An abuse desk is a group of people responsible for preventing abusive behavior emanating from their network by enforcing acceptable use policies or terms of service.
Abuse is reported to the abuse desk using the abuse@ role account for your domain(s) or via the abuse contacts defined in the WHOIS records of the network ranges that have been delegated to you by an RIR. Email spam received from your network can also be reported to you if you sign up to Feedback Loops.
Abuse desks usually comprise individuals from various backgrounds, including legal, customer service, network, email, and system administrators.
The Abuse Reporting Format is used for reporting email-borne threats via Feedback Loops (FBL); it has lately been renamed MARF (Mail Abuse Reporting Format).
Abusix designed X-ARF as an extensible schema-based reporting format that can be used for reporting all abuse types, not just email.
An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
ASNs are allocated by RIRs.
An acceptable use policy (AUP), acceptable usage policy, or fair use policy, is a set of rules applied by the owner of a network, website, or service that restricts how the network, website, or system may be used.
An AUP sets guidelines as to how it should be used.
The most important part of an AUP document is the code of conduct governing a user’s behavior while connected to the network and what actions will be taken should the policy be violated.
Backscatter is unwanted bounce messages caused by incoming spam that forges the sender address. It occurs when a mail server accepts a forged message that subsequently cannot be delivered, so the receiving mail system sends a Delivery Service Notification (DSN) to the message's Return-Path, which is forged.
This can be avoided by rejecting messages at the border of the MX.
Abusix Mail Intelligence includes a dataset that specifically contains IP addresses of systems that have sent backscatter to our traps, which you can use to filter these messages.
A bounce message or just “bounce” is an automated message from an email system, informing the sender of a previous email that the message had not been delivered (or some other delivery problem occurred). The original message is said to have “bounced”.
Commercial sexual exploitation of children is a commercial transaction that involves child prostitution, child pornography (including live streaming of any sort of sexual content and the advertisement of child pornography websites), and the sale and trafficking of children.
More often than not, a civil case involves two private parties in a lawsuit handled by a court of law. Examples include, but are far from limited to, defamation and libel proceedings, suits involving ownership of material, and court cases regarding a content dispute.
Confirmed Opt-in, see Double Opt-in
Website defacement is an attack on a website that changes the visual appearance of a website. These are typically the work of defacers, who break into a web server and replace the hosted website with one of their own.
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol.
It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. By building on both authentication methods, SPF and DKIM, DMARC protects a domain from being used in business email compromise attacks, phishing emails, email scams, and other cyber threat activities.
The Digital Millennium Copyright Act is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization. It criminalizes the production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works.
Domain Name Service. This is a critical service of the Internet that translates names like www.google.com into IP addresses.
A Domain Name System-based Blackhole List, Domain Name System Blacklist (DNSBL), or Real-time Blackhole List (RBL).
DNSBL uses the Domain Name System as a database lookup to a reputation provider, such as Abusix Mail Intelligence, to determine the trustworthiness of an IP, domain name, and hashed value (like a URL or file).
Its function and operation are defined by RFC5782.
A DNSBL can return DNS A or TXT records. The TXT record (if present) usually carries text that can be shown to the user as part of the SMTP error text.
Multiple A records can be returned, but they must always be in the range 127.0.0.0/8. Within that range, 127.0.0.1 must not be returned as a listing (this value is defined as the return code meaning the DNSBL may have shut down and should no longer be queried), and 127.0.0.2 is a test point that must always be present.
The remainder of the 127.0.0.0/8 range can be used to signify individual lists within an aggregated list, or to partition one big data set into multiple smaller pieces so that the user may treat each differently should they wish.
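As an added example (not code from the original glossary or from Abusix), the DNSBL lookup and RFC 5782 sanity checks described above, written in Python. The zone name and the in-memory "DNS" answers are constructed so the example runs offline; the resolver function is a stand-in you would replace with a real DNS query.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed placeholder zone; not a real DNSBL.
ZONE = "dnsbl.example.invalid"

# Constructed in-memory answers standing in for DNS (name -> A records).
FAKE_DNS: Dict[str, List[str]] = {
    # RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    f"2.0.0.127.{ZONE}": ["127.0.0.2"],
    # A constructed listing with two A records, e.g. two sub-lists of an aggregate.
    f"1.2.0.192.{ZONE}": ["127.0.0.2", "127.0.0.4"],
}

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def fake_resolve(name: str) -> List[str]:
    """Stand-in resolver: returns the A records for a name, or [] (NXDOMAIN)."""
    return FAKE_DNS.get(name, [])


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Build the query name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip: str, zone: str = ZONE,
           resolve: Callable[[str], List[str]] = fake_resolve) -> List[str]:
    """Return the A records for ip; anything outside 127.0.0.0/8 is invalid
    (typically a parked or wildcarded zone) and must not be treated as a listing."""
    answers = resolve(dnsbl_name(ip, zone))
    for a in answers:
        if ipaddress.IPv4Address(a) not in LOOPBACK:
            raise ValueError(f"unexpected DNSBL answer {a} for {ip}; do not use this zone")
    return answers


def zone_is_sane(zone: str = ZONE,
                 resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """RFC 5782 check: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return bool(lookup("127.0.0.2", zone, resolve)) and not lookup("127.0.0.1", zone, resolve)


def is_listed(ip: str, zone: str = ZONE,
              resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """True if the zone returns at least one A record for ip."""
    return bool(lookup(ip, zone, resolve))
```

Run `zone_is_sane()` before trusting any answer from a zone; a dead or wildcarded list will otherwise either never list anything or list everything.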
A double opt-in occurs when a user signs up and is then sent an email which includes a link to click and confirm the subscription. By using a double opt-in confirmation method, the chance of spam addresses being signed-up is greatly reduced.
Short for “Delivery Service Notification” or “bounce” message.
Once a mail server has accepted a message for delivery and is unable to deliver the message to its final destination, it MUST generate a non-delivery report DSN to notify the sender that the message could not be delivered.
This can cause problems when a mail server accepts messages which are forged – see also “Backscatter”.
Email appending is a practice that involves taking known customer data (first name, last name, and postal address) and matching it against a vendor’s database to obtain email addresses.
The purpose is to grow an email subscriber list with the intent of sending customers information via email instead of through traditional mail.
Email appending is a controversial practice in the email marketing world. The “Messaging Anti-Abuse Working Group” (M3AAWG) released a position paper stating the practice of email appending is in direct violation of their values as an abusive practice.
An email service provider (ESP) is a company that offers email marketing or bulk email services.
Typically an ESP provides the infrastructure to send the messages, offers templates and statistics for each message sent, handles unsubscribes, and monitors engagement for each list subscriber.
A feedback loop (FBL) allows mailbox providers to send complaints from their users to the sending organization. This can be done via the use of a “This is Spam (TIS)” button or manually via a helpdesk. Feedback loops send reports in MARF format and are usually opt-in services. Not all mailbox providers offer FBLs.
This SMTP technique uses the temporary error codes in the SMTP protocol to delay messages from “new” IP addresses until it can be determined that the IP is legitimate and correctly implements a retry queue. This small delay also provides additional time for DNSBLs to see the traffic and to list the IP addresses, thereby improving efficiency. Done properly, this can be unobtrusive and yield very good results.
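As an added example (not from the original glossary), the decision logic of the greylisting technique described above, in Python. It keys on the (client IP, envelope sender, envelope recipient) triplet and answers with a 451 temporary error until the client retries after the minimum delay; the timing constants are constructed values for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed policy values; tune to your own traffic.
MIN_DELAY = 300                 # seconds a new triplet must wait before acceptance
RETRY_WINDOW = 4 * 3600         # seconds a pending triplet stays valid
WHITELIST_TTL = 36 * 24 * 3600  # seconds a proven client IP is remembered

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 OK"

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)


@dataclass
class Greylister:
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    verified_until: Dict[str, float] = field(default_factory=dict)  # keyed by client IP

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP response for the RCPT stage of this delivery attempt."""
        if self.verified_until.get(ip, 0.0) > now:
            return ACCEPT  # this IP already proved it runs a real retry queue
        key = (ip, sender.lower(), rcpt.lower())
        seen = self.first_seen.get(key)
        if seen is None or now - seen > RETRY_WINDOW:
            # First sight, or a stale record: defer with a temporary error.
            self.first_seen[key] = now
            return TEMPFAIL
        if now - seen < MIN_DELAY:
            # Retried too quickly: a compliant MTA backs off, a spam cannon does not.
            return TEMPFAIL
        # Proper retry after the delay: accept and remember the client IP so
        # later messages from it are not delayed again.
        del self.first_seen[key]
        self.verified_until[ip] = now + WHITELIST_TTL
        return ACCEPT
```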
Hailstorm spam is sent in very high intensities from many IP addresses in a very short period of time, before disappearing and then using a different set of IP addresses.
This technique is used to evade anti-spam mechanisms which are not fast enough to react as the campaigns are so short.
A hashbuster is random data inserted into a message to make it look unique to hashing algorithms or Bayesian training systems to evade detection.
This is where ranges of IP addresses not currently in use by their owner are stolen and used for criminal activity.
This exploits weaknesses in the Border Gateway Protocol (BGP), which is used to designate paths for routed data packets, so that traffic for those addresses is redirected to the criminal.
Law Enforcement Organization
These information requests are always related to ongoing criminal cases. The case is being tried by a State or Federal prosecutor, pursuing criminal charges against an individual, company, or entity for either a felony or a misdemeanor.
This is where bad email addresses are removed from a mailing list that was not built using confirmed opt-in (COI) to clean it up and make it useful.
Malicious activities are external threats to your network. They are activities performed by cybercriminals who infiltrate your systems to steal information, sabotage your operations, or damage your hardware or software.
Malware (aka malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network.
A Mail Exchanger is a server responsible for email for a given domain as defined by an MX record in DNS.
Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, and credit card details, by disguising oneself as a trustworthy entity.
A Request for Preservation of information is often sent to prevent the destruction of data, with the express intent to serve a Subpoena at a later date to obtain the preserved information.
Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
Real-time Blackhole List, see DNSBL.
Registration Data Access Protocol is a protocol designed as a successor to the WHOIS protocol.
It is used to look up relevant registration data from such internet resources as domain names, IP addresses, and autonomous system numbers.
A regional Internet registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers.
Snowshoe spam is a technique where spam is sent using lots of different domains and IP addresses to weaken reputation metrics and avoid filters.
Spamming is the use of messaging systems to send an unsolicited message to large numbers of recipients for commercial advertising, non-commercial proselytizing, or any prohibited purpose.
Spamtraps are email addresses or entire domains that are created to lure spam.
The practice of sending e-mail spam, advertising a website. The word is a portmanteau of the words “spam” and “advertising”. It also refers to vandalizing blogs, online forums, or wikis with hyperlinks in order to get a higher search engine ranking for the vandal’s website.
Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during email delivery.
It only detects forgery of the sender claimed in the envelope of the email, which is the address used when the mail gets bounced. When used in combination with DMARC, it can also be used to detect forgery of the visible sender in emails (email spoofing).
A Subpoena is a written order from a Court of Law compelling the production of information that is otherwise not publicly available or accessible.
Trademark infringement is a violation of the exclusive rights attached to a trademark without the trademark owner’s authorization or any licensees.
WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
It has been ruined by GDPR, which caused most of the useful information to be redacted, and is due to be replaced by RDAP.