Extensions to the IODEF-Document
Class for Reporting Phishing, Fraud, and Other CrimewareThe Cooper-Cain Group, Inc.P.O. Box 400992CambridgeMAUSApcain@coopercain.comThe Anti-Phishing Working Group5150 El Camino Real, Suite A20Los AltosCA 94022USAdave.jevans@antiphishing.org
Security
RFCRequest For CommentsThis document extends the Incident Object Description Exchange Format
(IODEF) to support the reporting of phishing, fraud, other types of
electronic crime, and widespread spam incidents. These extensions are
flexible enough to support information gleaned from activities
throughout the entire electronic fraud cycle. Both simple reporting and
complete forensic reports are possible, as is consolidated reporting of
multiple phishing incidents.The extensions defined in this document are used to generate two
different types of reports: a fraud and phishing report and a
wide-spread spam report. Although similar in structure, each report has
different required objects and intents.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 .Deception activities, such as receiving an email purportedly from a
bank requesting you to confirm your account information, are an
expanding attack type on the Internet. The terms phishing and fraud are
used interchangeably in this document to characterize broadly-launched
social engineering attacks in which an electronic identity is
misrepresented in an attempt to trick individuals into revealing their
personal credentials ( e.g., passwords, account numbers, personal
information, ATM PINs, etc.). A successful phishing attack on an
individual allows the phisher (i.e., the attacker) to exploit the
individual's credentials for financial or other gain. Phishing attacks
have morphed from directed email messages from alleged financial
institutions to more sophisticated lures that may also include
malware.This document defines a data format extension to the Incident Object
Description Exchange Format (IODEF) that can
be used to describe information about a phishing incident or wide-spread
spam incident. Sections 2 and 3 of this document introduce the
high-level report format and how to use it. Sections 4 and 5 describe
the data elements of the fraud extensions. This document includes an XML
schema for the extensions and a few example fraud reports.The extensions defined in this document may be used to report
targeted ('spear') phishing, broad multi-recipient phishing, wide-spread
spam events, the distribution of malware, and evolving Internet-based
fraud attempts. Receipt of single spam message MUST NOT be reported via
these extensions as these formats are for more general, widespread
events. The rise in phishing and fraud activities via e-mail, instant
message, DNS corruption, and malicious code insertion has driven
corporations, Internet Service Providers, consumer agencies, and
financial institutions to begin to collect and correlate phishing
attack information. The collected data allows them to better
coordinate mitigation activities and support in the pursuit and
prosecution of the attacker.By using a common format, it becomes easier for an organization to
engage in this coordination as well as correlation of information from
multiple data sources or products into a cohesive view. As the number
of data sources increases, a common format becomes even more
important, since multiple tools would be needed to interpret the
different sources of data. The accumulation and correlation of information is also important
in resolving phishing incidents detected externally as the phished
organization may not even be aware of the attack. Third parties aware
of the attack may wish to notify the phished organization or a central
notification service so adequate responses could commence. The
targeted organization's internal monitoring systems may also detect
the attack and wish to take mitigation steps.While the intended use of this specification is to facilitate data
sharing between parties, the mechanics of this sharing process and its
related political challenges are out of scope for this document.Instead of defining a new report format, this draft defines an
extension to . The IODEF
defines a flexible and extensible format and supports a granular level
of specificity. This phishing extension reuses subsets of the IODEF
data model and, where appropriate, specifies new data elements.
