ARF reports parsing/handling - DMARC reports

[Apologies - double posting from rt-users group to correct]

Greetings,

Have recently set up capability to receive DMARC aggregate reports
from email providers and I believe they are delivered as zip’d ARF XML
documents. Noticed the following blurb on RTIR features:

“we’ve written custom parsers to handle DMCA complaints and feedback
loop emails conforming to the Abuse Reporting Format (ARF).”

Wanted to see if there’s any of this code in public distribution at
this point, or if anyone that has implemented this in a satisfactory
way had anything they could share about their approach.

Not sure what the possibilities are for handling reports with
automation and finesse, but at the very least I thought it’d be
interesting to automate Incident Report creation on receipt.

Darren Spruell
phatbuckett@gmail.com

> Have recently set up capability to receive DMARC aggregate reports
> from email providers and I believe they are delivered as zip’d ARF XML
> documents. Noticed the following blurb on RTIR features:
>
> “we’ve written custom parsers to handle DMCA complaints and feedback
> loop emails conforming to the Abuse Reporting Format (ARF).”
>
> Wanted to see if there’s any of this code in public distribution at
> this point, or if anyone that has implemented this in a satisfactory
> way had anything they could share about their approach.

I’m not aware of the ARF specific code being public. It’s been
cleaned up, but was still quite customer specific (and I’m not sure it
dealt with zipped attachments from a quick perusal, although that
isn’t terribly hard).

Basically, when we can, we ship things like:


which handles a different set of formats, but in the case of this
particular client, we couldn’t extract their ARF code into a public
extension.

> Not sure what the possibilities are for handling reports with
> automation and finesse, but at the very least I thought it’d be
> interesting to automate Incident Report creation on receipt.

If you look at the capabilities of RT::Extension::ACNS it’s pretty
common to set a bunch of specific Custom Fields upon receipt, and as I
understand it, the client who sponsored RT::Extension::ACNS uses it to
auto-create the Incident and Investigations when they can (when
there’s enough info in the report and their external system to do so).

-kevin
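
The zipped-attachment handling discussed in this thread, as an added example (not code from either poster, RTIR, or RT::Extension::ACNS): it unpacks a zipped DMARC aggregate report in the RFC 7489 XML layout, treating the attachment as untrusted input, and picks out the rows that would justify an Incident Report. The function names, the size cap and the sample report are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap on decompressed size (zip-bomb guard)

# Constructed sample report: RFC 7489 aggregate layout, no XML namespace.
SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>r-0001</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def make_sample_zip():
    """Build the constructed attachment in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("example-receiver!example.org!0!1.xml", SAMPLE_XML)
    return buf.getvalue()

def parse_aggregate_report(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if m.filename.lower().endswith(".xml")]
        if len(members) != 1:
            raise ValueError("expected exactly one XML member")
        with zf.open(members[0]) as fh:
            data = fh.read(MAX_XML_BYTES + 1)  # bounded read; declared size is not trusted
    if len(data) > MAX_XML_BYTES:
        raise ValueError("report too large")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:  # crude guard, assumes ASCII-compatible encoding
        raise ValueError("DTD/entity declarations refused")
    root = ET.fromstring(data)
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue  # skip malformed rows instead of failing the whole report
        rows.append({"source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count", "0")),
                     "dkim": ev.findtext("dkim"), "spf": ev.findtext("spf")})
    return {"org": root.findtext("report_metadata/org_name"), "report_id": root.findtext("report_metadata/report_id"),
            "domain": root.findtext("policy_published/domain"), "records": rows}

def incident_candidates(report):
    """Rows where both DKIM and SPF failed DMARC evaluation."""
    return [r for r in report["records"] if r["dkim"] == "fail" and r["spf"] == "fail"]
```

The fields returned here are the kind of values that could be copied into ticket Custom Fields on receipt, in the way the reply describes for RT::Extension::ACNS.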