History

A draft describing a standard format for FBL reports was posted by Yakov Shafranovich in April 2005 and evolved to the current RFC 5965. AOL

AOL

AOL Inc. is an American global Internet services and media company. AOL is headquartered at 770 Broadway in New York. Founded in 1983 as Control Video Corporation, it has franchised its services to companies in several nations around the world or set up international versions of its services...

, who pioneered the field in 2003, initially used a different format, and converted to this de facto standard in 2008. Feedback loops don't have to use ARF, but most do.

In January of 2010, the IETF chartered a new working group working towards the goal of standardizing the ARF format. The new WG is called Messaging Abuse Reporting Format WG or MARF.

Purpose

The ARF format is designed to be extensible, providing for generic spam reporting, e.g. from users to some anti-spam center or help desk, or for opt-out

Opt in e-mail

Opt in email is a term used when someone is given the option to receive "bulk" email, that is, email that is sent to many people at the same time. Typically, this is some sort of mailing list, newsletter, or advertising...

 operations. The format defines a new MIME

MIME

Multipurpose Internet Mail Extensions is an Internet standard that extends the format of email to support:* Text in character sets other than ASCII* Non-text attachments* Message bodies with multiple parts...

 type to be included in a multipart/report attachment, and includes at least the headers of the offending message. Although the draft description acknowledges that some operators may choose to modify or redact that portion for privacy or legal reasons, it recommends that the entire original email message be attached, including the unmodified recipient address.

An ARF-encapsulated FBL report comes with the same subject as the offending message. Much like bounce message

Bounce message

In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...

s, an abuse report consists of a human readable part, followed by a machine readable part, and the original message. The machine readable part's type is message/feedback-report, whose definition is the core of the draft. Extensibility is achieved by including a Feedback-Type field that characterizes the report. Possible values of this field are

abuse	spam or some other kind of email abuse;
fraud	indicates some kind of fraud or phishing activity;
virus	report of a virus found in the originating message;
other	any other feedback that doesn't fit into other types;
not-spam	can be used to report an email message that was mistakenly marked as spam.

An IANA

Internet Assigned Numbers Authority

The Internet Assigned Numbers Authority is the entity that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System , media types, and other Internet Protocol-related symbols and numbers...

 registry is provided for the Feedback-Type, as well as for the other field names. Each field name may either be relevant for any type of feedback, or for a specified type only. Some fields may appear multiple times. For example, the Source-IP field, containing the IP address

IP address

An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...

from which the original message was received, may appear in any type of FBL report, but only once; the Removal-Recipient field, indicating email addresses to be removed, may only appear in opt-out reports, but one or more times. In addition, there is a DKIM-Failure subtype, with its own IANA registry.

An example report for email abuse is as follows. (Note that only the first three lines of the machine readable part are required.)

From: <abusedesk@example.com>
Date: Thu, 8 Mar 2005 17:40:36 EDT
Subject: FW: Earn money
To: <abuse@example.net>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report;
boundary="part1_13d.2e68ed54_boundary"
 
--part1_13d.2e68ed54_boundary
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
 
This is an email abuse report for an email message received from IP
10.67.41.167 on Thu, 8 Mar 2005 14:00:00 EDT. For more information
about this format please see http://www.mipassoc.org/arf/.
 
--part1_13d.2e68ed54_boundary
Content-Type: message/feedback-report
 
Feedback-Type: abuse
User-Agent: SomeGenerator/1.0
Version: 0.1
Original-Mail-From: <somespammer@example.net>
Original-Rcpt-To: <user@example.com>
Received-Date: Thu, 8 Mar 2005 14:00:00 EDT
Source-IP: 10.67.41.167
Authentication-Results: mail.example.com
smtp.mail=somespammer@example.com;
spf=fail
Reported-Domain: example.net
Reported-Uri: http://example.net/earn_money.html
Reported-Uri: mailto:user@example.com
Removal-Recipient: user@example.com
 
--part1_13d.2e68ed54_boundary
Content-Type: message/rfc822
Content-Disposition: inline
 
From: <somespammer@example.net>
Received: from mailserver.example.net (mailserver.example.net
[10.67.41.167]) by example.com with ESMTP id M63d4137594e46;
Thu, 08 Mar 2005 14:00:00 -0400
To: <Undisclosed Recipients>
Subject: Earn money
MIME-Version: 1.0
Content-type: text/plain
Message-ID: 8787KJKJ3K4J3K4J3K4J3.mail@example.net
Date: Thu, 02 Sep 2004 12:31:03 -0500
 
Spam Spam Spam
Spam Spam Spam
Spam Spam Spam
Spam Spam Spam
--part1_13d.2e68ed54_boundary--