Leveraging an existing specification allows for more rapid adoption
and reuse of existing tools in organizations. For clarity, and in
order to eliminate duplication, only the additional structures
necessary for describing the exchange of phishing and e-crime activity
are provided.Fraudulent events are reported in a Fraud Activity Report which
is an instance of an XML IODEF-Document Incident element with added
EventData and AdditionalData elements. The additional fields in the
EventData specific to phishing and fraud are enclosed into a
PhraudReport XML element. Fraudulent activity may include multiple
emails, instant messages, or network messages, scattered over
various times, locations, and methodologies. The PhraudReport within
an EventData may include information about the email header and
body, details of the actual phishing lure, correlation to other
attacks, and details of the removal of the web server or credential
collector. As a phishing attack may generate multiple reports to an
incident team, multiple PhraudReports may be combined into one
EventData structure and multiple EventData structures may be
combined into one Incident Report. One IODEF Incident report may
record one or more individual phishing events and may include
multiple EventData elements.This document defines new extension elements for the EventData
and Record Item IODEF XML elements and identifies those required in
a PhraudReport. The Appendices contain sample Fraud Activity Reports
and a complete Schema.The IODEF Extensions defined in this document comply with section
4, "Extending the IODEF Format" in .Internet-based Phishing and Fraud activities are normally comprised
of at least four components:1. The Phisher, Fraudster, or party perpetrating the fraudulent
activity. Most times this party is not readily identifiable.2. The Attack Source, the source of the phishing email, virus,
trojan, or other attack is masked in an enticing manner.3. The User, Victim, or intended target of the fraud/phish.4. The collection point, where the victim sends their credentials
or personal data if they have been duped by the phisher.If we take a holistic view of the attack, there are some additional
components:5. The sensor, the means by which the phish is detected. This
element may be an intrusion detection system, firewall, filter,
email gateway, or human analyst.6. A forensic or archive site (not pictured) where an
investigator has copied or otherwise retained the data used for the
fraud attempt or credential collection.A Fraud Activity Report is an instance of an XML IODEF-Document with
additional extensions and usage guidance as specified in Section 4 of
this document. These additional extensions are implemented through the
PhraudReport XML element.As described in the following sections, reporting Fraud Activity has
three primary components: choosing a report type; a format for the data;
and how to check correctness of the format.There are three actions relating to reporting phishing events.
First, a reporter may *create* and exchange a new report on a new
event. Secondly, a reporter may *update* a previously exchanged report
to indicate new collection sites, site take down information, or
related activities. Lastly, a reporter may have realized that the
report is in error or contain significant incorrect data and the
prudent reaction is to *delete* the report.The three types of reports are denoted through the use of the
ext-pupose attribute of an Incident element. A new report contains an
empty or a "create" ext-purpose value; an updated report contains a
ext-value value of "update"; a request for deletion contains a
"delete" ext-purpose value. Note that this is actually an advisory
marking for the report originator or recipient as operating procedures
in a report lifecycle is very environment specific.The IODEF Incident element [RFC5070, Section 3.2] is summarized
below. It and the rest of the data model presented in Section 4 is
expressed in Unified Modeling Language (UML) syntax as used in the
IODEF specification. The UML representations is for illustrative
purposes only; elements are specified in XML as defined in A Fraud Activity Report is composed of one iodef:Incident element
that contains one or more related PhraudReport elements embedded in
iodef:AdditionalData element of iodef:EventData. The PhraudReport
element is added to the IODEF using its defined extension procedure
documented in Section 5 of [RFC5070].One IODEF-Document may contain information on multiple incidents
with information for each incident contained within an iodef:Incident
element [RFC5070], Section 3.12].The Fraud Activity Report MUST pass XML validation using the schema
defined in and the extensions defined in of this document.A PhraudReport consists of an extension to the
Incident.EventData.AdditionalData element with a dtype of "xml". The
elements of the PhraudReport will specify information about the six
components of fraud activity identified in Section 2. Additional
forensic information and commentary can be added by the reporter as
