DLs are formal languages designed to provide a structured description of a RESTful web API useful to humans and automated machine processing.

DLs are then incorporated into descriptive documentation for human programmers.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to protect domains from malicious spoofs, BECs, phishing emails, email scams, and other cyber threats. 

Domain owners gain control, allowing them to block malicious spoofs and take legal action. See this page for more info.

DMCA (aka The Digital Millennium Copyright Act)  is a 1998 United States copyright law that implements two 1996 World Intellectual Property Organization treaties.

It criminalizes the production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works.

A copyright infringement notice is the result of a computer identified as engaged in an illegal transfer of copyrighted content (e.g.: music, videos, photography, or some other type of intellectual property).

The notice is sent to the ISP hosting the IP address of the computer identified in the transfer, identifying the particular infringement and the associated IP address. Legitimate notices will only come from a user’s own ISP.

The Domain Name System (DNS) is a hierarchical naming system for computers, services, and other resources connected to the Internet.

It translates names to numerical IP addresses, providing a distributed directory service that has been used since the 1980s.

DNS is critical for locating and identifying computer services and devices.

DNS cache is the temporary storage of DNS lookups by a system or web browser.

A local copy of a relevant DNS lookup speeds up retrieving an IP address so that a URL can be resolved and a web page can be retrieved much quicker.

DNS hijacking occurs when a hacker redirects all user web traffic, using a rogue DNS server, to a fake spoofed website at another IP address.

Users of a website experiencing a DNS hijacking attack are often unaware that they have arrived at a spoof of the site they intended to visit.

The unaware redirection often leads to the web user divulging either sensitive or personal information.

A DNS query is a demand for information sent to a server.

In most cases, a DNS request is sent to ask for the IP address associated with a domain name, but in the case of an email blocklist, the query could be a request for information about an element found in an email, such as an IP address, domain, URL, email address, file, etc.

Additionally, the request might be in the form of a hash of the element.

When you type a domain, like, into your browser’s address bar, your browser makes a call answered by a DNS server about the physical location or IP address where that domain is located.

A DNS TXT record is a text file added to the DNS which contains things like; the list of authorized sending hosts and IP addresses for a domain as in the case of SPF, and instructions on where to return emails violating DMARC.

DNS TXT records are also used for other purposes as well, these are just a few of the email example use cases.

A DNSBL (Domain Name System Blackhole List, Domain Name System Blacklist, RBL, Real-time Blackhole list) is a hosted list that uses DNS as the mechanism for a database lookup to a reputation provider (the host of the DNSBL, either as a blocklist or allow list), such as Abusix Mail Intelligence, to determine the trustworthiness of an IP, domain name, and hashed value (like a URL or file).

DNSBL functions and operations are defined by RFC5782.

DNSBLs may return DNS A or TXT records, with the TXT record usually displaying text as part of SMTP error text.

Multiple A records can be returned but must be in the range, excluding and

The range can signify individual lists within an aggregated list or multiple smaller data sets.

Return codes for Abusix Mail Intelligence lists are in our documentation here.

A DNSRBL (Domain Name System Blackhole List, Domain Name System Blacklist, RBL, Real-time Blackhole list) is a hosted real-time list that uses DNS as the mechanism for a database lookup to determine the trustworthiness of an IP, domain name, a URL, email address or file.

The functions and operations of DNSRBLs are defined by RFC5782.

DNSSEC is a suite of IETF specs for securing DNS info on IP networks.

It provides origin authentication, denial of existence, and data integrity but not availability or confidentiality.

A domain blocklist will contain domains and IP addresses found in the message body of spam received to primary traps.

In addition, short URL links found in spam are followed and any intermediate or destination domains are also listed in this list.

Domain hijacking occurs when the ownership or control of a domain is transferred from its rightful owner to another party.

The most common domain hijacking is executed through a fraudulent change, in domain ownership or registrar transfer request, frequently in the form of an elaborate phishing campaign.

DoS attack (aka denial-of-service attack) is a cyber-attack.

The attacker seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the internet.

Denial of service is typically accomplished by flooding the targeted machine or resource with many requests intended to overload systems and prevent some or all legitimate requests from being fulfilled.

A double opt-in (aka COI, Confirmed Opt-in) occurs when a user signs up and is sent an email that includes a link to click and confirm the subscription.

By using a double opt-in confirmation method, the chance of spam addresses being signed up is significantly reduced.

DSN (aka “Delivery Service Notification” or “bounce” message)

Once a mail server has accepted a message for delivery and cannot deliver the message to its final destination, it MUST generate a non-delivery report DSN to notify the sender that the message could not be delivered.

This can cause problems when a mail server accepts forged messages – see also backscatter.

DHCP is a network protocol that assigns IP addresses and parameters to devices via client-server architecture, eliminating manual configuration.

It supports IPv4 and IPv6 (DHCPv6).


An email account is simply a user account that can send and receive emails. The account is assigned one or more email addresses that consist of a “user address + @ + domain name.” All email addresses are unique.

An email address identifies an email destination to which messages are delivered.

While early messaging systems used various formats for addressing, today, email addresses follow a set of specific rules standardized by RFC 5322.

Email appending is a practice that involves taking available customer data (first name, last name, and postal address) and matching it against a vendor’s database to obtain email addresses.

The purpose is to grow an email subscriber list to send customers information via email instead of traditional mail.

Email appending is a controversial practice in the email marketing world. The “Messaging Anti-Abuse Working Group” (M3AAWG) released a position paper stating the practice of email appending is a direct violation of M3AAWG values as an abusive practice.

An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message and sent to the recipient.

Email authentication is used to vet sending domains and prevent spoofing and phishing using your brand.

It also reduces the risk of emails ending in spam folders for legitimate marketers.

Email marketing is sending a commercial message to a group of people using email. Every email sent to a potential, or current customer could be considered email marketing in its broadest sense. It involves using email to send advertisements, request business, or solicit sales or donations. 

