An abuse desk is a team at a network provider or SaaS solution responsible for preventing fraud and abuser emanating from their network by enforcing their terms of service and acceptable use policies. Abuse desks usually comprise individuals from various backgrounds, including security, legal, customer service, network, email, and system administrators.
Abuse is reported to the abuse desk using the [email protected] role account for your domain(s) or via the abuse contacts defined in network ranges in RIR WHOIS records. Email spam and phishing from your network may be reported to you by signing up to Feedback Loops.
Anti-phishing refers to efforts to block phishing attacks. Phishing is a cybercrime where attackers pose as trusted entities and contact individuals through email, text, or telephone and ask them to share sensitive information. In a phishing attack, users are lured (phished) into providing account information, password, credit card information, bank account details, or other sensitive data. In addition, the phishing attempt might include trying to get the target to click on a URL link to download malware.
ARF (aka Abuse Reporting Format is used for reporting email threats reported by recipients using their “This is Spam” buttons and Feedback Loops (FBL).
The X-ARF format is an extensible schema-based JSON reporting format built off of the ARF format that may be used to report all types of abuse, like phishing, port probes, ssh attacks, and more, not more just email abuse.
ASN (aka autonomous system number) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
ASNs are allocated by RIRs.
An attack vector is a slight path by which an attacker or hacker can access a computer or network server to deliver a payload or malicious attack. Attack vectors allow hackers to exploit system vulnerabilities as well as the human element.
An AUP (aka acceptable use policy) is a set of rules that restricts how the network, website, or system may be used. An AUP sets guidelines for how a network or service may be used and is part of a “terms of service agreement”.
The most important part of an AUP is the code of conduct governing a user’s behavior while connected to the network and what actions will be taken should the policy be violated.
Backscatter is typically unwanted messages caused by incoming spam forging email addresses. It is caused when a mail server accepts a forged message that subsequently cannot be delivered, causing the receiving mail system to send a Delivery Service Notification (DSN) to the message Return-Path, which is forged.
This can be avoided by rejecting messages at the border of the MX.
Abusix Mail Intelligence includes a dataset that contains IP addresses of systems that have sent backscatter to our traps, which you can use to filter these messages.
Baiting is when cybercriminals lure a target into clicking on a URL and then place malware at the end of the URL’s destination. The URL could be contained in an email, returned by a web search, or included in an application popup; it could be anywhere. Once you click on the URL, a virus, worm, Trojan, ransomware, or other program is downloaded to your computer, giving the cybercriminals access to your system.
A bounce message or just “bounce” is an automated message from an email system, informing the sender of a previous email that the message had not been delivered (or some other delivery problem occurred). The original message is said to have “bounced”.
More often than not, a civil case involves two private parties involved in a lawsuit that a Court of Law is handling. Examples may include but are far from limited to defamation and libel proceedings, suits involving ownership of the disputed material.
Confirmed Opt-in, see Double Opt-in
Copyright law is the right of a copyright owner to control the use of their work for a limited period. The copyrighted work must be an original work in a tangible medium of expression, like a book, music, video, photography, and others.
Typically a copyright owner is the person who creates the creative work.
For example, if you wrote a book or took a photograph, you would be the copyright owner. An employer may be the copyright owner if the content was created for the employer by an employee.
The copyrighted work is the intellectual property in written content like books, pamphlets, brochures, pictures, catalogs, promotional materials, instructional materials, posters, or visual and audio content (films, slides, photographs, advertising).
Copyrighted material may also contain original literary, artistic, software code or musical expression, or work subject to copyright protection.
Cyber security is a subset of information security that involves active monitoring and protecting internet-connected network devices (e.g., hardware, software, programs, and data) from potential cyberattacks. It also protects the integrity of networks and data from unauthorized access.
Cyber threats are malicious attempts to damage or disrupt a computer network or system
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak, information leakage, and data spill.
Website defacement is an attack on a website that changes the visual appearance of a website. These are typically the work of defacers, who break into a web server and replace the hosted website with one of their own.
DKIM (aka Domain Keys Identified Mail) is an email authentication method designed to detect forged sender addresses in emails (email spoofing) or man-in-the-middle attacks, techniques often used in phishing and email spam.
DMARC (aka Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. By using both authentications methodologies SPF and DKIM, DMARC protects a domain from being used in business email compromise attacks, phishing emails, email scams, and other cyber threat activities.
DMCA (aka The Digital Millennium Copyright Act) is a 1998 United States copyright law that implements two 1996 World Intellectual Property Organization treaties. It criminalizes the production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works.
A copyright infringement notice is the result of a computer identified as engaged in an illegal transfer of copyrighted content (e.g.: music, videos, photography, or some other type of intellectual property).