necessary to show relation to other events, to show the output of an
investigation, or for archival purposes.A PhraudReport element is structured as follows. The components of
a PhraudReport are introduced in functional grouping as some
parameters are related and some elements may not make sense
individually.Relevant information about a phishing or fraud event can be encoded
by encoding the six components as follows:The PhishNameRef and PhishNameLocalRef elements identify the
fraud or class of fraud.The LureSource element describes the source of the attack or
phishing lure, including host information and any included
malware.The DCSite describes the technical details of the credential
collection point.The Originating Sensor element describes the means of
detection.The RelatedData, ArchivedData, and TakeDownInfo fields allow
optional forensics and history data to be included.A specific phish/fraud activity can be identified using a
combination of the FraudType, FraudParameter, FraudedBrandName,
LureSource, and PhishNameRef elements.Elements, attributes, and parameters defined in the base IODEF
specification were used whenever possible in the definition of the
PhraudReport XML element. This specification does not introduce any
new variable types or encodings to the IODEF data model, but extends
the IODEF Contact and System elements. Note: Elements that are imported from the base IODEF specification
are prefaced with an "iodef" XML namespace and are noted with the
section defining that element in . Each
element in a PhraudReport is used as described in the following
sections.The following sections describe the components of a PhraudReport
XML element. Each description is structured as follows.1. A terse XML-type identifier for the element or
attribute.2. An indication of whether the element or attribute is
REQUIRED or optional. Mandatory items are noted as REQUIRED. If
not specified, elements are optional. Note that when optional
elements are included, they may REQUIRE specific sub-elements.3. A description of the element or attribute and its intended
use.Elements that contain sub-elements or enumerated values are
further sub-sectioned. Note that there is no 'trickle-up' effect in
elements. That is, the required elements of a sub-element are only
populated if the sub-element is used. REQUIRED. STRING. The version shall be the value 0.04 to be
compliant with this document. [This value will be changed to "1.0"
when this document progresses.]REQUIRED. One ENUM. The FraudType attribute describes the type of
fraudulent activity described in this PhraudReport and contains one of
the following values:phishemail. The FraudParameter should be the email subject line
of the phishing email. This type is a standard email phish,
usually sent as spam, and is intended to derive financial loss to
the recipient.recruitemail. The FraudParameter is the email subject line of
the phishing email. This type of email phish does not pose a
potential financial loss to the recipient, but covers other cases
of the phish and fraud lifecycle.malwareemail. The FraudParameter is the email subject line of
the phishing email. This type of email phish does not pose a
potential financial loss to the recipient, but lures the recipient
to an infected site.fraudsite. This identifies a known fraudulent site that does
not necessarily send spam but is used for lures. The
FraudParameter may be used to identify the website.dnsspoof. This choice does not have a related FraudParameter.
This is used for a spoofed DNS (e.g., malware changes localhost
file so visits to www.example.com go to another IP address chosen
by the fraudster).keylogger. This choice does not have a FraudParameter and
specifies a keylogger downloaded with the lure.ole. There is no FraudParameter. This identifies background
Microsoft Object Linking and Embedding (OLE) information that
comes as part of a lure.im. The FraudParameter should be the malicious instant message
(IM) link supplied to the user.cve. This choice identifies CVE-known malware, with the Common
Vulnerability and Exposures project (CVE) number as the
FraudParameter.archive. There is no required FraudParameter for this choice,
although the FraudParameter of the original phish could be
entered. The data archived from the phishing server is placed in
the ArchiveInfo element.spamreport. This type is used when the PhraudReport is
reporting a large-scale spam activity. The FraudParameter should
be the spam email subject line.voip. The lure was received via a voice-over-IP connection
identified by the information in the FraudParameter field.other. This is used to identify not-yet-enumerated fraud
types.unknown. This choice may have an associated FraudParameter. It
is used to cover confused cases.REQUIRED. One value of iodef:MLStringType. This is the lure used
to attract victims. It may be an email subject line, VoIP lure, link
in an IM message, the CVE or malware identifier, or a web URL. Note
that some phishers add a number of random characters onto the end of
a phish email subject line for uniqueness; reporters should delete
