ARF (Abuse Reporting Format)

xsr
Junior Member
Posts: 1
Joined: 15 Mar 2010, 22:34

Post by xsr »

Greetings!

I've been using csf ever since I discovered it. It's awesome. I even recommended it today to an abuse dept. team leader (of a company with 4k+ servers) after resolving an abuse matter.
During the chat I had with this person, ARF came up. It looks like an upcoming standard for reporting abuse, which I would definitely like to see within csf.
There is also a Perl module for it, see the next link ( wordtothewise.com/resources/mimearf.html ). More information on the subject is, obviously, on Wikipedia ( en.wikipedia.org/wiki/Abuse_Reporting_Format ).

I am aware that it is mostly used for email reporting, yet I know that fail2ban also implemented it somehow. I think it could be used for reporting brute-force attacks to originating network owners. (Example reports for login failures in ARF: blocklist.de/downloads/report_ssh.eml / blocklist.de/downloads/report_postfix.eml ).

Anyway, keep up the good work!

ffs @ 5 posts url posting limit :D
fail2ban
Junior Member
Posts: 3
Joined: 11 Apr 2010, 09:25

Post by fail2ban »

Hello xsr,

We have changed the reports to X-ARF, because we could not send all attacks, RFI, malware and phishing with ARF.
In X-ARF, we could send all attack types:
x-arf.org/specification.html

regards
Martin (blocklist.de)
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Post by ForumAdmin »

I'll look at adding X-ARF support to the reports, though I'm unsure whether to add an option to automated reporting as that could be fraught with problems (reporting false-positives by a client is the obvious issue).
fail2ban
Junior Member
Posts: 3
Joined: 11 Apr 2010, 09:25

Post by fail2ban »

Hello,

The abuse department can set a priority for the Type and Category and "Reported-From".
When you receive a message with:
Reported-From: x1@domain.tld
Category: abuse
Report-Type: login-attack

you can give the report a high priority and parse it automatically. If the Report-Type is not "login-attack" or the "Reported-From" is another address, you can forward the report to your abuse team for manual evaluation.
The recipient can decide how it handles or prioritizes the reports, or what action should be executed.

Martin
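
The triage described in the post above, as an added example (not code from csf, blocklist.de or any poster in this thread). It assumes the three fields arrive as "Key: value" lines in a text part of the report mail; `TRUSTED_REPORTERS`, `AUTO_TYPES` and the sample message are constructed for illustration. Reports with missing or conflicting fields fall through to manual review.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy: reporters and (Category, Report-Type) pairs handled automatically.
TRUSTED_REPORTERS = {"x1@domain.tld"}
AUTO_TYPES = {("abuse", "login-attack")}

# Constructed sample report: a human-readable part plus a machine-readable part.
SAMPLE = """\
From: reporter@example.org
To: abuse@example.net
Subject: constructed sample report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Login failures were seen from a host in your network.
--b1
Content-Type: text/plain; name="report.txt"

Reported-From: x1@domain.tld
Category: abuse
Report-Type: login-attack
--b1--
"""

def report_fields(raw):
    """Collect "Key: value" lines from every text part (mail headers are ignored)."""
    fields = {}
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container and binary attachments
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() and " " not in key.strip():
                fields.setdefault(key.strip().lower(), set()).add(value.strip().lower())
    return fields

def triage(raw):
    """Return "auto" only for a trusted reporter and an allowed type, else "manual"."""
    f = report_fields(raw)
    # A field that is missing or appears with conflicting values counts as absent.
    one = lambda name: next(iter(f[name])) if len(f.get(name, ())) == 1 else None
    reporter = parseaddr(one("reported-from") or "")[1]
    if reporter in TRUSTED_REPORTERS and (one("category"), one("report-type")) in AUTO_TYPES:
        return "auto"
    return "manual"
```
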
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

This is now implemented.