An email server (aka mail server, mail exchanger, MX host, Mail Transfer Agent, MTA, and Mail Delivery Agent, MDA)  is a software that transfers electronic mail messages from one computer to another using the SMTP protocol.

An ESP (aka email service provider) is a company that provides email marketing or bulk email service infrastructure to send messages.

Typically an ESP provides the infrastructure to send the messages, offers templates and statistics for each message sent, handles unsubscribed, and monitors engagement for each list subscriber.

Common threats to email systems include the following: Malware. Increasingly, attackers are taking advantage of email to deliver various attacks to organizations through malware or malicious software, which contain viruses, worms, Trojan horses, and spyware.

Encryption is the process of encoding data. Encryption is accomplished using an algorithm and a set of keys, including public and symmetric keys.

Running the data through the algorithm with the keys in place transforms the data, originally in some sort of text format, into unreadable ciphertext.

Converting the data back into text format reverses the encoding formula.

The purpose of encryption is to protect the data from unauthorized parties.

An encryption key is usually a string of numbers or letters that encode or decode data when used with an algorithm.

The algorithm, the generation, length and complexity, security of both the key and key exchange all impact the effectiveness of the data encryption.

An exploit is the next step for an attacker after finding a vulnerability in a network, systems, software, processes, or people.

Exploits are where a vulnerability is leveraged for malicious activity by cybercriminals using malware, sequences of commands, or fraudulent offers or claims.

An exploit IP blocklist is a blocklist that contains IP addresses that have been observed to behave in certain ways that a genuine SMTP client never would.

IP addresses found on this list will either be compromised, botnet/virus-infected, proxies, VPNs, TOR exit nodes, or IPs that are NAT’ing for these hosts.

For more see Abusix Mail Intelligence Exploit IP List.


A False-Negative (FN) is a spam message but is incorrectly seen as a regular email.

Incoming False negatives are messages that come through our system that pass our anti-spam filtering. This annoyance to end-users should be reported to ensure that the message(s) are not seen again.

A False-Positive is a message that is not spam but is incorrectly being blocked as spam.

These messages could be inbound or outbound. Depending on the setup, the user and/or admin will be notified when an outbound message is quarantined.

A feedback loop is a way for mailbox providers to send complaints from their users to the sending organization.

This can be done via the use of a “This is Spam (TIS)” button or manually via a helpdesk.

Feedback loops send reports in MARF format and are usually opt-in services. Not all mailbox providers offer FBLs.

Firewalls are found on Layer 3 of the TCP/IP model.

A firewall establishes a barrier between a trusted network and an untrusted network, such as the Internet, by monitoring and controlling the flow of incoming and outgoing traffic based on security rules.


Governance is how rules, norms, and actions are structured, sustained, regulated, and held accountable within a social system, like territories, marketplaces, formal and informal organizations, groups of people, social networks, families, and computer networks.

Greylisting is a method of defending e-mail users against spam.

A mail transfer agent (MTA) using greylisting may “temporarily reject” any email from a sender it does not recognize.

If the mail is legitimate, the originating server will try again after a delay, and if sufficient time has elapsed, the email will be accepted.


Hacktivism is hacking, as a form of civil disobedience, to promote a political agenda or social change. Hacktivism’s roots are in the free speech, human rights, or freedom of information movements.

Well-known hacktivists include the Anonymous movement and WikiLeaks but may include an individual.

Often movements are groups of individuals working toward common goals without a single authority figure.

Hacktivism can be used for good and criminal, malicious and destructive purposes, undermining the internet’s social construct.

Hailstorm spam is a spam technique that is used to evade anti-spam mechanisms that are not fast enough to react as the campaigns are short.

The Abusix Mail Intelligence “Policy IP list” and “Newly Observed IP list” lists are helpful to prevent hailstorm spam, as in greylisting.

A hashbuster is random data inserted into a message to make it look unique to hashing algorithms or Bayesian training systems to evade detection.

An HMAC is a message authentication code (MAC) that includes a cryptographic hash function and a secret cryptographic key.

A MAC can simultaneously verify its integrity and authenticity.

HTTP Auth is the basic authentication method for an HTTP user agent (e.g., a web browser) to provide a username and password when making a request.

Request credentials are Base64 encoded ID and password pairs joined by a single colon.

A hybrid cloud is a network composed of private, public, and community cloud services, potentially from different providers.

While each entity is distinct, they are bound together and extend the capacity or capability of service through aggregation, enrichment, process management, and integration.

It should be noted that architecturally, while there are few differences between public-cloud, community-cloud, and private-cloud services, micro-segmentation and security concerns naturally increase when multiple organizations share applications, storage, and other resources.


ICMP is a supporting protocol used by network devices to send error messages and operational information indicating success or failure to other devices involved in a traffic exchange (e.g., service or host is not available).

ICMP is not a transport protocol like TCP and UDP used to exchange data, nor is it used by end-users except when performing network diagnostics like ping and traceroute.

Identity and access management systems identify, authenticate, and control access for individuals who use application resources including in some cases hardware.

Identity theft occurs when someone acquires and then uses another person’s personal identifying information (PII) without their permission to commit fraud.

PII includes a person’s name, date of birth, social security number, driver’s license number, bank account, credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access personal resources, such as financial resources.

Information Security (InfoSec) provides the foundation for data security, ensuring that physical and digital data is protected from unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction.

Information security keeps data in any form, physical or digital, secure, whereas cyber security protects only digital data.

An information security policy is a set of rules and guidelines that govern how information technology assets and resources in an organization should be used, managed, and protected.

The policy applies to all networks, systems, users, and data in an organization.

NIST defines IaaS cloud computing as: “Where a consumer can deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”

IaaS vendors offer online services that provide high-level APIs to their customers to manage and control the computing resources, location, data partitioning, scaling, security, backup, etc.

