Specification


This is a short specification for the new X-ARF (Extended Reporting Format). A more detailed specification will follow soon. We are working hard to present a good first draft to the community and to start a valuable discussion that improves the draft frequently. Some people will start reporting very soon; that way we can test first ideas, move step by step, and check and verify that our approach is going in the right direction.

If you are interested in joining us and starting to report in X-ARF, or if you think you might have some valuable ideas, let us know (info@x-arf.org). We are happy to get as much feedback as possible.

Idea of X-ARF:


X-ARF will be designed as a pure container format into which we can plug as many specific containers as we want. The content of one container can be completely different from that of another. The containers themselves will be defined in schemes. These schemes state, for every single field, whether it is mandatory or optional. To make the content easy for machines and humans to read we use YAML; the schemes are defined in JSON.

To make sure that everybody can understand all the different schemes, we want to establish a community that discusses new containers and additional information for existing containers, and that uses X-ARF for reporting and abuse handling. The schemes will be versioned and published on this webpage, so that every parser is able to validate against the newest X-ARF schemes and handle them.

Now let's start with the overview.

Overview:


Header:
We want you to add the following headers to your X-ARF reports.
  • "Auto-Submitted: auto-generated" according to RFC3834
    [mandatory if autogenerated]
  • "X-ARF: YES" according to RFC822
    [mandatory]
  • Content-Type: multipart/mixed
    [mandatory]

Subject:
We recommend an easily understandable subject line, as follows.
  • abuse report about <source> - <date> [recommended]

1st mime Part:
  • human readable
  • Content-Type:text/plain
  • charset=utf-8

2nd mime Part:
  • YAML (www.yaml.org) structured content, which must validate against the provided JSON schema (www.json.org, json-schema.org)
  • machine and human readable
  • Content-Type: text/plain
  • charset=utf-8
  • name="report.txt"

3rd mime Part:
  • of any mime type
  • Contains e.g. evidence (which may be anonymized)
  • of any content
  • Optional or mandatory as defined in the referred schema


Content of the 2nd mime Part: Mandatory Keys/Fields
Within the 2nd MIME part we will use some of the following fields. Please be aware that this is a draft and we are not near a stable version. If you want to start reporting in X-ARF, send us an email at info@x-arf.org; we will discuss the things you need, such as containers, and publish them on this webpage.

<Reported-From:> [mandatory][only once]
This field must be filled with the sending e-mail address.
Example:
Reported-From: whatever@example.com

<Category:> [mandatory][only once]
This field must be filled with one of the following categories:
  abuse     technical abusive behavior like any kinds of attacks, spam, ....., virus or malware
  fraud     financial abuse like credit card fraud, ...
  auth      misuse or failure of authentication methods: DKIM, SSL, SSH, POP3, ...
  info      all kinds of purely informational reports like blacklistings, delistings
  private   all kinds of closed information exchange between 2 or more parties

Usually this field will be defined by x-arf.org and the reporting party.
Example:
Category: abuse

<Report-Type:> [mandatory][only once]
This field will be filled with the type of report, for example login-attack, phishing-website, spamvertized, ...
Usually this field will be defined by x-arf.org and the reporting party to make sure it is unique.
Example:
Report-Type: login-attack

<User-Agent:> [mandatory][only once]
Put the name and version of the software responsible for the report here.
Example:
User-Agent: X-ARF Reporting Toolset V.:0.9.5(beta)

<Report-Id:> [mandatory][only once]
The Report-Id consists of the Unix timestamp, followed by a four-digit random number, followed by the sending domain:
[UNIXTIMESTAMP|randomnumber(4)]@domain.tld
Example:
Report-Id: 12679288729564@domain.tld

<Date:> [mandatory][only once]
This field contains the date of the incident itself, or the date when you recognized or found the incident. The date must be in the format described in RFC3339.
Example:
Date: Mon, 24 Aug 2009 16:19:15 -0000

<Source:> [mandatory][only once]
The Source field contains the source of the abusive behavior. Its form is described by <Source-Type:>.
Example:
Source: 192.168.1.134
Source: 2001:898:2000:c:213:206:89:190
Source: https://www.domain.tld/folder/file.xxx
Source: domain.tld
Source: localpart@domain.tld


<Source-Type:> [mandatory][only once]
The Source-Type describes the type of the Source. At the moment the following types are allowed:
  IPv4     RFC 791 compliant IP address
  IPv6     RFC 2460 compliant IP address
  URI      RFC 2396 compliant URI
  DOMAIN
  EMAIL
More Types will be defined as soon as they are needed.

<Attachment:> [mandatory][only once]
This field defines whether an attachment with further information exists. If no such attachment exists, this field has to be set to "NO". If an attachment exists, this field must contain the MIME type of the following attachment.

<Schema-URL:> [mandatory][only once]
This field contains the URI of the JSON Schema against which the incoming report has to be validated.
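As an added example that is not part of the X-ARF draft, the following Python builds a report in the structure described above (the mandatory headers, the three MIME parts, report.txt with the mandatory keys) and applies the checks a receiving parser should make before acting on it. Field values are taken from the draft's own examples; the Schema-URL is a placeholder, and the YAML is a flat mapping that is read back without a YAML library.

```python
import ipaddress
import re
from email.message import EmailMessage
MANDATORY = ("Reported-From", "Category", "Report-Type", "User-Agent", "Report-Id",
             "Date", "Source", "Source-Type", "Attachment", "Schema-URL")
CATEGORIES = {"abuse", "fraud", "auth", "info", "private"}
SOURCE_TYPES = {"IPv4", "IPv6", "URI", "DOMAIN", "EMAIL"}
EXAMPLE_FIELDS = {  # constructed from the draft's example values; Schema-URL is a placeholder
    "Reported-From": "whatever@example.com", "Category": "abuse", "Report-Type": "login-attack",
    "User-Agent": "X-ARF Reporting Toolset V.:0.9.5(beta)", "Date": "Mon, 24 Aug 2009 16:19:15 -0000",
    "Report-Id": "12679288729564@domain.tld", "Source": "192.168.1.134", "Source-Type": "IPv4",
    "Attachment": "text/plain", "Schema-URL": "https://example.org/PLACEHOLDER-schema.json"}

def build_report(fields, human_text, evidence=None):
    """Assemble the three-part multipart/mixed message with the mandatory headers."""
    msg = EmailMessage()
    msg["From"] = fields["Reported-From"]
    msg["Subject"] = "abuse report about %s - %s" % (fields["Source"], fields["Date"])
    msg["Auto-Submitted"] = "auto-generated"  # RFC 3834, mandatory if autogenerated
    msg["X-ARF"] = "YES"
    msg.set_content(human_text)               # 1st part: human readable, text/plain utf-8
    msg.make_mixed()                          # Content-Type: multipart/mixed
    yaml_text = "".join("%s: %s\n" % kv for kv in fields.items())  # flat YAML mapping
    msg.add_attachment(yaml_text, subtype="plain", filename="report.txt")  # 2nd part
    if evidence is not None:                  # 3rd part: evidence, here text/plain
        msg.add_attachment(evidence, subtype="plain", filename="evidence.txt")
    return msg

def report_fields(msg):
    for part in msg.iter_attachments():  # the 2nd part is the one named report.txt
        if part.get_filename() == "report.txt":
            lines = part.get_content().splitlines()  # flat scalars, no YAML library needed
            return dict(line.split(": ", 1) for line in lines if ": " in line)
    return {}

def check_report(msg):
    """Return the fields a receiving parser should reject; an empty list means OK."""
    f = report_fields(msg)
    bad = [k for k in MANDATORY if k not in f]
    if f.get("Category") not in CATEGORIES: bad.append("Category")
    if f.get("Source-Type") not in SOURCE_TYPES: bad.append("Source-Type")
    # UNIXTIMESTAMP (10 digits) followed by 4 random digits, as in the draft's example
    if not re.fullmatch(r"\d{14}@[A-Za-z0-9.-]+", f.get("Report-Id", "")): bad.append("Report-Id")
    try:  # the Source must really be what Source-Type claims
        if f.get("Source-Type") == "IPv4": ipaddress.IPv4Address(f.get("Source", ""))
        if f.get("Source-Type") == "IPv6": ipaddress.IPv6Address(f.get("Source", ""))
    except ValueError: bad.append("Source")
    extra = [p for p in msg.iter_attachments() if p.get_filename() != "report.txt"]
    if f.get("Attachment", "NO") != "NO" and not extra: bad.append("Attachment")  # 3rd part promised
    return sorted(set(bad))
```

Date is deliberately not validated here: the draft text names RFC3339, while its example value is written in RFC822/RFC2822 style.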


We are starting to develop containers with people who are already able to report information and use this format. That way we will be able to publish already existing and already used containers soon. If you have ideas for optional fields in existing containers, or for completely new containers, let us know.

But please be aware that this is a draft in a very early stage. If you have questions, feel free to contact us via email at info@x-arf.org.

Thank You

Your X-ARF Team



Copyright (C) 2010 X-ARF.ORG COMMUNITY
This document and translations of it and the provided schema files may
be used to implement X-ARF, this document may be copied and furnished to
others, and derivative works that comment on or otherwise explain X-ARF
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works. However, this document itself
may not be modified in any way.

THIS DOCUMENT AND THE INFORMATION CONTAINED HEREIN IS PROVIDED ON AN "AS
IS" BASIS AND X-ARF.ORG DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.