those characters before insertion into the FraudParameter field.Zero or one value of STRING. The PhishNameRef element is the common
name used to identify this fraud event. It is often the name agreed
upon by involved parties or vendors. Using this name can be a
convenient way to reference the activity collaborating with other
parties, the media, or engaging in public education.Zero or one value of STRING. The PhishNameLocalRef element
describes a local name or Unique-IDentifier (UID) that is used by
various parties before a commonly agreed term is adopted. This field
allows a cross-reference from the submitting organization's system to
a central repository.Zero or more values of STRING. This is the identifier of the
recognized brand name or company name used in the phishing activity
(e.g., XYZ Semiconductor Corp).REQUIRED. One value. The LureSource element describes the source of
the PhraudReport lure. It allows the specification of IP Addresses,
DNS names, domain registry information, and rudimentary support for
the files that might be downloaded or registry keys modified by the
crimeware.REQUIRED. One or more values of the iodef:System [RFC5070,
Section 3.15]. The system element describes a particular host
involved in the phishing activity. If the real IP Address can be
ascertained, it should be populated. A spoofed address may also be
entered and the spoofed attribute SHALL be set.Zero or more element values. The DomainData element describes the
registration, delegation, and control of a domain used to source the
lure. Capturing the domain data is very useful when investigating or
correlating events.The structure of a DomainData element is as follows:REQUIRED. One value of iodef:MLStringType [RFC5070], Section
2.4]. The Name element is the domain name used in this event.Zero or One value of DATETIME. This element includes the
timestamp of when this domain data was checked and entered into
this report as many phishers modify their domain data at various
stages of a phishing event.Zero or one value of DATETIME. The RegistrationDate element
shows the date of registration for a domain.Zero or one value of DATETIME. The ExpirationDate element shows
the date the domain will expire.Zero or more values. These fields hold nameservers identified
for this domain. Each entry is a sequence of DNSNameType and
iodef:Address pairs as specified below.The use of one Server value and one Address value, followed by
multiple empty Server values with Address values is allowable to
note multiple IPAddreses associated with one DNS entry for the
domain nameserver.Zero or more values of iodef:MLStringType. This field
contains the DNS name of the domain nameserver.REQUIRED. One Value of Address. This field contains the IP
address of the domain nameserver.Zero or more values. This element allows the reporter to
duplicate the DNS record data as defined by , and returned by the DNS. Including this
information allows for tracking, trending, and identification of
the very transient DNS mapping and structure of crimeware
domains.REQUIRED. One String Value. This element identifies the
superior node in the DNS hierarchy.REQUIRED. One String Value. This field contains one value
from the IANA DNS Resource Record Type Registry.Zero or one value of a STRING. This field contains one value
from the IANA DNS Domain System Class Registry. The value will
be the two character representation of class, instead of a
decimal number to ease data entry from standard DNS tools. The
default value for this field is "IN" to note the Internet.Zero or one value of INTEGER. This value represents the
time-to-live (TTL) value for this record.REQUIRED. One string value. The resource data for the record
is contained within this field.REQUIRED. Choice of either a SameDomainContact or one or more
DomainContact elements. The DomainContacts element allows the
reporter to enter contact information supplied by the registrar or
returned by Whois. For efficiency of the reporting party, the
domain contact information may be marked to be the same as another
domain already reported using the SameDomainContact element.REQUIRED. One iodef:DNSNAME. The SameDomainContact element is
populated with a domain name if the contact information for this
domain is identical to that name in this or another report.
Implementors are cautioned to only use this element when the
domain contact data returned by the registrar is identical.REQUIRED. One or more iodef:Contact elements. This element
reuses and extends the iodef:Contact elements for its
components. Each component may have zero or more values. If only
the role attribute and the ContactName component are populated,
the same (identical) information is listed for multiple
roles.Each Contact has three attributes to capture the sensitivity,
confidence, and role for which the contact is listed.REQUIRED. ENUM. The role attribute is extended from the
iodef:role-ext attribute with values identified in . The role-ext value of the role attribute
should be used, with the role-ext attribute value chosen from