Additionally, IaaS clouds often offer a virtual-machine disk-image library, raw block storage, file or object storage, firewalls, load balancers, IP addresses, virtual local area networks (VLANs), and software bundles.

Internal networks (Local Area Network) refer to the internal network of IP addresses.

Conversely, an external network (aka a public or wide area network) refers to the external network IP addresses.

An Internet Exchange Point (IXP) is where data between network operators is exchanged.

ISAT is the training that organizations provide their employees to create awareness of information security management within their environment.

When employees are well trained and feel empowered, they can better protect themselves and sensitive data.

The training should target specific user roles that expose organizations to increased risk levels with specialized courses.

Organizations that need to comply with government regulations (e.g., Gramm–Leach–Bliley Act [GLBA], the Payment Card Industry Data Security Standard [PCI], Health Insurance Portability and Accountability Act [HIPPA], Sarbox) are required by contract to provide formal ISAT annually for all employees.

IDS are found on Layer 2 of the TCP/IP model.

An IDS is designed to monitor a network in real-time, identify potential threats for malicious activity or policy violations, identify potential threats early, and notify the IPS for handling and SIEM for Cyber Security logging and monitoring.

IPS are found on Layer 2 of the TCP/IP model.

An IPS is designed to take the information reported by the IDS and cross-check it for similar reported activity (e.g., check a blocklist or allow list) and action the potential threat by applying policy rules and blocking, allowing, or rate-limiting traffic from the source.

IoT devices connect to the internet, typically via wireless networks, and include embedded systems, wireless sensors, home and building automation (including smart home, devices and appliances like; lighting, thermostats, security cameras, home appliances, and more).

The devices are controlled using smartphones and smart speakers.

An IP address (Internet Protocol Address)  is a numerical label assigned to each device connected to a computer network that uses the internet protocol for communication.

IP Blockers are applications that hide your IP address, the most famous of which is TOR, but there are many others.

An IP blocklist is a list that contains the IP addresses of hosts that have sent emails to our primary traps (only our trap domains that have never been used for genuine mail or had been rejecting all mail for >1 year) along with some manual network entries that we maintain.

Common causes for an IP address being listed here include compromised accounts, infected hosts, botnets, spam gangs, purchased email address lists, poor sign-up processes, bad web forms, open proxies, TOR exit nodes, and VPNs.

For more information, see How to Check Whether Your IP Address is Blocklisted.

IP Hijacking is where ranges of IP addresses not currently in use by their owner are stolen and used for criminal activity.

This exploits some weaknesses in the Border Gateway Protocol (BGP), which designate paths for routed data packets and redirect the addresses to the criminal.


IPv4 defines an IP address as a 32-bit number.

IP addresses are written and displayed in a human-readable format as

Due to a reduction in the supply of IPv4 addresses, a new version of IPv6 that uses a 128-bit number was developed and has been used in addition to IPv4 since the mid-2000s.

IPv6 defines an IP address as a 128-bit number.

IP addresses are written and displayed in a human-readable format as 2001:db8:0:1234:0:567:8:1.

ISO/IEC 27002 is an information security standard published by the ISO and IEC titled “Information technology – Security techniques – Code of Practice for information security controls.”

It provides best practice recommendations on information security controls for those responsible for initiating, implementing, or maintaining information security management systems (ISMS).

More information here.

In an IXP hijacking, the Network Operator establishes a “peering” connection between their ASN and a target ASN and announces hijacked ranges through the exchange.

Since IXPs often do not monitor their exchanges for network abuse, it often takes a long time to address problems, if at all.


The physical layer in the TCI/P model contains all the functions needed to carry the bitstream over a physical medium to another system.

For example: the data center connected to the internet.

The data link layer in the Open Systems Interconnection model (OSI model) organizes the bitstream into a data unit called a “frame” and delivers the frame to an adjacent system.

For example: IDS, firewalls, etc.

The network layer in the Open Systems Interconnection model (OSI model) (TCI/P model) delivers packet data from source to destinations at non-adjacent systems.

The transport layer in the TCI/P model delivers process-to-process information.

The application layer in the TCI/P model presents users with interfaces and the data or any other information that the user requires.

Law enforcement organizations are the governmental agencies responsible for enforcing laws, maintaining public order, and managing public safety.

The primary duties of law enforcement include the investigation, apprehension, and detention of individuals suspected of criminal offenses.

LEO Cases are information requests related to ongoing criminal cases.

A State or Federal prosecutor is trying the case, pursuing criminal charges against an individual, company, or entity for a felony or misdemeanor.

List washing is where bad email addresses are removed from a mailing list that was not built using confirmed opt-in (COI) to clean it up.


A mailbox provider, or mail service provider, is a company that provides email hosting. They implement email servers to send, receive, accept, and store emails for other organizations or end users. Another similar term “email service provider” describes a company hosting a marketing bulk email sending service, but not mailboxes for individual users.


Malicious activities are external threats to your network performed by cybercriminals that infiltrate your system to steal information, sabotage your operations, or damage your hardware or software.

Malware (aka malicious software)  is any software intentionally designed to cause damage to a computer, server, client, or computer network.

File types include computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper, and scareware.

A malware session hijacking occurs when the hijacker tricks a user into clicking on a link that installs malware on their device.

The malware then looks for a session cookie on the user’s device and sends it to the hijacker who can then steal the session.

“Too many concurrent SMTP connections; please try again later.” means the server you’re sending through is busy, and you probably don’t have SMTP authentication enabled.

MFA (like 2FA) is a process that uses two or more steps in authenticating a user.

These factors include knowledge (something only the user knows), possession (something only the user has), and inheritance (something only the user can become, e.g., a user within a specific network range).

Micro-segmentation allows security architects to logically divide data centers into distinct security segments, down to individual workload levels.

The security architect then defines security controls and delivers services for each segment.

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.

Mirai is malware that turns Linux devices, primarily cameras and routers, into bots.

Mirai is one of the largest and most disruptive botnets used to conduct some of the largest DDoS attacks in recent history.

