Defining Success in The Global Reporting Project cover

·

Defining Success in The Global Reporting Project

For over 15 years, Abusix has been dedicated to enhancing Trust and Safety on the internet, starting the company with the creation of the Abusix Global Abuse Reporting project. While many security companies have focused on developing more robust firewalls or acting as digital police, identifying problematic networks and providing tools to combat online abuse are ultimately the key to improving network trust and the safety of users.

You might be wondering why abuse reporting is so important and how successful Abusix is at tackling it.

The Importance of Abuse Reporting

Abuse reporting plays a crucial role in internet security, primarily because owners of compromised systems are often unaware of their vulnerability. The essence of security transcends mere blockade or enforcement; it's about minimizing the lifespan—Time-to-Live (TTL)—of resources that malicious actors exploit. Our dedication to abuse reporting has been instrumental in mitigating such exploitations.

How Abusix Tackles Abuse Reporting

Initially, we needed a way to identify compromised accounts, systems, and malicious servers.

Blackhole MX (orginally called SpamFeed.me) in 2008 was Abusix's inaugural service. It allowed domain owners to direct non-MX record domains to MX servers around the globe, which Abusix manages.

A testament to the success of this first service is that today, Abusix receives spam and abuse across machines using a steadily increasing 350,000 domains to identify compromised accounts, systems, or abusive mailstreams.

Next, fifteen years ago, the market, including Abusix, needed a method to find the abuse address for any IP address worldwide.

So, in response, the Abusix Contact Database was created and launched. This tool allows reporters worldwide to use a simple DNS service to look up the abuse contact for each network, regardless of the RIR (Regional Internet Registry).

Today, abuse reporters query this free DNS service on average, 824K times a second, 54.8 million times a day. In fact, over the last 90 days, we have provided reporters reporting abuse back to the network operators with the abuse address of networks across the globe over 5 billion times. Trust and Safety and Global Reporting is genuinely part of Abusix’s DNA.

The third trend we identified was the need for a uniform but universal abuse reporting format for various attack attacks.

The format needed to be human—and machine-readable and adaptable for use in emails, RESTful APIs, or streams. The solution we found involved expanding the existing Abuse Reporting Format (ARF, RFC 5965), designed for reporting spam, into an Extensible Abuse Reporting Format (X-ARF). This new X-ARF format expanded the standard permitting any type of abuse to be reported uniformly. While we list 18 different report schemas in our GitHub repository, internally we use over 175 different schemas for a wide range of other attack types and can quickly share with you any that you might find missing that you might need.

The beauty of X-ARF is it retains the ARF structure that so many abuse desks are already tooled for. This structure, consisting of three MIME parts: a human-readable part, a metadata summary, and evidence part. However, X-ARF differentiates itself by incorporating a JSON container in the third MIME part with standardized labels for standard elements. Instead of the original spam email as evidence, the third mime part is a JSON container with metadata that includes the appropriate labels and meta data for reporting abuse such as web crawler, trademark, counterfeit goods, copyright abuse, DDoS machine, or other abuse types. This standardized email report structure and JSON labeling expedites the reading of reports for both humans and machines and may easily be applied to RESTful APIs, Streams and even abuse management data backbones.

Currently, an increasing number of reporters appreciate the benefits of this standardized reporting format, making it easier for receiving abuse desks to process their inbound reports. As a result, over 260 companies and government CERTs worldwide now use X-ARF as their preferred abuse reporting format, especially when reporting abuse between each other.

The Fourth Initiative: Sharing Spamtrap Data

Since Abusix's inception, we've shared our own spamtrap data from our Blackhole MX project to help network operators (ISPs and Hosting Providers in particular) hosting abuse see problems within their network and thus take meaningful action addressing compromised users and machines as well as acting against bad actors within their networks. In the last few years we expanded our reporting to include the reporting of potentially compromised account reports back to mail operators.

Currently, Abusix sends over 100,000 spam trap hits daily to networks worldwide hosting compromised users and machines.

Clearly, Abusix has helped to shape the Trust and Safety ecosystem that exists today, and we have used and continue to use our infrastructure to develop effective strategies for efficient abuse management and the global good. Making the internet safer isn’t something new, its the good citizen we strive to be.

