abusix / xarf

XARF - eXtended Abuse Reporting Format
https://abusix.com/xarf/
MIT License

XARF URL defanging #32

Closed rommelfs closed 1 year ago

rommelfs commented 2 years ago

I apologise if I didn't spot it, but is XARF supporting defanged URLs in one or another way? I just want to be sure that an XARF attachment is not being blocked by some smart mail filter rule because of malicious indicators.

Maximilian-Staab commented 1 year ago

The schema currently doesn't allow for defanged URLs in any way, and I don't think it's something we will support in the future.

Here's the reasoning behind that:

  1. Defanged URLs are often used to prevent accidental clicks from abuse-desk workers. This should be a non-issue for XARF, because the schema is intended to be processed automatically.
  2. Spam filters on abuse addresses are never a good idea[^1] and shouldn't be a reason for adding defanged URLs. We even made a video about this issue a while ago: https://www.youtube.com/watch?v=1xeLcHIkTMo
  3. Someone who runs a spam filter on their abuse address probably won't be diligent about the incoming messages anyway.

[^1]: A spam filter could dislike many things about XARF reports and trying to circumvent them won't increase the quality of such reports.

I know this won't help you, but I hope this clarifies a few things.
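
Since the schema does not accept defanged URLs, a reporter whose source data (tickets, threat-intel feeds) holds defanged indicators has to restore them before building a report. The following is an added example, not part of the original thread and not XARF project code; the marker list, the function names and the usability check are assumptions and do not reproduce the XARF schema's own validation.

```python
import re
from urllib.parse import urlsplit

# Common defanging conventions (constructed list, not taken from the XARF schema).
DEFANG_MARKERS = re.compile(r"hxxps?|\[(?:\.|:|://|/|dot)\]|\(\.\)", re.IGNORECASE)

def is_defanged(value: str) -> bool:
    """True if the string carries any of the defanging markers above."""
    return bool(DEFANG_MARKERS.search(value))

def refang(value: str) -> str:
    """Undo common defanging so the URL is machine-readable again."""
    out = re.sub(r"^hxxp(s?)", r"http\1", value.strip(), flags=re.IGNORECASE)
    out = re.sub(r"\[(\.|:|://|/)\]", r"\1", out)
    out = re.sub(r"\[dot\]|\(\.\)", ".", out, flags=re.IGNORECASE)
    return out

def is_machine_usable(value: str) -> bool:
    """Assumed consumer requirement: http(s) scheme and a plain dotted hostname."""
    if is_defanged(value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. stray brackets in the host part
        return False
    host = parts.hostname or ""
    return (parts.scheme in ("http", "https")
            and "." in host
            and re.fullmatch(r"[A-Za-z0-9.-]+", host) is not None)

def normalise_for_report(urls):
    """Return (clean, rejected): refanged usable URLs and inputs that stay unusable."""
    clean, rejected = [], []
    for raw in urls:
        candidate = refang(raw) if is_defanged(raw) else raw.strip()
        if is_machine_usable(candidate):
            clean.append(candidate)
        else:
            rejected.append(raw)
    return clean, rejected

# Constructed sample input, e.g. copied from a ticket or threat-intel feed.
SAMPLE = [
    "hxxps://login.example[.]com/reset",
    "hxxp[://]files.example(.)org/a.zip",
    "https://portal.example.net/index.html",
    "example[.]com",  # no scheme: still not a URL after refanging
]
```
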