A MITM attack is a cyberattack where a cybercriminal secretly inserts themselves in the middle of a data stream, relaying data between two parties and listening and possibly altering the communications.

The attacker may simply spy on the private conversation intercepting sensitive information, altering messages, or inserting new ones.

Properly certificated, authenticated, and TLS encrypted communications are required to prevent MITM attacks.

Software multi-instance is a software architecture where each tenant uses a separate software instance.

Software multi-tenancy is a software architecture common in cloud computing, in which a single instance of the software is used to serve multiple tenants.

Multi-tenant software is designed to provide every tenant (group of users, e.g., organization) a dedicated share of the instance, including; its unique data set, configuration, user management, and tenant functionality.

An MX is a server responsible for email for a given domain defined by an MX record in DNS.

See email server.


A network is a system of connected nodes or stations to permit data communication between devices, using various channels or methods (telemetry, text, audio, video, etc.).

Network devices (aka network hardware or network equipment) are electronic devices required for communication and interaction between devices on a computer network. Specifically, they mediate data transmission in a computer network.

Network hijacking is the unauthorized use of groups of IP addresses, known as ranges.

Network hijacking includes IP hijacking, prefix hijacking, BGP hijacking, or route hijacking.

Network security is a subset of cyber security.

The job of network security is to make your network more secure by providing technical expertise for network devices and security systems like firewalls and intrusion detection systems and protocols that apply encryption and digital certificates.

Network traffic is the amount of data or network packets moving across a network at a given point in time.

It’s also the main component for network traffic measurement, network traffic control, and simulation.

Network traffic analysis provides one of the components essential to network security.

Unusual traffic is an indicator of an attack. Thus, Network traffic reports help inform how network security might configure firewalls, IDS, IPS, and other systems to prevent recurring attacks from being successful in the future.

A network consists of many nodes, or stations, to allow data communication using various channels or methods (telemetry, text, audio, video, etc).

A newly observed domain blocklist is built using a Passive DNS sensor network and is not reliant on any data from WHOIS allowing it to work across every TLD and ccTLD.

This also means that a domain could have been registered months previously but not used for email until now.

The list contains all of the newly observed domains identified within the last 25 hours, with each domain wildcarded. Being on the list does not mean the domain is bad, but knowing a domain is new can be useful for other things like scoring or meta-rules like greylisting or sending a temp fail.


For more, see Abusix Mail Intelligence Newly-Observed Domains.

A newly observed IP blocklist is built by storing every IP address that has sent SMTP traffic to our traps or to our partners over the last 30 days.

Any new IPs found in the list that has not been seen previously are listed for 25 hours.

An IP address on this list doesn’t necessarily mean that the IP address is bad, but this is useful for scoring and meta-rules, especially when combined with other data and greylisting or sending a temp fail.


For more see Abusix Mail Intelligence Newly-Observed IP List.

An NGFW is a deep-packet inspection firewall that not only performs port/protocol inspection and blocking but also:

  • includes application inspection intrusion prevention
  • adds the capacity for additional external source information from cloud-based threat intelligence sources.

The number of connections refers to limits on the number of messages and connections that an email server can process. The rate considers message processing rates, SMTP connection, and SMTP session timeout. The limits work together to protect an email server from being overwhelmed by accepting and delivering messages.


The Microsoft Office 365 suite is a hosted, online version of the traditional installed version of Microsoft Office software. This online service is subscription-based and includes Office, Exchange Online, SharePoint Online, Lync Online, and Microsoft Office Web Apps.

An open mail relay is a Simple Mail Transfer Protocol (SMTP) server configured so that anyone on the internet can send email through it, not just mail destined to or originating from known users. Open relays are exploited by spammers and worms and blocklisted.

Open source is software or source code freely available for possible modification and redistribution of the source code, documentation, or product.

Open source code gets released under a software license often on sites like GitHub, and depending on the license terms, others may download, modify, and publish their version (fork) back to the community.


The movement began to respond to closed, non-interoperable, proprietary code; by encouraging open collaboration.

It is a model used across a wide range of disciplines outside of software, like drug discovery.

The OSI model is a seven-layer networking model that describes the communication functions of a telecommunication or computing system to promote interoperability communication protocols.


Each intermediate layer serves functionality to the layer above it and is served by the layer below it.


Page hijacking occurs when a hacker uses a cross-site scripting attack to insert malware on the target webpage, to redirect traffic for the page, to another webpage, normally on another website, which spoofs the content of the hacked page.

A penetration test is an authorized simulated cyberattack on a computer system performed to evaluate the system’s security.


A PEN test is performed to identify weaknesses (also known as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.

Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artifacts, including application content or protocol metadata such as headers.

Active or passive wiretaps and traffic analysis (e.g., correlation, timing, or measuring packet sizes) or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring.

PM is distinguished by being indiscriminate and very large scale rather than by introducing new types of technical compromise.

The IETF community’s technical assessment is that PM is an attack on the privacy of Internet users and organizations. The IETF community has strongly agreed that PM is an attack that needs to be mitigated where possible.”


See more here

Pharming is derived from the words “farming” and phishing” and is a cyberattack intended to redirect a website’s traffic to another, fake site through the installation of malware.

Pharming occurs when the malware either changes the hosts’ file on a victim’s computer, or web server or by exploiting a vulnerability in DNS server software.

Phishing is a social engineering attack wherein a fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, and credit card details, disguising oneself as a trustworthy entity. Additionally, a phishing attack may be designed to get the target to download malicious software unintentionally. 

A phishing site (website) is often a “spoofed” or “copycat” site of a legitimate brand’s website.

The fake site intends to trick you into providing sensitive business, personal information like a credit card or login credentials to the fake site.

Don’t be fooled by a site that initially looks real; be careful at all times with every internet transaction you make.

PII (aka Personally identifiable information, Personal Data, Personal Information) is defined as any data or information that permits an individual’s identity to whom the information applies.

