Common Inbound Abuse Channels That You Should Be Using For Solid Service Provider Security


Common Inbound Abuse Channels That You Should Be Using For Solid Service Provider Security

Service providers are flooded with reports of network abuse on a daily basis, making service provider security a top priority. To deal with the multi-layered abuse effectively, it’s important for service providers to use reliable inbound abuse channels to stay on top of the latest service provider security threats.

Cybercrime and network abuse are on the increase. Just to mention a few: 88% of organizations worldwide experienced spear phishing attempts in 2019, Data breaches exposed 36 billion records in the first half of 2020 and 95% of cybersecurity breaches are caused by human error.

To deal with this ongoing network abuse, service providers need all the latest abuse information and reports at their fingertips.

See also: The Five Biggest DDoS AttacksOf The Past Decade

Common Inbound Abuse Channels

Common Inbound Abuse Channels that reliably deliver up-to-the-minute information about security threats and network abuse include:

  1. The abuse@mailbox. A service provider’s abuse@mailbox is simply a mailbox where abuse reports can be directed. It’s important not to scan and block spam from this mailbox, as you could end up blocking reports of spam from within your own network. Rather tag all inbound traffic with a spam score that allows your team to easily sort and identify spam during the parsing and analyzing process. For enhanced security, don’t use an autoresponder when you receive the following types of mail in your abuse@mailbox:        
  • Envelope-sender contains “no-reply@”,“noreply@”, or “nobody@”
  • Messages with an empty envelope-sender
  • The subject line contains “[no-reply]”
  • Contains “X-Auto-Response-Suppress: All” (Microsoft Exchange)  Header
  • Contains “Auto-Submitted: auto-generated” (RFC 3834) Header
  1. Regional Internet Registries (RIRs). The five major RIRs are RIPE, ARIN, LACNIC, APNIC, and AFRINIC. They are responsible for delegating blocks of IP addresses to service providers. They keep accurate records of companies that have received each block, which is recorded in the RIRs’ whois services. If your abuse team detects abuse coming from a particular IP address, they can use the RIRs’ whois service to see who is responsible for the abuse. This abuse can then be reported to the abuser’s service provider, and it becomes their responsibility to mitigate or remediate it.
  2. Web Forms: Spam reports often come from a private person sending or forwarding you a spam message and asking you to make it go away. The biggest problems a network abuse team usually faces with these types of reports are either missing details on the incident or reports arriving in a format that cannot be parsed automatically. Web forms can help prevent this with fields that guide reporters through the process of submitting an accurate report.
  3. Application Programming Interfaces (APIs). APIs can be used to automate large amounts of data in the abuse handling process. The only disadvantage of an API is the amount of time needed to manage them.
  4. Abusix’s Abuse Contact DB. Abusix’s Abuse Contact Database works similarly to the RIRs whois service, as it allows you to report network abuse directly to network owners. The database is easy to use – it’s DNS driven and you can send requests to the DNS server in the same ways you would with an RBL or any other DNS-based list.

See also: How Spamexperts Can Improve Your Abuse Handling Process

Create A Structured Report Format

Unstructured data creates hours of unnecessary work, so it’s important for incoming reports to arrive in a common format that doesn’t require complicated rule sets. If you see high- or medium-volume reports coming from a reporter and they are not in a machine-parsable format, inform them that they should switch to a machine-parsable format such as XARF. XARF has become the M3AAWG (Messaging Malware Mobile Anti-Abuse Working Group) best practice.

Once the data has been received, it should be parsed and analyzed. The type, category, and priority level will depend on whether the abuse is mitigated or remediated. Remediation occurs when the abuse can be completely eliminated. Mitigation occurs when the abuse cannot be fully remediated, but its occurrence and effect can be minimized

Companies like Abusix have specialist products like AbuseHQ, which improves service provider security and reveals insights buried deep within your network abuse reports, helping your service provider reduce abuse and support ticket volumes. To find out more about how AbuseHQ can help abuse desks perform at their best, talk to our team to arrange a trial.

Read More


The definition of network abuse has become a hot subject again lately. People are wondering why there’s no clear definition...


Approximately 2,500 years ago, Sun Tzu, a Chinese general known as a great military strategist, allegedly wrote a book entitled...


With all of the cybercrime, famous spammers, and hacking in the headlines, you may think to yourself what will network...