ARF


rconner

Posted

I reported a 419 e-mail address to Hotmail via the report_spam address and got the usual shuck-and-jive from MS, which included the following interesting bit:

Windows Live Hotmail processes complaints received in the Abuse Reporting Format (ARF) format. ARF is the industry standard for reporting spam complaints. Using the ARF format helps us ensure that someone can only report complaints about mail actually generated by a Windows Live Hotmail user. A valid ARF formatted complaint is a message containing the entire original spam or abusive message (including all message headers) as an attachment. To learn more about ARF, review the draft RFC at:

http://www.mipassoc.org/arf/specs/draft-sh...k-report-05.txt.

Examining the link, I find that the ARF is a rather complicated multipart MIME affair that of course end users are ill-equipped to generate.

Is this really an "industry standard?" Can an unnumbered RFC really be leaned upon as an "industry standard?"

Has anyone heard of this ARF stuff? Is anyone actually using it to create reports, or to process reports that are received in this form? If they are going to become more widely used, it might be beneficial to have some sort of tool to create them.

-- rick

Posted
Examining the link, I find that the ARF is a rather complicated multipart MIME affair that of course end users are ill-equipped to generate.

The link provided points to an expired draft document, dead as of December 18, 2008. However, I will also note that there is a current draft version at An Extensible Format for Email Feedback Reports .... further noting that the term/description of "ARF" is actually used to describe only one possible use of this 'format' ....

Is this really an "industry standard?" Can an unnumbered RFC really be leaned upon as an "industry standard?"

Absolutely not. As described within the header section of this very document, Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

Has anyone heard of this ARF stuff? Is anyone actually using it to create reports, or to process reports that are received in this form? If they are going to become more widely used, it might be beneficial to have some sort of tool to create them.

Actually, the way I read this, the 'goal' is to basically end up at some point with "end-user e-mail clients" having the capability of generating one of these type of formatted reports. Personally, I wouldn't hold my breath expecting this type of crap showing up anytime soon. Actually, some of the background thoughts leave me laughing a bit, as I have run into so many "report addresses" that are already set up to not allow 'e-mails with attachments' to begin with. (Can't help but think that it seems to me that several of the MSN/HotMail addresses [still] do this as a matter of fact ..???) Some heavy duty software at the ISP/Host level might incorporate something like this, but I'd think it would take quite a while for 'end-user client' software to add this kind of complexity into their code (never mind the issues of users making the right decision on the 'type of report' to send out to some place - and even there, wondering where the target addresses might end up being determined).

Although I recognise a name or two in the mailing-list, I'm sure not overwhelmed by the support/traffic in the discussions seen in the archives at http://www.mipassoc.org/arf/

Posted

I, too, found the more up-to-date draft (no thanks to MS). I also found and joined a public mailing list at the site, and sent them a message inquiring for their thoughts about the problem of reporting drop-boxes.

This RFC defines what it calls "feedback types" that include classic categories like "spam" and "fraud" but nothing specifically about drop-box issues. One poor soul posted a couple of years ago to ask that drop boxes be elevated to the status of a feedback type; he got very little sympathy ("The Reply-To is already in the message packet MIME part, we don't have to repeat it elsewhere").

Seems that the ARF messages are intended for exchanges between mail operators, but there is some mention of end-users being able to send them as well. This would be damn near impossible, however, without some sort of tool for collecting the information and constructing the MIME body. I'm not aware of any e-mail clients that support any sort of specialized MIME types other than for standard e-mail messages.

One begins to suspect that MS regards this ARF business simply as a way to shut out any but the very most determined reporters of abuse. Looks like if you need a drop-box for your next 419 campaign, Hotmail/live.com would be a good bet.

-- rick
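
The multipart MIME structure discussed in the post above, as an added example that is not part of the original thread: it follows the three-part layout of the feedback-report draft (later published as RFC 5965) and shows that the drop-box Reply-To travels inside the attached original. The function names, the example.* addresses, the `arf-example/0.1` User-Agent string and the sample message are all constructed for illustration.

```python
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Constructed sample: a 419 message whose Reply-To is the drop box.
SAMPLE_SPAM = """\
From: "Barrister Example" <sender@example.net>
Reply-To: dropbox@example.com
To: victim@example.org
Subject: URGENT BUSINESS PROPOSAL
Message-ID: <constructed-1@example.net>

Kindly reply with your bank details.
"""

def build_arf(raw_original, feedback_type, reporter, abuse_desk):
    """Wrap one raw message (headers and body) in a multipart/report."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"], report["To"] = reporter, abuse_desk
    report["Subject"] = "Abuse report (%s)" % feedback_type
    # Part 1: human-readable note for the abuse desk.
    report.attach(MIMEText("This is an abuse report in ARF format.\n"))
    # Part 2: machine-readable fields (the three required by RFC 5965).
    fields = MIMENonMultipart("message", "feedback-report")
    fields.set_payload("Feedback-Type: %s\nUser-Agent: arf-example/0.1\n"
                       "Version: 1\n" % feedback_type)
    report.attach(fields)
    # Part 3: the complete original message, all headers included.
    report.attach(MIMEMessage(message_from_string(raw_original)))
    return report.as_string()

def read_arf(text):
    """Pull out what an abuse-desk script would grep for."""
    msg = message_from_string(text)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF report")
    parts = msg.get_payload()
    if len(parts) != 3 or parts[1].get_content_type() != "message/feedback-report":
        raise ValueError("malformed ARF report")
    fields = parts[1].get_payload(0)    # field block parses like headers
    original = parts[2].get_payload(0)  # the attached message/rfc822
    return {"feedback_type": fields["Feedback-Type"], "version": fields["Version"],
            "reply_to": original["Reply-To"], "subject": original["Subject"]}

if __name__ == "__main__":
    print(read_arf(build_arf(SAMPLE_SPAM, "fraud", "reporter@example.org",
                             "abuse@example.com")))
```
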

Posted
...One begins to suspect that MS regards this ARF business simply as a way to shut out any but the very most determined reporters of abuse. Looks like if you need a drop-box for your next 419 campaign, Hotmail/live.com would be a good bet.
I suspect Windows Live Hotmail is operating on a totally different wavelength - from a viewpoint that the entire universe should be using their service and, due to their undoubtedly efficient (and invisible) 'filter and silently drop' process for spam (and other suspect e-mail), the 'average' users will never need to bother their pretty little heads about reporting spam. Spam never happened. Like Tiananmen Square. If, at the same time, the service provides effectively bulletproof drop-boxes for spam sent from other services to other services, then all the more reason why the universe should be using Windows Live Hotmail. Exclusively. Pretty neat, eh? The effective use of uselessness. 'Supercity' (suPERcity), in a word (reference Brian W Aldiss). There's more of it around than we might think. I love it when hominids get devious and disingenuous.
Posted

I don't read the automatic responses generally, but I have received several replies from hotmail saying that a drop box has been closed. They came fairly recently, but not recently enough to still be in my deleted items.

I just sent one to live.com so we will see if I get a reply.

Miss Betsy

Posted

This is the reply:

".... the e-mail you received is a Phishing message. "Phishing" is a term that is used to describe fraudulent e-mail that is designed to acquire your identity by stealing your personal information. These misleading e-mail messages may appear to come from MSN or from another reputable company but are actually from persons masquerading as legitimate businesses. These e-mail messages will prompt you to disclose personal information, such as your bank account information or Social Security number to a fraudulent Web site. The sender of the e-mail can use this personal information to damage your credit status, access your personal accounts, open new accounts in your name, steal your funds, or commit fraudulent transactions in your name.

Moving forward, I have closed the xxxx[at]live.com account you reported in accordance with our Terms of Use (TOU)."

No mention of ARF.

Miss Betsy

Posted
Moving forward, I have closed the xxxx[at]live.com account you reported in accordance with our Terms of Use (TOU)."

Good for you! Exactly what abuse address at live.com did you use for reporting? And, if you don't mind, can you post the text of your report? You can leave out the actual scam mail and any identifying info -- I just want to see if there were some magic words I didn't use. And, did you report as a live.com/hotmail user? Maybe this carries more clout.

Meanwhile, I have been in touch on the ARF mailing list. I got back a number of good answers to my query, including one from one of the RFC authors and one from a Famous Internet Personality ™.

  • As one might suspect, when you send an abuse report to some big ISPs, they will process them with scripts that will grep out the relevant information and (presumably) present it to the abuse person in a standardized form. If you use ARF, this presumably makes the parsing job easier.
  • From there, the response seems to be variable, and may depend upon which abuse minion gets your address in his or her in-tray. In my case, I got slam-dunked. In Miss Betsy's, she got a sensible answer and a successful outcome. This for two similar complaints to the same provider (live.com).
  • I concluded from my chat with the ARF people that there'd be no particular point in my making extra effort to put messages into an ARF format; whether or not the report is acted upon depends mainly upon the whim of the analyst, and less upon the particular format of the report (assuming all info is present and correct).

-- rick

Posted

Yes, I keep it short the way spamcop does.

"Subject: drop box xxxx[at]live.com

Body:

This phish wants you to reply to xxxx[at]live.com

Betsy"

followed by copy of Message Source (and sent by plain text; I have to check to be sure I have that option selected because sometimes I do use HTML).

I sent it to report_spam[at]live.com.

I am not quite sure what to put in the subject line - some abuse desks want the subject line of the spam and so I vary the subject sometimes.

For the ones I report manually to the source (like Hotmail since I am a Hotmail user), I say "The following appears to come from hotmail.com." followed by a copy of the entire spam. Sometimes, if I am on a roll, after reporting the drop box, I report to the source abuse desk. Then I say, "This appears to come from xxx.xxx.xx.xx (or xxx.edu - depending on my mood)"

Miss Betsy

Posted

Good work Miss Betsy! Seems I shall have to revise my darkened view of Windows Live Hotmail and its practices/mindset. Well, that's a good thing.

Posted

It might be that they are so helpful because I am using a hotmail account to report from. They might not be as helpful if my email address was not hotmail.

However, I also get replies from yahoo, though they just say the account has been dealt with appropriately or words to that effect.

And, occasionally from server admins of the source.

Miss Betsy

Posted
Meanwhile, I have been in touch on the ARF mailing list. I got back a number of good answers to my query, including one from one of the RFC authors and one from a Famous Internet Personality ™.

Some could lower the bar a bit and state that you've heard from a few <g>. For instance, the other Steve was one who was going to write up a tool (a number of years back) that would actually work, unlike SpamCop.net. Noting that I still use his SamSpade tool-set, it hasn't been updated since those times of the word-wars either.

  • From there, the response seems to be variable, and may depend upon which abuse minion gets your address in his or her in-tray. In my case, I got slam-dunked. In Miss Betsy's, she got a sensible answer and a successful outcome. This for two similar complaints to the same provider (live.com).
  • I concluded from my chat with the ARF people that there'd be no particular point in my making extra effort to put messages into an ARF format; whether or not the report is acted upon depends mainly upon the whim of the analyst, and less upon the particular format of the report (assuming all info is present and correct).

For those that haven't looked at those archives, Levine described the current status quo pretty well with;

Now and then I get "the message didn't have full headers" because their ticketing system or their MUA smashed the message, but for the most part I get responses at least as good as I got with plain text.

Godoy's comment "2. if no acknowledgment is received, send ARF with a header only attachment (some ISP rejects the report because the attached evidence scores too high! I realized this because one of them was kind enough to reject the message in the SMTP conversation, instead of devnulling it)." had me laughing a bit ... the last ISP I tried to notify about our mafia spammer rejected all my e-mails to the role accounts and the listed contact addresses because they were filtering all incoming ... the rejections were based on my including the history of this spammer and I chose to include the Domain involved of where the spammer was hosting his pages .. and that Domain was in their blacklist. (and this action totally ignored the great response I was getting from the staff there at knocking down sites as fast as they could.) It took me a while to figure out what their rejection notice was actually complaining about.

In general, I'm still of the thought that this is nowhere near ready for the all-too-typical end-user. The selection of target contact addresses is still in limbo, noting that at least one commenter noted that some of the ISPs using this have set up 'special' addresses. On the other hand, it's also a bit hard to ignore that at least some of this approach was set up by Julian way back when .. a standardized Report Format with a "type identifier" describing just what the Report was complaining about. Both Levine and Atkins are aware of SpamCop.net and have been for years.

Archived

This topic is now archived and is closed to further replies.
