Spam reporting

Spam reporting, more properly called abuse reporting, is the process of identifying electronic messages as abusive and reporting them to an authority (e.g., an email administrator) for resolution. Reported messages can be email messages, blog comments, or any kind of spam.

Abuse reports are a type of feedback where users can flag others' posts as abusive content. Most websites that allow user-generated content either apply a moderation based on abuse reports, such as hiding or deleting offending content at a defined threshold, or implement various user roles that allow users to cooperatively govern the site's content.

Spammers' behavior ranges from forcing users to opt in to cooperatively offering opt-out options, and even hiding the sender's identity (including phishing). The most intractable cases can be addressed by reporting the abusive message to hash-sharing systems such as Vipul's Razor, which benefits other potential victims. In some cases, senders may cooperate by using spam reports to fix or mitigate the problem at its origin. For example, they may use reports to detect botnets, educate the sender, or simply unsubscribe the reporting user. Email spam legislation varies, forbidding abusive behavior to some extent. In some cases, prosecuting spammers and claiming damages may be possible.

RFC 6650 recommends that recipients report abusive messages to their mailbox providers. The provider's abuse-team should determine the best course of action, possibly considering hash-sharing and legal steps. If the sender has subscribed to a Feedback loop (email), the mailbox provider will forward the complaint as a feedback report according to the existing FBL agreement. Otherwise, mailbox providers should determine who is responsible for the abuse and forward the complaint to them. Recipients of unsolicited abuse reports are effectively potential FBL subscribers, as the mailbox provider needs to offer them a way to manage the report stream. On the other hand, mailbox providers can prevent further messages from non-cooperative senders of abusive content.

Abuse reports are sent by email using the Abuse Reporting Format (ARF), except for initial notification by the recipient in cases where an mailbox implementation provides more direct means. The target address for an abuse report depends on the authority to which the abusive message is reported. Choices include the following:

1. A public reporting hub, or global reputation tracker, such as SpamCop or Abusix's blackhole.mx. Different degrees of skill are required to properly interact with different hubs.
2. The domain-specific reporting hub is the recommended choice for end users. If provided, it should be accessible by a visible button or menu item in the mail client.
3. A feedback loop subscriber can be selected as a target by a mailbox provider after receiving an end-user report. Users should be aware of their provider's policy.
4. The abuse POC for an authenticated domain that handled the reported message. DomainKeys Identified Mail (DKIM) is the usual authentication protocol, but Sender Policy Framework (SPF) can be used in the same way. A mailbox provider choice.
5. The abuse POC for the IP address of the last relay. Some skill is required to properly locate such data. This is the default choice for a mailbox provider whose server received the abusive message (before the recipient reported it) and annotated the relevant IP address. Various sites maintain POC databases, such as Network Abuse Clearinghouse (by name), Abusix (by IP address), and others. There is also a hierarchy of delegations at the relevant Regional Internet registry (RIR), and each corresponding Whois record may include a POC, either as a remark or as a more specific database object, e.g. an Incident response team.

The first three methods provide for full email addresses to send reports to. Otherwise, target abuse mailboxes can be assumed to be in the form defined by RFC 2142 (abuse@example.com), or determined by querying either the RIR's whois databases (which may have query result limits) or other databases created specifically for this purpose. There is a tendency to mandate the publication of exact abuse POCs.

Abused recipients can automate spam reporting to different degrees: they can push a button when they see the message, or run a tool that automatically quarantines and reports messages it recognizes as spam. When no specific tools are available, recipients must report abuse by hand; that is, they forward the message as an attachment (so as to include the full header) to the chosen authority. Mailbox providers can also use tools to automatically process incident notifications.

• Abuse Reporting Format
• Feedback loop (email)