[Rtir] ARF reports parsing/handling - DMARC reports

Kevin Falcone falcone at bestpractical.com
Tue Mar 25 12:48:34 EDT 2014

On Tue, Mar 25, 2014 at 12:40:51AM -0700, Darren Spruell wrote:
> Have recently set up capability to receive DMARC aggregate reports
> from email providers and I believe they are delivered as zip'd ARF XML
> documents. Noticed the following blurb on RTIR features:
> "we've written custom parsers to handle DMCA complaints and feedback
> loop emails conforming to the Abuse Reporting Format (ARF)."
> Wanted to see if there's any of this code in public distribution at
> this point, or if anyone that has implemented this in a satisfactory
> way had anything they could share about their approach.

I'm not aware of the ARF specific code being public.  It's been
cleaned up, but was still quite customer specific (and I'm not sure it
dealt with zipped attachments from a quick perusal, although that
isn't terribly hard).

Basically, when we can, we ship things like:
which handles a different set of formats, but in the case of this
particular client, we couldn't extract their ARF code into a public

> Not sure what the possibilities are for handling reports with
> automation and finesse, but at the very least I thought it'd be
> interesting to automate Incident Report creation on receipt.

If you look at the capabilities of RT::Extension::ACNS it's pretty
common to set a bunch of specific Custom Fields upon receipt, and as I
understand it, the client who sponsored RT::Extension::ACNS uses it to
auto-create the Incident and Investigations when they can (when
there's enough info in the report and their external system to do so).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 235 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rtir/attachments/20140325/284f21f8/attachment.pgp>

More information about the rtir mailing list