one of the following values:registrant. This identified Contact is the domain
registrant.registrar. This contact identifies the registrar of
this domain.billing. This entry is the billing or financial
contact.technical. This contact deals with technical
issues.administrative. This contact handles administrative
matters for this domain.legal. This entry deals with legal issues for this
domain.zone. This entry controls the DNS zone information.abuse. This entry accepts abuse issues.security. This entry accepts security issues.domainOwner. This lists the owner of the domain.ipAddressOwner. This entry identifies the assignee of
the IP address space.hostingProvider. This contact is the hosting provider
of this domain.other. This entry does not meet an enumerated
value.REQUIRED. ENUM. The Confidence attribute describes a
qualitative assessment of the veracity of the contact
information. This attribute is an extension to the
iodef:Contact element and is defined in this document. There
are five possible confidence values as follows.known-fraudulent. This contact information has been
previously determined to be fraudulent, either as
non-existent physical information or containing real
information not associated with this domain
registration.looks-fraudulent. The contact information has
suspicious information included.known-real. The contact information has been previously
investigated or determined to be correct.looks-real. The contact information does not arouse
suspicion but has not been previously validated.unknown. The reporter cannot make a value judgment on
the contact data.Zero or one iodef:restriction attribute [RFC5070, as part
of Section 3.2]. The restriction attribute is used to label
the sensitivity of included information.REQUIRED. ENUM. The SystemStatus attribute assesses a domain's
involvement in this event.spoofed. This domain or system did not participate in this
event, but its address space or DNS name was forged.fraudulent. The system is fraudulently operated.innocent-hacked. The system was compromised and used in this
event to source the lure.innocent-hijacked. The IP Address or domain name was hijacked
and used in this event to source of the lure.unknown. No conclusions are inferred from this event.ENUM. The DomainStatus attribute describes the registry status of
a domain at the time of the report. The below enumerated list is
taken verbose from the 'domainStatusType' of the Extensible
Provisioning Protocol and "Domain Registry
Version 2 for the Internet Registry Information Service"
internet-draft .reservedDelegation - permanently inactiveassignedAndActive - normal stateassignedAndInactive - registration assigned but delegation
inactiveassignedAndOnHold - disputerevoked - database purge pendingtransferPending - change of authority pendingregistryLock - on hold by registryregistrarLock - on hold by registrarZero or One Value. The IncludedMalware element allows for the
identification and optional inclusion of the actual malware that was
part of the lure. The goal of this element is not to detail the
characteristics of the malware but rather to allow for a convenient
element to link malware to a phishing campaign.REQUIRED. One or more value of iodef:MLStringType. This
optional field is used to identify the lure malware.Zero or one value of STRING. This optional field is used to
hold the value of a hash computed over the malware executable.REQUIRED ENUM. This field from the following list identifies
the algorithm used to create this hashvalue.SHA1. Hashvalue as defined in.Zero or one value. Choice of two elements, below. The optional
Data element is used to describe the lure malware.The lure malware is encoded as a String value.The lure malware is encoded as a hexBinary encoded value, as
defined by the XML standard.Zero or One value of STRING. The Data Element includes an
optional 16 hexadecimal character XORPattern attribute to
support disabling the included malware to bypass anti-virus
filters. The default value is 0x55AA55AA55AA55BB which would be
XOR-ed with the malware datastring to recover the actual
malware.Zero or One value of STRING. The FileDownloaded element is a
comma-separated list where each entry is the name of a file
downloaded by this lure. Although this element could be implemented
as a sequence of individual XML entries, the extra XML overhead was
perceived to not add any value, so the files are listed in one
element.One value of the Keys sequence.The contents of the RegistryKeysModified element are sets of Key
elements.One or more Sequences. The key element is a sequence of Name
and Value pairs representing an operating system registry key and
its valueOne STRING, representing the WINDOWS Operating System
Registry Key Name.One STRING, representing the value of the associated KeyREQUIRED. The OriginatingSensor element contains the identification
and cognizant data of the network element that detected this fraud
activity. Note that the network element does not have to be on the
Internet itself (i.e., it may be a local IDS system) nor is it