The notice is sent to the ISP hosting the IP address of the computer identified in the transfer, identifying the particular infringement and the associated IP address. Legitimate notices will only come from a user’s own ISP.
DNS (aka Domain Name Service) is a critical internet service that translates names like www.google.com into the IP addresses in which this service resides.
DNSBL (aka Domain Name System Blackhole List, Domain Name System Blacklist, RBL, Real-time Blackhole list) uses DNS as a database lookup to a reputation provider (either as a blocklist or allow list), such as Abusix Mail Intelligence, to determine the trustworthiness of an IP, domain name, and hashed value (like a URL or file).
DNSBL functions and operations are defined by RFC5782.
DNSBLs may return DNS A or TXT records. The TXT record (if present) usually returns text that can be displayed to the user as part of the SMTP error text.
Multiple A records can be returned but must always be in the range 127.0.0.0/8, but must not be 127.0.0.1 (this is defined as the return code to say the DNSBL may have shut down and should not be queried) and 127.0.0.2, which is used as a test point and must be present.
The remainder of the 127.0.0.0/8 range can signify individual lists within an aggregated list or partition one big data set into multiple smaller pieces so that the user may treat each differently should they wish.
All return codes for Abusix Mail Intelligence lists are defined in our documentation.
DoS attack (aka denial-of-service attack) is a cyber-attack. The attacker seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the internet. Denial of service is typically accomplished by flooding the targeted machine or resource with many requests intended to overload systems and prevent some or all legitimate requests from being fulfilled.
A double opt-in (aka COI, Confirmed Opt-in) occurs when a user signs up and is sent an email that includes a link to click and confirm the subscription. By using a double opt-in confirmation method, the chance of spam addresses being signed up is significantly reduced.
DSN (aka “Delivery Service Notification” or “bounce” message)
Once a mail server has accepted a message for delivery and cannot deliver the message to its final destination, it MUST generate a non-delivery report DSN to notify the sender that the message could not be delivered.
This can cause problems when a mail server accepts forged messages – see also backscatter.
An email account is simply a user account that can send and receive emails. The account is assigned one or more email addresses that consist of a “user address + @ + domain name.” All email addresses are unique.
An email address identifies an email destination to which messages are delivered. While early messaging systems used various formats for addressing, today, email addresses follow a set of specific rules standardized by RFC 5322.
Email appending is a practice that involves taking available customer data (first name, last name, and postal address) and matching it against a vendor’s database to obtain email addresses.
The purpose is to grow an email subscriber list to send customers information via email instead of traditional mail.
Email appending is a controversial practice in the email marketing world. The “Messaging Anti-Abuse Working Group” (M3AAWG) released a position paper stating the practice of email appending is a direct violation of M3AAWG values as an abusive practice.
An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message and sent to the recipient.
Email marketing is sending a commercial message to a group of people using email. Every email sent to a potential, or current customer could be considered email marketing in its broadest sense. It involves using email to send advertisements, request business, or solicit sales or donations.
An email server (aka mail server, mail exchanger, MX host, Mail Transfer Agent, MTA, and Mail Delivery Agent, MDA) is a software that transfers electronic mail messages from one computer to another using the SMTP protocol.
An ESP (aka email service provider) is a company that provides email marketing or bulk email service infrastructure to send messages. Typically an ESP provides the infrastructure to send the messages, offers templates and statistics for each message sent, handles unsubscribed, and monitors engagement for each list subscriber.
Common threats to email systems include the following: Malware. Increasingly, attackers are taking advantage of email to deliver various attacks to organizations through malware or malicious software, which contain viruses, worms, Trojan horses, and spyware.
A false-positive is an error in classification (or misclassification). In contrast, a false-negative is an opposite error where the result incorrectly fails (or misses), indicating the presence of a condition when it is present.
A feedback loop (FBL) allows mailbox providers to send complaints from their users to the sending organization. This can be done via the use of a “This is Spam (TIS)” button or manually via a helpdesk. Feedback loops send reports in MARF format and are usually opt-in services. Not all mailbox providers offer FBLs.
Greylisting is an SMTP email security technique that uses the temporary error codes in the SMTP protocol to delay messages from “new” IP addresses until it can be determined that the IP is legitimate and correctly implements a retry queue. This slight delay also provides additional time for DNSBLs to see the traffic and list the IP addresses, improving efficiency. Done correctly, this can be unobtrusive and yield excellent results.
Hailstorm spam is sent in very high intensities from many IP addresses in a brief period before disappearing and then using a different set of IP addresses.
This technique is used to evade anti-spam mechanisms that are not fast enough to react as the campaigns are short.
