abusix / xarf

XARF - eXtended Abuse Reporting Format
https://abusix.com/xarf/
MIT License

You mention email, do you suggest 1 email per incident #25

Open PeterPann23 opened 2 years ago

PeterPann23 commented 2 years ago

Hi,

The items are per incident; how would one send the email? Do you have samples?

FrederikP commented 2 years ago

As stated in our README, if you want to use email/smtp to transport xarf, then the email looks as described in this section: https://github.com/abusix/xarf#xarf-via-smtp

Currently you'll need to send one email per xarf report. I gave some of the reasons for the decision in the other issue https://github.com/abusix/xarf/issues/23

Still, we are open to any discussion regarding requirements for abuse reporting and want to make sure that organizations can start using xarf for reporting abuse wherever it makes sense.

IByte commented 2 years ago

I'm not sure whether to ask my question here or in a newly created issue. I'm just going to ask it here, as it is also about e-mail.

My question: Does requiring a Content-Type header of "multipart/report; report-type=feedback-report" mean that XARF reports cannot be generated using a standard end-user e-mail client (e.g. Gmail)?

FrederikP commented 2 years ago

I guess so, for now most users of xarf report automatically and not via an email client, but it's actually a pretty good point.

The reason for the header is that people who are receiving tons of abuse reports in different formats need a quick way of finding out whether something contains an xarf report or not. In the best case this is possible without looking into the attachment itself. Do you have an idea to solve both problems at once?

Side note:

At abusix we also have plans to provide user friendly reporting tools that take care of generating xarf and sending it to the responsible abuse contact automatically.

IByte commented 2 years ago

Do I have an idea... Well, off the top of my head, instead of requiring custom headers, you could require that the subject line starts with a signal word like "[XARF-REPORT] "...

Thanks for your quick response, and I am looking forward to seeing your new ideas for making abuse reports easier (and not just for SSH, but for e.g. web server probing as well).

Artoria2e5 commented 2 weeks ago

I'm using fail2ban with an elevated (I say that to pretend to be responsible) fail threshold, with the builtin xarf-login-attack.conf action. I find IByte's idea quite good and have accordingly modified it on my end. Would it be a good idea to PR them so more messages follow that signal word?

(Now Subject: [XARF-REPORT] Abuse $IP - $DATE, used to be Subject: abuse report about $IP - $DATE at https://github.com/fail2ban/fail2ban/blob/master/config/action.d/xarf-login-attack.conf)
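As an added example (not code from this thread or from the xarf project), here is the SMTP transport FrederikP describes and the subject-line fallback IByte and Artoria2e5 discuss, in Python: one report per email, the required Content-Type of multipart/report; report-type=feedback-report, and a receiver-side check that recognises a report from headers alone before touching the attachment. The attachment name xarf.json and the report fields are assumptions of this example, not taken from the README.

```python
import json
from email.message import EmailMessage
from email.parser import Parser
from email.policy import default

SUBJECT_TAG = "[XARF-REPORT]"  # signal word proposed in this thread

# Constructed placeholder payload; the field names only loosely follow the XARF
# JSON layout and are not validated against the schema here.
SAMPLE_REPORT = {
    "Version": "4",
    "Report": {"ReportClass": "Activity", "ReportType": "LoginAttack",
               "SourceIp": "192.0.2.10", "Date": "2024-01-01T00:00:00Z"},
}

def build_xarf_mail(report: dict, sender: str, recipient: str) -> str:
    """One report per email: multipart/report; report-type=feedback-report,
    the XARF JSON as an attachment, and the subject tag as a second marker."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    r = report["Report"]
    msg["Subject"] = f"{SUBJECT_TAG} Abuse {r['SourceIp']} - {r['Date']}"
    msg.set_content("An XARF abuse report is attached as xarf.json.")
    msg.add_attachment(json.dumps(report).encode(), maintype="application",
                       subtype="json", filename="xarf.json")  # name assumed
    # add_attachment made the message multipart/mixed; relabel it with the
    # report type the README requires while keeping the boundary parameter.
    msg.set_type("multipart/report")
    msg.set_param("report-type", "feedback-report")
    return msg.as_string()

def classify(raw: str) -> str:
    """Receiver-side triage from headers alone; no attachment parsing."""
    msg = Parser(policy=default).parsestr(raw)
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "feedback-report"):
        return "xarf-header"
    if str(msg["Subject"] or "").startswith(SUBJECT_TAG):
        return "xarf-subject"  # fallback for mail sent from a plain email client
    return "unknown"

def extract_report(raw: str) -> "dict | None":
    """Pull the JSON attachment out of a mail that classify() flagged."""
    msg = Parser(policy=default).parsestr(raw)
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/json":
            return json.loads(part.get_content().decode())
    return None
```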