M3AAWG Publishes ARF/X-ARF Usage Recommendation

M3AAWG, the Messaging, Malware, and Mobile Anti-Abuse Working Group (http://www.m3aawg.org) recently published a document affirming their recommendation that Abuse Reporting Format (ARF) be the preferred method of reporting email abuse through feedback loops (FBLs) and other means. In addition, the document recommends that the X-ARF format be used to report any abuse incidents that are not email-based.

The ARF standard was first published in 2005, and it defines a format for reporting abuse messages that is intended to be easily parsed by machine-based methods. The format also encapsulates any potentially dangerous payload in the report in an attachment to the report, ensuring that it doesn’t get automatically loaded and executed by the receiver of the report. Both of these features combine to allow for greater efficiency in the processing of reports, since tools can be written to automate such processing.

X-ARF is not yet a mature standard like ARF, but the intent of its champions is to extend the ARF standard to allow for reporting of other types of abuse, such as attempted login attacks, to the appropriate parties. M3AAWG believes at this time that as this effort proceeds, it will be a viable method for such reporting. Time will tell on this front, as there are other possible formats for this, such as the TAXII mechanism, which makes use of the STIX language.

In addition to extolling the virtues of ARF and X-ARF, the document also discusses the common tactic of designating an address other than the standard abuse address for receiving such reports when enrolling in FBLs, as well as strategies for processing ARF reports that might arrive unbidden at your normal abuse address.

What It Means To You

If you’re an email marketer or other sender of bulk mail, or you work an abuse desk at a mailbox provider, you’re probably already enrolled in numerous FBLs, most of which are sending complaints to you in ARF format, so this may be old hat to you. (If you’re a marketer or bulk sender and you’re not enrolled in FBLs, you really should be. )There’s not much groundbreaking information in this document, but it does serve as a starting point for someone who’s looking to learn about the ins and outs of ARF, and how it can help you fight abuse leaving your network.