This information may be in the paper, electronic, or other media and may include text, photographic, DNA, or additional related information.

A ping is a commonly used ICMP diagnostic for determining network packet loss and throughput issues.


The ping flood attack is used for DDoS attacks, where the attacker overwhelms the victim with ping packets.

Rate limiting ping requests and effective security control requiring user IP addresses to be privileged is good controls against this type of attack.

NIST defines PaaS cloud computing as: “The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.”


PaaS vendors offer a toolkit and standards for development and channels for distribution and payment.

The computing platform typically includes an operating system, programming-language execution environment, database, and web server.

Application developers develop and run their software on the cloud platform.

Some PaaS solutions automatically scale computing and storage resources to match demand so that administrators do not have to allocate the additional resources required manually.

An email “Policy” blocklist list all IP addresses that should not be connecting directly to external SMTP servers, but should instead be using their ISP or mail providers’ smart host to relay messages using some form of SMTP authentication.

The list is also designed to preemptively list any IP address that does not appear to be suitable for use with an SMTP server to catch newly compromised hosts, hijacked IP space, etc. immediately without requiring trap hits for listings.

For more see Abusix Mail Intelligence – Policy IP List.

Responsibilities of a postmaster typically include management of email server network security, cyber security, and related procedures, as well as the enforcement of the organization’s authorized use policy.

The practice of protecting means to defend, protect, shield, guard, safeguard means to keep secure from danger or against attack. Defend denotes warding off an actual or threatened attack. Defending the country’s protection implies using something (such as a covering) as a bar for the admission or impact of what may be attacked or injured.

Pretexting is where a cybercriminal impersonates an authority figure or someone the employee or customer would easily trust to get their personal information.

A Pretexting Attack is where a cybercriminal impersonates an authority figure or someone the employee or customer would easily trust (e.g., have a pretext to act) and provides personal or sensitive information.

Privacy is the right and ability of an individual or group to seclude themselves or information about themselves.

Thus the right to privacy is the freedom from interference or intrusion.


In computing, information privacy is the right of the user to control how their personal information is collected and used by an application or organization.

Cloud services are considered “private cloud services” when operated solely for a single organization.

Private cloud services may be hosted directly by an organization or externally by a third party; additionally, they may be managed directly by an organization or a third party.

Protected data means any non-public business or personal data possessed or controlled by either of the individual or companies in their business.

The data is not employee personal data, but data associated with a specific person, entity, or person, maintained by the sellers confidential.

The data may include credit card information, taxpayer identification or social security number, or other non-public identifying or sensitive information.

This data also consists of any information protected under any relevant data privacy law.

A Protocol Attack is a type of DDoS attack which targets how internet protocols facilitate how computers communicate over the internet and aim to exhaust server or firewall resources.

Protocol attacks are designed to eat up the processing capacity of network infrastructure resources like servers, firewalls, and load balancers by targeting Network Layer 3 and Layer 4 with malicious connection requests.

Cloud services are considered “public cloud services” when the services are delivered over the public Internet.

Most public cloud providers offer direct-connection services that allow customers to link their legacy data centers to their cloud-resident applications securely.

Punitive IP or range blocklisting is the blocklisting of addresses in a similar range that do not exhibit abusive behavior but are in the same neighborhood as an abusive address.

The purpose of punitive blocklisting is to get the attention of a network owner and not security.


Quid pro quo is when a cybercriminal requests personal information for a reward, i.e., money, a gift, or a free service.

Quid pro quo’s are not unusual; more and more cybercriminals use free apps or software as a trojan horse to further an exploit.


Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless the victim pays a ransom.

Rate-limiting is a strategy for limiting network traffic. It puts a cap on how often someone can repeat an action within a certain timeframe – for instance, trying to log in to an account.

Rate-limiting can help stop certain kinds of malicious bot activity. It can also reduce strain on web servers. However, rate-limiting is not a complete solution for managing bot activity.

Real-time Blackhole List, see DNSBL.

Registration Data Access Protocol is a protocol designed as a successor to the WHOIS protocol.

It is used to look up relevant registration data from such internet resources as domain names, IP addresses, and autonomous system numbers.

A registered trademark symbol ® provides notice that the preceding word or symbol is legally registered with a national trademark office.

Trademarks are symbols or words that are legally established as representing an organization or a product or service and ensure the owner’s legal rights and are critical when defending an organization against fraud in a court of law.

Regulatory compliance is an organization’s compliance with relevant laws, policies, and regulations.

Regulations and accrediting organizations include; PCI-DSS and GLBA in the financial industry and HIPAA in healthcare. Compliance frameworks, like COBIT and standards, like NIST help guide compliance regulations.

A Request for Preservation of information sent by law enforcement to a network operator is designed to prevent the destruction of data, with the express intent to serve a Subpoena later to obtain the preserved data.

REST is a software design used to exchange data in well-defined formats to increase interoperability.

Using this approach, client-server data exchange allows for more robust and flexible servers, allowing fluid data inputs.

RAML is a YAML-based language for describing REST APIs.

RAML by design encourages reuse, enables discovery and pattern-sharing, and aims for best practice standards.

RSDL is a machine- and human-readable XML description of HTTP web applications.

RSDL provides documentation for the resource(s), the relationships between the resources, operations, and the parameters that must be supplied and required.

Ultimately, RSDL’s goal is to simplify the reuse of REST services beyond their use in a web browser, extending their use to other websites or machines.

Reverse domain name hijacking (RDNH) is the legal countermeasure to brandjacking and occurs when a rightful trademark owner attempts to claim a domain by making a cybersquatting claim against a domain name’s owner.

RDNH is often used by larger corporations and famous individuals to defend their trademark and prevent libel or slander.

A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers.

Roles accounts are generic email addresses configured for network management and include; info@, support@, abuse@, postmaster@, webmaster@,…

See RFC2142 for more information.


A safe harbor is a legal provision that eliminates legal or regulatory liability in certain situations, provided that certain conditions are met.

