You mention email, do you suggest 1 email per incident #25

Open
PeterPann23 opened this issue Sep 29, 2021 · 5 comments

@PeterPann23

Hi,

The items are per incident, how would one send the email?
You have samples?

@FrederikP
Collaborator

As stated in our README, if you want to use email/smtp to transport xarf, then the email looks like described in this section: https://github.com/abusix/xarf#xarf-via-smtp

Currently you'll need to send one email per xarf report. I gave some of the reasons for the decision in the other issue #23

Still, we are open to any discussion regarding requirements for abuse reporting and want to make sure that organizations can start using xarf for reporting abuse wherever it makes sense.

@IByte

IByte commented Feb 25, 2022

I'm not sure whether to ask my question here or in a newly created issue. I'm just going to ask it here, as it is also about e-mail.

My question: Does requiring a Content-Type header of "multipart/report; report-type=feedback-report" mean that XARF reports cannot be generated using a standard end-user e-mail client (e.g. Gmail)?

@FrederikP
Collaborator

I guess so, for now most users of xarf report automatically and not via an email client, but it's actually a pretty good point.

The reason for the header is that people who are receiving tons of abuse reports in different formats need a quick way of finding out whether something contains an xarf report or not. In the best case this is possible without looking into the attachment itself.
Do you have an idea to solve both problems at once?

Side note:

At abusix we also have plans to provide user friendly reporting tools that take care of generating xarf and sending it to the responsible abuse contact automatically.

@IByte

IByte commented Feb 25, 2022

Do I have an idea... Well, off the top of my head, instead of requiring custom headers, you could require that the subject line starts with a signal word like "[XARF-REPORT] "...

Thanks for your quick response, and I am looking forward to seeing your new ideas for making abuse reports easier (and not just for SSH, but for e.g. web server probing as well).

@Artoria2e5

Artoria2e5 commented Aug 19, 2024

I'm using fail2ban with an elevated (I say that to pretend to be responsible) fail threshold, with the builtin xarf-login-attack.conf action. I find IByte's idea quite good and have accordingly modified it on my end. Would it be a good idea to PR them so more messages follow that signal word?

(Now Subject: [XARF-REPORT] Abuse $IP - $DATE, used to be Subject: abuse report about $IP - $DATE at https://github.com/fail2ban/fail2ban/blob/master/config/action.d/xarf-login-attack.conf)
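
Added example, not part of this thread and not code from the xarf project: a receiving-side triage check in Python that recognises a report either by the `multipart/report; report-type=feedback-report` Content-Type discussed above or by the `[XARF-REPORT] ` subject prefix proposed by IByte. The sample messages are constructed, the function names are hypothetical, and the subject prefix is the thread's suggestion rather than something the spec defines.

```python
from email import message_from_string
from email.message import Message

# Signal word proposed in the thread; an assumption here, not part of the XARF spec.
SUBJECT_TAG = "[XARF-REPORT] "

def xarf_hint(msg: Message) -> str:
    """Return how a message announces a XARF report: 'header', 'subject' or 'none'."""
    # multipart/report alone is not enough: bounces (DSNs) use it too,
    # so the report-type parameter has to match as well.
    report_type = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() == "multipart/report" and report_type == "feedback-report":
        return "header"
    if str(msg.get("Subject", "")).startswith(SUBJECT_TAG):
        return "subject"
    return "none"

def triage(raw_messages):
    """Classify raw RFC 5322 messages; anything but 'none' goes to the XARF parser."""
    return [xarf_hint(message_from_string(raw)) for raw in raw_messages]

# Constructed sample messages (documentation addresses, not real reports).
SAMPLES = [
    # 1. automated reporter that sets the Content-Type discussed in the thread
    'From: reporter@example.net\nTo: abuse@example.org\n'
    'Subject: abuse report about 192.0.2.10 - 2024-08-19\n'
    'Content-Type: multipart/report; report-type=feedback-report; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nconstructed body\n--b1--\n',
    # 2. ordinary mail client: cannot set the header, uses the subject tag
    'From: admin@example.net\nTo: abuse@example.org\n'
    'Subject: [XARF-REPORT] Abuse 192.0.2.10 - 2024-08-19\n'
    'Content-Type: text/plain\n\nconstructed body\n',
    # 3. a bounce: multipart/report, but report-type=delivery-status
    'From: mailer-daemon@example.net\nTo: abuse@example.org\n'
    'Subject: Undelivered mail\n'
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b2"\n\n'
    '--b2\nContent-Type: text/plain\n\nconstructed body\n--b2--\n',
]

if __name__ == "__main__":
    for hint in triage(SAMPLES):
        print(hint)
```

Both signals are set by the sender, so they only decide which messages are handed to the XARF parser; the report content still has to validate on its own.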
