Introduction
The SMTP data channel configuration applies to the following situations:
Sending to your AbuseHQ instance
- reports sent to the abuse@ role address, including abuse web form submittals from your website
Reporting abusive behavior to Abusix
- spam trap emails
- emails reported as spam by users in your mail platform
- other (e.g., reports of abuse to be routed to network or DNS operations through Abusix Global Reporting)
Please remember that sending in data via the API with XARF field formatting is recommended, as sending the data via API guarantees that data may be processed and used immediately. Learn more about sending data to our API.
Email Formats
Using standards increases the chances of your data being parsed automatically. Therefore, the ideal email format uses MARF and XARF for SMTP. These two standards make report handling automatic and straightforward and should be followed as much as possible. But that said, we automatically parse other formats like Shadowserver’s format, IODEF, TAXII, and others.
Be aware there are situations where your data may not be parseable, as various factors can influence the outcome; for example, when an issue applies to an entire ASN, it does not make sense to create an event for every single IP address in your network. Contact support if you have questions about this.
Sending abuse reports to your AbuseHQ instance by email
Aliasing your abuse@ role address(es) to AbuseHQ
- Abuse reports sent to the abuse@ role address should be forwarded by “aliasing” your abuse@ role address: add the Abusix data channel email address provided to you when you configured the email data channel in app.abusix.com.
- If you send reports that you receive at an email address other than the abuse@ role address, “alias” that address to the email address provided in app.abusix.com.
- See Inbound Processing, Event Types for all the types of Vulnerabilities and Abuse that AbuseHQ automatically tags and orchestrates.
Access the System Settings menu within AbuseHQ to configure Data Channels.
You will need to access this menu within the Admin Portal to access the Data Channels:
- Click the Settings option in the left menu under AbuseHQ.
- Click on Data Channels.
- Next click on Create Data Channel.
The next screen will guide you through a couple of steps that will get your report forwarding started.
Forwarding abuse reports from web forms or internal platforms to AbuseHQ
- If possible, don’t use email for internal reports but submit them via our API using an XARF Schema.
- You may have to submit via email if you have a web form for reporting abuse or a system generating alerts in your network. In these cases, use XARF for SMTP. Also, see our documentation for more information.
- If you wish to send reports from internal systems, avoid bulk email reports, as parsing them and maintaining the parsers is manpower intensive compared with the fire-and-forget integration provided by submitting data via the API to Data Channels.
Reporting abusive behavior to Abusix by email
You may report abusive behavior to Abusix both to report back to the network owner and to send data to your AbuseHQ instance.
An example is when you have an abuse report stream that might include information about your network (and you are using AbuseHQ) AND you wish to report abusive behavior to other networks from the same stream.
When we process information in this stream, we split the data between networks.
Forwarding spam trap emails
When configuring your Data Channel, you will be asked to provide a “data type.”
When the “data type” is Spam trap emails, the email addresses must only be genuine email traps that should never receive benign traffic.
- Please configure the address to forward the trap hits directly. Please don’t pack the data in an envelope.
- When you forward traps, the envelope FROM of the sent message should be the original FROM value sent to the trap. Please don’t ever use your address in a trap email.
- We can provide Redaction/Anonymization, but only when the email is in its original format, and all headers are intact.
- If you cannot send the trap information in its original form for some reason, then for the information to be useful we will need you to attach an x-originating-ip header to the original mail, containing the IP address of the malicious sender that sent the mail to the trap.
“This Is Spam” user reports
When configuring your Data Channel, you will be asked to provide a “data type.”
When the “data type” is This is Spam, the expected emails are spam reports generated by the “This Is Spam” buttons in your users’ email UI.
- The reported spam from the “This is Spam” buttons should be sent as an attachment in an envelope report mail and not directly forwarded.
- If available, attach information about the original
  - sender’s IP address to the report mail carrying the envelope using the x-originating-ip header.
  - envelope FROM value to the report mail carrying the envelope using the x-original-from header.
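The two forwarding shapes described above (spam trap hits sent directly with the original envelope FROM, and “This Is Spam” reports sent as an attachment with the two headers) can be built as follows. This is an added example, not Abusix code: the function names, the sample message and all addresses are constructed placeholders, and the data channel address must be replaced with the one shown in app.abusix.com.

```python
import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: a message exactly as it arrived at the mail platform.
ORIGINAL = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.55])\r\n"
    b"From: Offers <promo@example.net>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: You won\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"Claim your prize.\r\n"
)

def build_user_report(original, sender_ip, envelope_from,
                      report_from, channel_addr):
    """'This Is Spam': original mail attached inside an envelope report mail."""
    ipaddress.ip_address(sender_ip)  # raises ValueError on a malformed IP
    if any(c in envelope_from for c in "\r\n"):
        raise ValueError("envelope FROM contains a line break")
    report = EmailMessage()
    report["From"] = report_from
    report["To"] = channel_addr
    report["Subject"] = "This Is Spam user report"
    report["x-originating-ip"] = sender_ip      # original sender's IP address
    report["x-original-from"] = envelope_from   # original envelope FROM value
    report.set_content("User-reported spam; original message attached.")
    # Attached as message/rfc822 so the original headers stay intact.
    report.add_attachment(message_from_bytes(original, policy=policy.SMTP))
    return report

def trap_forward(original, envelope_from, channel_addr, sender_ip=None):
    """Spam trap hit: (from_addr, to_addrs, data) for smtplib.SMTP.sendmail()."""
    data = original  # forwarded as received, not packed in an envelope
    if sender_ip is not None:  # only when the original form was not preserved
        ipaddress.ip_address(sender_ip)
        data = b"x-originating-ip: " + sender_ip.encode("ascii") + b"\r\n" + original
    return envelope_from, [channel_addr], data

if __name__ == "__main__":
    # Placeholder addresses; nothing is sent, the report is only printed.
    print(build_user_report(ORIGINAL, "192.0.2.55", "bounce@example.net",
                            "abuse-reports@example.org", "channel@example.invalid"))
```
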
Other
When configuring your Data Channel, you may select the “data type” Other.
This data type has no specific requirements, though using XARF formatting via email will always be the fastest and least costly reporting method.
When you specify the “Other” category, please tell us in the comments what kind of data you are sending so we have some context when evaluating and processing the data in the channel.
- “Other” data will be held in staging and not be parsed automatically until we have a clear view of the objective.
Learn more about Data Channels
This will help provide you with an Overview of the XARF Format