A hashbuster is random data inserted into a message to make it look unique to hashing algorithms or Bayesian training systems to evade detection.
Information Security aka InfoSec provides the foundation for data security, ensuring that physical and digital data is protected from unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction. Information security keeps data in any form, physical or digital, secure, whereas cyber security protects only digital data.
Internal networks (aka Local Area Network) refer to the internal network of IP addresses. Conversely, an external network (aka a public or wide area network) refers to the external network IP addresses.
Internet Security Awareness Training (ISAT) is a subset of general security awareness training given to members of an organization regarding the protection of various information assets of that organization. Even small and medium enterprises should provide ISAT training.
Organizations that need to comply with government regulations (i.eGLBA, PCI, HIPAA, Sarbox) are required by contract to provide formal ISAT annually for all employees.
An IPS (Intrusion prevention system) is a network security and threat prevention tool used with an Intrusion detection system (IDS). IDS and IPS tools are designed to monitor a network in real-time, identify potential threats early, and then respond to the threat accordingly.
An IP address (internet protocol address) is a numerical label assigned to each device connected to a computer network that uses the internet protocol for communication.
IP Hijacking is where ranges of IP addresses not currently in use by their owner are stolen and used for criminal activity.
This exploits some weaknesses in the Border Gateway Protocol (BGP), which designate paths for routed data packets and redirect the addresses to the criminal.
Law enforcement organizations are the governmental agencies responsible for enforcing laws, maintaining public order, and managing public safety. The primary duties of law enforcement include the investigation, apprehension, and detention of individuals suspected of criminal offenses.
LEO Cases are information requests related to ongoing criminal cases. The case is being tried by a State or Federal prosecutor, pursuing criminal charges against an individual, company, or entity for a felony or a misdemeanor.
List washing is where bad email addresses are removed from a mailing list that was not built using confirmed opt-in (COI) to clean it up.
Malicious activities are external threats to your network. They are activities performed by cybercriminals that infiltrate your system to steal information, sabotage your operations, or damage your hardware or software.
Malware (aka malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network. File types include computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper, and scareware.
“Too many concurrent SMTP connections; please try again later.” means the server you’re sending through is busy, and you probably don’t have SMTP authentication enabled.
Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.
An MX is a server responsible for email for a given domain defined by an MX record in DNS
A network is a system of connected nodes or stations to permit data communication between devices, using various channels or methods (telemetry, text, audio, video, etc.).
Network devices (aka network hardware or network equipment) are electronic devices required for communication and interaction between devices on a computer network. Specifically, they mediate data transmission in a computer network.
Network security is a subset of cyber security. The job of network security is to make your network more secure by providing technical expertise for network devices and security systems like firewalls and intrusion detection systems and protocols that apply encryption and digital certificates.
The number of connections refers to limits on the number of messages and connections that an email server can process. The rate considers message processing rates, SMTP connection, and SMTP session timeout. The limits work together to protect an email server from being overwhelmed by accepting and delivering messages.
The Microsoft Office 365 suite is a hosted, online version of the traditional installed version of Microsoft Office software. This online service is subscription-based and includes Office, Exchange Online, SharePoint Online, Lync Online, and Microsoft Office Web Apps.
An open mail relay is a Simple Mail Transfer Protocol (SMTP) server configured in such a way that it allows anyone on the internet to send email through it, not just mail destined to or originating from known users. Open relays are exploited by spammers and worms and blocklisted.
Phishing is a social engineering attack wherein a fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, and credit card details, disguising oneself as a trustworthy entity. Additionally, a phishing attack may be designed to get the target to download malicious software unintentionally.
A phishing website is often a “spoofed” or “copycat” site of a legitimate brand. The fake site intends to trick you into providing sensitive business or personal information. The type of information they collect includes account passwords, credit cards, or other confidential information. Don’t be fooled by a site that initially looks real; be careful at all times with every internet transaction you make.
PII (aka Personally identifiable information, Personal Data, Personal Information) is defined as any data or information that permits an individual’s identity to whom the information applies. This information may be in paper, electronic, or other media and may include text, photographic, DNA, or additional related information.
The practice of protecting means to defend, protect, shield, guard, safeguard means to keep secure from danger or against attack. Defend denotes warding off an actual or threatened attack. Defending the country’s protection implies using something (such as a covering) as a bar for the admission or impact of what may be attacked or injured.
Pretexting is where a cybercriminal impersonates an authority figure or someone the employee or customer would easily trust to get their personal information.
Protected data means non-public, personal data possessed or controlled by either of the companies in the course of their business. The data is not employee personal data, but data associated with a specific person or entity or person, maintained by the sellers confidential. The data might include credit card information, taxpayer identification or social security number, or other non-public identifying or sensitive information. This data also consists of any information protected under any relevant data privacy law.