required to be mechanical (e.g., humans are allowed).Multiple OriginatingSensor Elements are allowed to support
detection at mutiple locations.The OriginatingSensor requires a type value and identification of
the entity that detected this fraudulent event.REQUIRED. ENUM. The value is chosen from the following list,
categorizing the function of this sensor:1. Web. A web server or service detected this event.2. WebGateway. A proxy, firewall, or other network gateway
detected this event.3. MailGateway. The event was detected via a mail gateway or
filter4. Browser. The event was detected at the user web interface
or browser-type element..5. ISPsensor. The event was detected by an automated system
in the network such as IDS, IPS, or ISP device.6. Human. A non-automated system (e.g., a human, manual
analysis, etc) detected this event.7. Honeypot. The event was detected by receipt at a decoy
device.8. Other. The detection was performed via a non-listed
method.REQUIRED. DATETIME. This is the date and time that this
sensor first saw this phishing activity.REQUIRED. One iodef:System. This is the IPVersion, IPAddress,
and optionally, port number of the entity that generated this
report.Zero or more DCSite elements. The DCSite captures the type,
identifier, collection location, and other pertinent information about
the credential gathering process, or data collection site, used in the
phishing incident. The data collection site is identified by four
elements: the type of collector site, the network location,
information about its DNS Domain, and a confidence factor. Further
details about the domain, system, or owner of the DCSite can be
inserted into the DomainData sub-element.If the DCSite element is present, a value is required. Multiple
DCSite elements are allowed to indicate multiple collection sites for
a single collector. Multiple URLs pointing to the same DNS entry can
be identified with multiple SiteURL elements.REQUIRED. ENUM. The DCType attribute identifies the method of
data collection as determined through the analysis of the victim
computer, lure, or malware. This attribute coupled with the DCSite
content identifies the data collection site.web. The user is redirected to a website to collect the
data.email. The victim sends an email with credentials
enclosed.keylogger. Some form of keylogger is downloaded to the
victim.automation. Other forms of automatic data collection, such as
background OLE automation, are used to capture information.unspecified.REQUIRED. The DCSite element contains the IPAddress, URL,
emailsite, or other identifier of the data collection site. The
Domain choice may be used to identify entire 'phishy' domains like
those used for the RockPhish and related malware. Each DCSite
element also includes a confidence element to convey the reporter's
assessment of their confidence that this DCSite element is valid,
and involved with this event. The confidence value is a per-DCSite
value as multiple-site data collectors may have different confidence
values.The DCSite element is a choice of:SiteURL. STRING. This choice supports URIs.Domain. STRING. This choice allows the entry of a DNS Domain
name.EmailSite. STRING. This choice captures either the email
address of the data collection site.iodef:System element [RFC5070, Section 3.15]. This choice is
filled it to capture the IP Address of a site.Unknown. STRING. The unknown entry is used for exception to
the preceding choices.Zero or One value of DomainData. This element allows for the
identification of data associated with the data collection
site.Zero or One value of iodef:Assessment. This element is used to
designate different confidence levels of multiple-site data
collectors.Zero or more TakeDownInfo element. This element identifies the
agent or agency that performed the removal, DNS domain disablement, or
ISP-blockage of the phish or fraud collector site. A PhraudReport may
have multiple TakeDownInfo elements to support activities where
multiple take down activities are involved on different dates. Note
that the term "Agency" is used to identify any party performing the
blocking or removal such as ISPs or private parties, not just
government entities.The TakeDownInfo element allows one date element with multiple
TakeDownAgency and Comment elements to support operations using
multiple agencies.Zero or one DATETIME. This is the date and time that take down of
the collector site occurred.Zero or more STRING. This is a free form string identifying the
agency, corporation, or cooperative that performed the take
down.Zero or more STRING. A free form field to add any additional
details of this take down effort or to identify parties that
assisted in the effort at an ISP, CERT, or DNS Registry.Zero or more values of the ArchivedData element are allowed.The ArchivedData element is populated with a pointer to the
contents of a data collection site, base camp (i.e., development
site), or other site used by a phisher. The ArchivedDataInfo may also
include a copy of the archived data recovered from a phishing system.