In the case of DMCA, to incentivize the cooperation by service providers to participate in the DMCA notice and takedown process, service providers that took certain steps to educate their users, cooperate with copyright owners, remove repeat infringers from their sites were granted immunity from possible copyright infringement liability. This is referred to as the DMCA Safe Harbor.

For more information see here.

Superseded and replaced by Transport Layer Security (TLS)

A security breach is any security incident that results in unauthorized access to networks, devices, applications, or data.

SIRP involves monitoring and detecting security events on a network or system and executing a series of appropriate responses to those events.

A SIEM system is a Cyber Security monitoring solution in which any intrusion activity or violation is collected centrally for a managed network.

SIEM systems combine activity from many logging sources in an enterprise and thus differentiate between false alarms and threats.

Upon finding threats, the SIEM solution will alert administrators.

Security measures refer to the steps taken to prevent or minimize criminal acts, espionage, terrorism, or sabotage.

Security solutions refer to the tools that a company deploys to protect against unauthorized or criminal use of electronic data. Cyber security services are the overarching processes to achieve this security and protect against common cyber threats.

A Security Vulnerability is a weakness, flaw, or error found within a network, a system, its software, security processes, or people that have the potential to be leveraged by a cybercriminal to compromise a network.

Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.

If disclosed to others, sensitive information can provide an advantage to adversaries. Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, a business, or nation, depending on the information released.

An SLA is a software service agreement that covers the expectations of quality, availability, and responsibilities between the service and the user.

The SLA often contains data rates, throughput, jitter, or other measurable attributes of service, as well as the party responsible for reporting quality or service failures.

It will also contain a definition for mean time between failures (MTBF), mean time to repair, or mean time to recovery (MTTR).

In a session fixation hijacking, the hijacker will send a user a link containing a session-id created by themselves, that is the hijacker fixes an anticipated session-id.

An example might be fixing a session-id within an advertisement and asking the user to log in, using that fake session-id contained in the link, allowing the hijacker inside.

A session hijacking attack occurs when an attacker either guesses, confiscates, or gets a user to click through on a URL with a session-id the hijacker created, and then gains unauthorized access to the target web server.

A session key is a single-use symmetric key used to encrypt messages.

Session keys should be designed to prevent an attacker’s easy prediction or reuse of a key.

Asymmetric algorithms to encrypt the key, like what is used by PGP and GPG, are best.

A session side jacking occurs when a hijacker has access to the user’s network traffic via a man-in-the-middle wi-fi attack.

Using packet sniffing the man-in-the-middle can search for session-ids and then hijack or steal the session.

A URL is a web address, and a short URL is simply a shorter version of that web address.

A Short URL blocklist, lists URLs observed in the message body of spam sent to our primary traps.

The list compliments the domain blacklist since Short URLs have become a common way for spam to avoid domain blacklisting by hiding behind URL shortening services since it is not possible to list some Short URL domains (e.g. bitly) without causing significant false positives.

Additionally, shortening services are usually very poor at handling abuse of their services. Since it is not possible to represent a full URL in a DNS query, and thus a DNSBL, short URLs are first normalized, then SHA-1 hashed.

The hash value is then used for lookup instead of the URL.

For more see Abusix Mail Intelligence – Short URL Hash List.

A session ID is a unique number a server assigns to clients accessing the server to track user activity during a session.

According to the SBA (US Small Business Administration), a small business is a business with fewer than 1,500 employees and a maximum of $38.5 million in average annual receipts.

Text message phishing is a communications channel that is sometimes used for phishing attempts.

This type of phishing is also known as “smishing,” and it is like email phishing. It is sent via SMS / text messages for the phishing message designed to deceive victims.

SMTP (Simple Mail Transfer Protocol) is an internet standard communication protocol for electronic mail transmission.

See RFC788 for more information.

SMTP AUTH is an extension of SMTP, whereby a client can log in using any authentication mechanism supported by the server.

See RFC4409 for more information.

An SMTP Auth Blocklist is a subset of an exploit zone, listing only IP addresses of hosts which have been observed behaving as exploited members of botnets, proxies, VPNs, TOR exit nodes, and hosts that have been attempting to authenticate to our honeypots acting maliciously within the last 12 hours.

The list is used to identify account compromises and to block exploited hosts from authenticating with your services running on HTTP, IMAP, SMTP, SSH, etc., to prevent dictionary or brute force attacks or logging into services with phished credentials, etc. The listing time for this list is shorter than our other lists, to avoid false positives with IP addresses that might be rotated within a DHCP pool.

For more see Abusix Mail Intelligence – Authentication IP List (AuthBL).

SMTP servers are any servers that use SMTP to send and receive mail messages.

The Smurf attack is used for DDoS attacks, where the attacker spoofs the victim’s IP address and then broadcasts many ICMP packets from the spoofed address.

Other devices will respond by replying to the source IP address (spoofed), thus flooding the victim’s computer.

Snowshoe spam is a spamming technique where unsolicited email is sent using many domains and IP addresses to weaken reputation metrics and avoid filters.

A Security Operation Center (SOC) is a centralized cyber security function within an organization that employs people, processes, and technology to continuously monitor and improve an organization’s security posture by preventing, detecting, analyzing, and responding to cybersecurity incidents.

A Cyber Security SOC acts as the command center by taking in telemetry from an organization’s network, devices, and information systems, regardless of the location of those assets. By collecting context from all sources, advanced threats are more likely to be identified. Ultimately over time, the SOC becomes the cyber security center in which every event is logged within the organization is logged, correlated, and monitored.

For each of these events, the SOC then makes the decision on how the events are then managed and acted upon.

Social Engineering is a term for a wide range of user-directed interactions (which may include one or more steps) that use psychological manipulation to trick the unsuspecting users into making security mistakes or giving away sensitive information.

Social media are internet platforms that allow you to broadcast your message as wide as you wish.

