What is x-arf?

x-arf is network abuse reporting 2.0 - it is an email format to report different types of network abuse incidents to network owners.

Why x-arf?

The main intention of x-arf is to extend the so far known Abuse Reporting Format which is defined in RFC 5965 and itself is caught in its strict limitation to reporting abuse with messaging services only. Unfortunately, there is no possibility to report - for example - ssh attacks or phishing websites with it.

In order to stop the increasing number of homegrown and self-invented reporting formats and offer an easy way to handle incoming complaints more effectively the x-arf format was designed.

The x-arf design itself can be described with the following features:

To reach these specifications, x-arf is designed as a container format. That means: the format only defines the basic nature of a container, but not the container itself. The containers can later be defined by the community and will be offered to everybody in a representation of schema files to understand the structure of the specific report.

Where to send abuse reports?

RFC 6650 indicates where to transmit solicited and unsolicited network abuse reports:

Deciding where to send an unsolicited report will typically rely on heuristics. Abuse addresses in WHOIS [RFC3912] records of the IP address relaying the subject message and/or of the domain name found in the results of a PTR ("reverse lookup") query on that address are likely reasonable candidates, as is the abuse@domain role address (see [RFC2142]) of related domains

RIRs offer various options to identify the abuse@domain role address. The RIR websites offer information on how to query their whois databases to find the appropriate addresses. You might also consider using the Abuse Contact DB.