A growing shared responsibility in making the Internet safer

But, trust and safety on the Internet are not responsibilities that a single organization can shoulder. An organic and unified community effort is necessary to prevent abuse. Dealing with adversaries is like a game of whack-a-mole: once a compromised account or system is corrected, a malicious actor's resources are eliminated, another compromised user or system emerges, or the malicious actor appears in a different location. Therefore, it is crucial to report abuse to other network operators as soon as you see it and process abuse reports about your own network swiftly. Sharing indicators of compromise (IOCs) and other relevant information is critical to creating a safer internet.

Broadening the community of reporters

Recognizing the potential for abuse and fraud through network and mail system attacks, intellectual property theft, trademark abuse, cyberbullying, and child exploitation is crucial. To address this, we've developed Abusix’s Global Reporting (aka Data Channels). This Abusix service makes it easy for any organization to report abuse back to the orginating network for free, whether a single submission or bulk reporting via an API.

Be wary of imitators who exploit data solely for their own security solutions and profit. These organizations collect your data without any intent of timely informing the originating network of the abuse. As a result, network operators often lack evidence of problems, which allows vulnerability and compromise problems to fester and endanger others online. Such security organizations typically rely on their 'black boxes', which protect their paying customers from abuse, rather than reporting the issue to the network operator for resolution. This approach promotes internet insecurity instead of helping to eliminate the source of abuse or danger.

Conversely, Abusix's Global Reporting is a genuine partnership. Its primary mission is to report abuse (IOC) to the originating network in a standardized, easy-to-process format (XARF). This helps identify problems at their source, remediate compromised users and accounts, and facilitate the takedown of malicious actors, something a blocklist alone cannot achieve.

Ultimately, Trust and Safety, requires building network operator trust models to truly achieve user safety, not just building a blocklist.

Abusix’s Success So Far

Global Reporting

In the first 90 days of our new seamless Abusix Global Reporting using our Data Channel we have data for the first four reporters:

1) The typical abuse reports we processed were for:

2) The total number of reports exceeded 1.05 million, and they were sent to 4,876 individual abuse desks, mostly in Europe, reflecting the geography of the reporters.

3) The most significant volumes of reports sent were:

  • 464,000 reports to Microsoft
  • 75,000 to Google
  • 27,000 to Promio
  • 24,000 to ISXhost UK
  • 22,000 to Sendgrid
  • 20,000 to Amazon
  • 18,000 to Send in blue
  • 16,000 to Webanizer

To track future success of this project we will compare

  1. % of network operators with working abuse addresses
  2. % of all network operators reporting abuse to their peers on their own and using our Global Reporting tools.
  3. The number of abuse reporters (other than network operators) reporting abuse to network owners on their own and using our Global Reporting tools.
  4. % of all reporters using standardized reporting formats including ARF and XARF

Abusix Feedback Loop reporting solution

Our Abusix This-Is-Spam Feedback Loop reporting solution which follows RFC 9477 is a subset of and leverages our Global Reporting architecture. recently launched.

While still early, ESPs, ISPs, and Mailbox providers that add the CFBL header will drive market adoption.

At the current time, we have five reporters either reporting or queued up for us to report on their behalf.

To track future success of this project we will compare

1) % of ESPs and mailbox providers inserting the CFBL header

2) % of all mailbox providers processing CFBL header

In the end, the new RFC compliant feedback loop will benefit all senders. Whether the data is used to identify malicious or compromised accounts or simply to unsubscribe recipients from newsletters, everyone stands to gain.

Getting Started with Abusix

Abusix leads the effort to report abusive Internet traffic back to its origin, as such we have become the clear leader in creating a community that understands that Trust and Safety, require the building of network operator data exchange and trust models to truly achieve user safety.

If you want to get started, first create a free account at https://app.abusix.com, and then pick your project

Read More

·

The definition of network abuse has become a hot subject again lately. People are wondering why there’s no clear definition...

·

Network abuse on the Internet has been on the rise for the past 20 years. Since 98% of all internet...

·

An abuse team has to deal with so many reports, and the end...