It promotes the fluid sharing of ideas, thoughts, and information.

Content includes antidotal personal information, photos, videos, and occasionally documents.

Social networking is where people use dialog on social media to build relationships and social networks with people who share similar personal or career interests, activities, backgrounds, or real-life connections.

NIST defines SaaS cloud computing as:

“The consumer can use the provider’s applications on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”


SaaS vendors offer online services that provide structured application software and databases and price their solution on a subscription or pay-per-use basis.

Users access SaaS applications across the internet, usually using a web browser. Meanwhile, the SaaS vendor manages infrastructure and platforms that run the applications, simplifying maintenance and support.

SaaS applications differ from on-premise solutions in that they are designed to scale at run-time to meet changing work demands.

Transparent to the user, this is accomplished by using load balancers to distribute the work over the set of virtual machines.


These applications are designed in this fashion to accommodate many users or data. Additionally, SaaS solutions are almost always multi-tenant solutions, serving more than one organization simultaneously.

Spamming is the use of messaging systems to send an unsolicited message to many recipients for commercial advertising, non-commercial proselytizing, or any unlawful purpose.

A Spam Block occurs when an IP address or domain associated with spam attempts to send a spam message.

A Spam Filter is a program used to detect unsolicited and unwanted emails and prevent those messages from getting to a user’s inbox.

A spam filter searches for specific criteria on which it bases judgments.

More sophisticated programs, such as Bayesian filters or other heuristic filters, identify spam through suspicious word patterns or word frequency.

Email filtering is the processing of email to organize it according to specified criteria.

The term can apply to human intelligence, but most often refers to the automatic processing of messages at an SMTP server, possibly applying anti-spam techniques.

A Spam Folder is a location for storing unwanted emails, as determined by a spam filter.

This folder is also sometimes called a “junk folder.”

Both mail servers used Spam folders and the user’s email client to file unwanted mail that makes it past the blocklists, which instead bounced the mail.

Spam Traps are email addresses or entire domains created to lure unsolicited email spam.

The practice of sending email spam, advertising a website, or phishing. The word is a portmanteau of the words “spam” and “advertising.” It also refers to vandalizing blogs, online forums, or wikis with hyperlinks to get a higher search engine ranking for the vandal’s website.

Spear phishing is an email spoofing attack that targets a specific organization or individual seeking unauthorized access to sensitive information.

A spear-phishing attack is an email spoofing attack that targets a specific organization or individual seeking unauthorized access to sensitive information.

SPF is an email authentication method designed to detect forged sender addresses during email delivery, by checking the sender domain and IP address, claimed in the envelope of the email, used when an email gets bounced.

When used in combination with DMARC, SPF may be used to detect the forging of the visible sender in emails (aka email spoofing) as well as the bounce address.

Spoofing is a scam in which a criminal disguises an email address, display name, phone number, text message, website URL, or IP address, to convince a person or computer (in an electronic transaction) that they are interacting with a known and trusted entity.

SSH is a protocol used to operate network services securely over an unsecured network.

SSH is most commonly used for remote login into website administration and command-line execution applications.

An SSH Brute Force attack is a cybersecurity attack in which an attacker uses trial and error to guess credentials to access a server.

Brute force attacks do not require vulnerabilities to be successful.

An SSL certificate is installed on your webserver to ensure that when a web browser attempts to see your website, the SSL certificate then enables a secure encrypted connection between the web browser and your webserver.

A Subpoena is a written order from a Court of Law that requires the production of otherwise not publicly available or accessible information.

The surface web is internet content that is standard web search engines index.

The SYN flood is used for DDoS attacks, where the attacker initiates an SYN packet connection to a server but does not finalize the connection.

Since an SYN packet is a three-way handshake used to establish a connection, the target server waits for a half-opened connection, consuming resources and making the victim unresponsive to other legitimate traffic.


The TCP is one of the main protocols of the Internet protocol suite.

The entire communications suite is commonly referred to as TCP/IP.

With TCP, systems can send reliable, ordered, and error-checked delivery messages, or octets, to other hosts on an IP network.

The internet, email, file transfer, and remote system administration depend on TCP. Thus, TCP is a critical piece of the Transport Layer of the TCP/IP suite.

Additionally, SSL/TLS is commonly used with TCP communications.

The TCP/IP model is a five-layer model for networking. From bottom (the link to the internet) to top (the user application), these are (1) the physical connection, (2) data link, (3) network, (4) transport, and (5) application layers. Since the model defines hardware, the TCP/IP model gaps are filled in by IETF standards and protocols.

Text messages are messages sent via the telephone-based “Short Message Service” (SMS).

A threat is the hypothetical of a future event wherein an attacker uses the vulnerability to exploit the network or target individual.

An attacker may use multiple attacks at the same time to exploit different known or potential vulnerability.

While nothing may have happened yet at the “threat” stage, knowing of the threat, the security team can assess whether or not a security action plan needs to be created and implemented to mitigate the threat.

TLS is designed to provide communications security.

Messaging widely uses the protocol (e.g., email, instant messaging, and voice over IP) and HTTPS.

TLS provides authenticity, integrity, cryptography, and privacy by using certificates between two or more applications.

TLS is the successor to SSL.

Trademark infringement is an intellectual property violation and involves the reuse of an entity’s recognized, registered, and exclusive rights of use attached to a registered trademark, without that trademark owners’ expressed authorization or grant of use.


The UDP is one of the main protocols of the Internet protocol suite.

With UDP, systems can send messages or datagrams to other hosts on an IP network.

UDP is a simple connection-less communication model with a minimum of protocol mechanisms. It has no handshaking dialogues; there is no guarantee of delivery, ordering, or duplicate protection.

If error-correction facilities are needed at the network interface level, an application may instead use Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP), designed for this purpose.

The UDP flood is used for volumetric DDoS attacks.

The attacker initiates the attack by sending many UDP packets host to random ports, forcing the victim’s system to reply with many ICMP packets, consuming resources, and making the victim unresponsive to other legitimate traffic.