This element will be populated when, for example, an ISP takes down a
phisher's web site and has copied the site data into an archive
file.There are four types of archives currently supported, as specified
in the type field.REQUIRED. This parameter specifies the type of site data pointed
to by the ArchivedDataURL, from the following list:collectionsite.basecamp.sendersite.credentialInfo.unspecified.Zero or one value of URL. As the archive of an entire site can be
quite large, the ArchivedURL element points to an Internet-based
server where the actual gzipped content of the site archive can be
retrieved. Note that this element just points out where the archive
is and does not include the entire archive in the report. This is
the URL where the gzipped archive file is located.Zero or one value of STRING. This field is a free form area for
comments on the archive and/or URL.Zero or one value of xs:Base64Binary. This field may contain a
base64 encoded version of the data described in the comment field
above.Zero or more value of anyURI. This element allows the listing of
other web or net sites that are related to this incident (e.g., victim
site, etc.).Zero or more value of STRING. Any information that correlates this
incident to other incidents can be entered here.Zero or one value of STRING. This field allows for any comments
specific to this PhraudReport that does not fit in any other
field.Extensions are also made to the iodef:Incident.EventData element to
include the actual email message received in phishing lure or
widespread spam emails. The ability to report spam is included within
a PhraudReport to support exchanging information about large-scale
spam activities related to phishing, not necessarily a single spam
message to a user. As such the spam reporting mechanism was not
designed to minimize overhead and processing, but to support other
widely-used spam reporting formats such as the MAAWG's Abuse Reporting
Format .Reporting of the actual mail message is supported by choosing one
of three methods. First, an ARF message may be included. Second, the
message may be included as one large string. Third, the header and
body components may be dissected and included as a series of
strings.REQUIRED. INTEGER. This field enumerates the number of email
messages identified in this record detected by the reporter.The actual wide-spread spam message may be included in a report
via one of three encodings: an ARF message, one big text blob, or a
separate header and body element.Zero of one value of iodef:MLStringType. The entire mail
message can be inserted as one large string.Zero or one value of STRING. The Messaging Anti-Abuse Working
Group (MAAWG) defined a format for sending abuse and list control
traffic to other parties. Since many of these reports will get
integrated into incident processes, the raw Abuse Reporting Format
may be inserted into this element.The ARF should be encoded as a character string.Sequence of Header. The headers of the phish email are
included in this element as a sequence of one-line text strings.
There SHALL be one EmailHeader element per EmailRecord.iodef:MLStringType. The header element contains a sequence
of email header lines, one line per header element.Zero or one value of iodef:MLStringType. This element
contains the body of the phish email. If present, there should
be at most one EmailBody element per EmailRecordiodef:MLStringType. The entire mail message can be inserted as
one large string.Zero or one value of STRING. This field contains comments or
relevant data not placed elsewhere about the phishing or spam
email.A report about fraud, spam, or phishing requires certain identifying
information which is contained within the standard IODEF Incident data
structure and the PhraudReport extensions. The following table
identifies attributes required to be present in a compliant PhraudReport
to report phishing or fraud or to report widespread spam. The required
attributes are a combination of those required by the base IODEF element
and those required by this document. Attributes identified as required
SHALL be populated in conforming phishing activity reports.The following table is a visual description of the IODEF-Document
required fields.A compliant IODEF PhraudReport is SHALL contain the following
element and attributes:<iodef:Incident><iodef:incident/@purpose><iodef:IncidentID><iodef:ReportTime><iodef:Assessment/iodef:Confidence><iodef:Contact/@Role><iodef:Contact/@Type><iodef:Contact/iodef:Name><iodef:EventData><iodef:DetectTime><iodef:AdditionalData><PhraudReport><PhraudReport/@Version><PhraudReport/@FraudType><FraudedBrandName><LureSource><OriginatingSensor>An IODEF PhraudReport compliant Spam Activity Report SHALL contain
the following elements and attributes:<iodef:Incdent><iodef:Incident/@purpose><iodef:IncidentID><iodef:ReportTime><iodef:Assessment/iodef:Confidence><iodef:Contact/@Role><iodef:Contact/@Type><iodef:Contact/iodef:Name><iodef:EventData><iodef:DetectTime><iodef:AdditionalData><PhraudReport><PhraudReport/@Version><PhraudReport/@FraudType> = spamreport<LureSource><OriginatingSensor><EmailRecord>It may be apparent that the mandatory attributes for a phishing