Quid pro quo is when a cybercriminal requests personal information for a reward, i.e., money, a gift, or a free service. Quid pro quo’s are not unusual; more and more cybercriminals use free apps or software as a trojan horse to further an exploit.
Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless the victim pays a ransom.
Real-time Blackhole List, see DNSBL.
Registration Data Access Protocol is a protocol designed as a successor to the WHOIS protocol.
It is used to look up relevant registration data from such internet resources as domain names, IP addresses, and autonomous system numbers.
RDAP is a protocol designed to be the successor to the WHOIS lookup protocol. RDAP is used to look up relevant registration data from such internet resources as domain names, IP addresses, and autonomous system numbers.
A Request for Preservation of information sent by law enforcement to a network operator to prevent the destruction of data, with the express intent to serve a Subpoena later to obtain the preserved data.
A regional Internet registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers.
An RIR (Regional Internet Registry) is an organization that manages the allocation and registration of Internet number resources within a region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers.
Security measures refer to the steps taken to prevent or minimize criminal acts, espionage, terrorism, or sabotage.
Security solutions refer to the tools that a company deploys to protect against unauthorized or criminal use of electronic data. Cyber security services are the overarching processes to achieve this security and protect against common cyber threats.
Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
SMTP (Simple Mail Transfer Protocol) is an internet standard communication protocol for electronic mail transmission.
SMTP AUTH (SMTP Authentication) is an extension of SMTP whereby a client may log in using any authentication mechanism supported by the server.
SMTP servers are any server or message transfer agent (MTA) that uses SMTP to send and receive mail messages.
Snowshoe spam is a technique where spam is sent using many different domains and IP addresses to weaken reputation metrics and avoid filters.
Spamming uses messaging systems to send an unsolicited message to large numbers of recipients for commercial advertising, non-commercial proselytizing, or any unlawful purpose.
A Spam block occurs when an IP address or domain associated with spam tries to send a spam message.
A spam filter is a program used to detect unsolicited and unwanted emails and prevent those messages from getting to a user’s inbox. A spam filter looks for specific criteria on which it bases judgments. More sophisticated programs, such as Bayesian filters or other heuristic filters, identify spam through suspicious word patterns or word frequency.
A spam folder is a location for storing unwanted emails as determined by a spam filter. This folder is also sometimes called a “junk folder.” Spam folders are used by both mail servers and the user’s email client to file unwanted mail that makes it past the blocklists which instead, bounce the mail.
Spam traps are email addresses or entire domains that are created to lure spam.
The practice of sending email spam, advertising a website, or phishing. The word is a portmanteau of the words “spam” and “advertising.” It also refers to vandalizing blogs, online forums, or wikis with hyperlinks to get a higher search engine ranking for the vandal’s website.
Spear phishing is an email spoofing attack that targets a specific organization or individual seeking unauthorized access to sensitive information.
SPF is an email authentication method designed to detect forging sender addresses during email delivery.
It is limited only to detect a forged sender claimed in the envelope of the email, which is used when the mail gets bounced. When used in combination with DMARC, it can be used to detect the forging of the visible sender in emails (email spoofing).
A Subpoena is a written order from a Court of Law compelling the production of otherwise not publicly available or accessible information.
The TCP/IP model is a five-layer model for networking. From bottom (the link to the internet) to top (the user application), these are (1) the physical connection, (2) data link, (3) network, (4) transport, and (5) application layers. Since the model defines hardware, the TCP/IP model gaps are filled in by IETF standards and protocols.
Trademark infringement is a violation of the exclusive rights attached to a trademark without the trademark owner’s authorization or any licensees.
A person or a system gains logical or physical access without permission to a network, system, application, data, or other resources.
Often a username and password that uniquely identifies someone on a computer system, and a username/password combination is referred to as a login, often required for users to log in to websites.
WHOIS is a widely used protocol for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
WHOIS information has been vastly limited by GDPR, which requires the redaction of the most valuable information.
RDAP is replacing the current WHOIS protocol.
A wireless network is any computer network that uses wireless data connections between network nodes.
A wireless router is a wireless local area network (WLAN) device that forwards a packet to reach its intended destination. A wireless router works the same way as a hard-wired home or business local area network (LAN) but allows greater mobility for laptops and tablets.
To stop attacks or take down illegal content, informing the owner or maintainer of the source is the only way to mitigate issues and therefore is an essential part of the internet infrastructure.
The X-ARF format is an extensible schema-based JSON reporting format built off of the ARF format that may be used to report all types of abuse, like phishing, port probes, ssh attacks, and more, not more just email abuse.