Unauthorized Access is where a person or another system gains logical or physical access without expressed permission for their access to another network, system, application, data, or other resources.

The unregistered service mark symbol ℠ provides notice that the word or symbol represents a specific service of an organization.

Often service marks precede the approval of a trademark. In many jurisdictions, only registered trademarks can defend legal rights.

The unregistered trademark symbol ™ provides notice that the word or symbol represents a specific service of an organization.

Often unregistered trademarks precede the approval of a trademark.

In many jurisdictions, only registered trademarks can defend legal rights.

A Uniform Resource Locator (URL) is a web address e.g. is a URL.

User Credentials (Log-In) are often a username and password pair, similar keyed or 2FA information, that uniquely identifies someone to confirm their identity when logging into a computer, phone, network, and websites.

User hijacking occurs when a hacker steals a user’s account credentials (e.g, user log in and password) associated with an application.

The hacker will then use the account to impersonate the account owner, execute a financial transaction, steal personal information about the user or ransom the user to regain access to their account. Typically, account hijacking is most commonly executed through brute force trial and error guessing, pharming, or phishing emails sent to the user.


Vishing (Voice Phishing), also known as vishing, is a phishing attempt delivered through a phone call.

Vishing calls often originate from a spoofed or faked phone number made to appear like a legitimate company being impersonated.

So just because it looks like your bank, do not trust the caller, let it go to voicemail. If it is important, they will leave a message.

VPNs provide a proxy server to users wishing to obfuscate their location or IP address to bypass censorship, geoblocking, or hide from potential attackers.

Users also often wish to protect and encrypt their communications against profiling or MITM attacks.

While VPN providers market their services as privacy-enhancing, citing security features, users must be aware that the transmitted content is not encrypted before entering the VPN’s proxy.

Content is again visible at the exit point, meaning the VPN has oversight at both ends of the path.


A web application is a software that runs on a web server.

The application user accesses the application through a web browser.

Commonly-used web applications include webmail, shopping, and banking.

Web application firewalls are built to provide web applications security by applying a set of rules to an HTTP session.

Since applications are online, they often need to keep certain ports open to the internet.

WAFs detect distributed denial of service (DDoS) attacks in their early stages, absorb the volume of traffic making it more difficult for the attacker to try different types of website attacks against the application and the database that is used.

Web proxies are often used to enforce acceptable use policy, and to ease administration since no client browser configuration is required.

Web proxies are also commonly used by ISPs in countries where bandwidth is limited, like island nations, in particular, to improve customer response times by caching.

Web servers are found on Layer 5 of the TCP/IP model.

A web server is computer hardware and software that hosts HTML web content and serves that content (or error) based upon HTTP or, more commonly, HTTPS requests made by a web browser or web crawler.

In addition, the webserver can also log the information provided by visitors.

A webhook is commonly used to interface an application to another application’s API or web page by making a JSON formatted HTTP POST to the target application/web page.

See API.

Website Defacement is an attack on a website that changes the visual appearance of a website.

Defacements are caused by either a vulnerability in website code or breaking into the webserver and either the insertion or replacing of hosted website code with code created by the defacer.

A Welcome List (previously referred to as a Whitelist) is a list of IP addresses and domains that are suppressed from any false positive block listings.

A whaling attack is a highly targeted phishing attack targeted at senior executives within an organization.

The message masquerades as a legitimate email and encourages victims to perform secondary action, such as transferring funds.

WHOIS is a widely used protocol for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system.

GDPR has vastly limited WHOIS information by requiring the redaction of the most valuable information to security researchers.

RDAP is replacing the current WHOIS protocol

Wi-Fi is a family of wireless network protocols based on the IEEE 802.11 family of sharing.

It is meant only for local area networking of devices and Internet access nearby digital devices to exchange data by radio waves.

Wi-Fi is the most widely used networking protocol in the world.

A Wi-Fi network is a specific subcategory of a wireless network with high-frequency and a local area network (WLAN) technology.

Wi-Fi Routers are found on Layer 3 of the TCP/IP Model.

A wireless router is a device that performs the functions of a router and includes the functions of a wireless access point.

It is used to provide access to the Internet or a private computer network. Depending on the manufacturer and model, it can function in a wired local area network, a wireless-only LAN, or a mixed wired and wireless network.

A wireless network is any computer network that uses non-wired (e.g. wi-fi, cellular, microwave, Bluetooth, Zigbee, etc.) connections between its network nodes.

A wireless router is a wireless local area network (WLAN) device that forwards a packet to its intended destination.

A wireless router works the same way as a hard-wired home or business local area network (LAN) but allows greater mobility for laptops and tablets.

WOV is a time frame within which defensive measures are compromised.


To stop attacks or take down illegal content, informing the owner or maintainer of the source is the only way to mitigate issues and therefore is an essential part of the internet infrastructure.

The X-ARF format is an extensible schema-based JSON reporting format built off the ARF format that can be used to report all types of abuse, like phishing, port probes, ssh attacks, and more, not just email abuse.

See more here 


Zero reputation for an IP address or domain will occur when a new server is configured on a new IP address or with a new domain that has never been used before.

It doesn’t mean the new IP address or domain is necessarily bad, it simply means it’s new and therefore it will be untrusted by some who apply Zero-Trust Security Models.

The Zero-Trust Security Model is built around the premise of “never trust, always verify,” which means that devices are not trusted by default, even if they are connected to your own managed network and were previously verified.

The traditional security model which involves trusting devices or those that connect to it via a VPN, within a corporate perimeter makes little sense in distributed computing environments today.

Thus, the zero trust model promotes mutual authentication and checking the identity and integrity of devices regardless of their location. It also provides access to applications and services based on the device identity, device health, and user authentication.

Get in touch

Talk to us

Do you want to remove your IP/domain from one of our blocklists?
Please use our lookup-service and follow the instructions there in order to get that resolved.