activity report make for a quite sparse report. As incident forensics
and data analysis require detailed information, the originator of a
PhraudReport SHOULD include any tidbit of information gleaned from the
attack analysis. Information that is considered sensitive can be
marked as such using the restriction parameter of each data
element.The reporting party is advised to supply as much information abut
the event as possible -- or even more -- as the information may be
volatile and not recoverable in the future to answer investigation
questions or to perform correlation with other events.This document specifies a format for encoding a particular class of
security incidents appropriate for exchange across organizations. As
merely a data representation, it does not directly introduce security
issues. However, it is guaranteed that parties exchanging instances of
this specification will have certain concerns. For this reason, the
underlying message format and transport protocol used MUST ensure the
appropriate degree of confidentiality, integrity, and authenticity for
the specific environment.Organizations that exchange data using this document are URGED to
develop operating procedures that document the following areas of
concern.The critical security concerns are that phishing activity reports
may be falsified or the PhraudReport may become corrupt during
transit. In areas where transmission security or secrecy is
questionable, the application of a digital signature and/or message
encryption on each report will counteract both of these concerns. We
expect that each exchanging organization will determine the need, and
mechanism, for transport protection..In some instances data values in particular elements may contain
data deemed sensitive by the reporter. Although there are no
general-purpose rules on when to mark certain values as "private" or
"need-to-know" via the iodef:restriction attribute, the reporter is
cautioned to not apply element-level sensitivity markings unless they
believe the receiving party (i.e., the party they are exchanging the
event report data with) has a mechanism to adequately safeguard and
process the data as marked. For example, if the PhraudReport element
is marked private and contains a phishing collector URL in the
DCSite/SiteURL element, can that URL be included within a block list
distributed to other parties? No guidance is provided here except to
urge exchanging parties to review the IODEF and PhraudReport documents
to decide on common marking rules.This document uses URNs to describe XML namespaces and XML schemas
conforming to a registry mechanism described in Registration request for the IODEF phishing namespace:URI: urn:ietf:params:xml:ns:iodef-phish-1.0Registrant Contact: See the "Author's Address" section of this
document.XML: None.Registration request for the IODEF phishing extension XML schema:
URI: urn:ietf:params:xml:schema:iodef-phish-1.0Registrant Contact: See the "Author's Address" section of this
document.XML: See the "Phishing Extensions Schema Definition" in the section of this document.The extensions are an outgrowth of the Anti-Phishing Working Group
(APWG) activities in data collection and sharing of phishing and other
ecrime-ware.This document has received significant assistance from two groups
addressing the phishing problem: members of the Anti-Phishing Working
Group and participants in the Financial Services Technology Consortium's
Counter-Phishing project.The Incident Object Description Exchange FormatThe Incident Object Description Exchange Format (IODEF) defines
a data representation that provides a framework for sharing
information commonly exchanged by Computer Security Incident
Response Teams (CSIRTs) about computer security incidents. This
document describes the information model for the IODEF and
provides an associated data model specified with XML Schema.
[STANDARDS TRACK]Key words for use in RFCs to Indicate
Requirement LevelsHarvard University1350 Mass. Ave.CambridgeMA 02138- +1 617 495 3864sob@harvard.eduSecure Hash StandardNational Institute of Standards and Technology, U.S.
Department of CommerceThe IETF XML RegistryDomain names -
concepts and facilitiesInformation Sciences Institute (ISI)Extensible Provisioning Protocol (EPP) Contact
MappingThis document describes an Extensible Provisioning Protocol
(EPP) mapping for the provisioning and management of individual or
organizational social information identifiers (known as
"contacts") stored in a shared central repository. Specified in
Extensible Markup Language (XML), the mapping defines EPP command
syntax and semantics as applied to contacts. This document
obsoletes RFC 3733. [STANDARDS TRACK]Domain Registry Version 2 for the Internet Registry
Information ServiceAbuse Reporting FormatThe Messaging Anti-Abuse Working Group
(MAAWG)This section shows a received electronic mail message that included a
virus in a zipped attachment and a report that was generated for that
message.NOTE: Some wrapping and folding liberties have been applied to fit
it into the margins.A sample report generated from a received electronic mail phishing
message in shown in this section.