Add your abuse mailbox
Introduction
Configuring your team's abuse mailbox in Sublime allows you to remediate reported phish faster and automate the busywork of abuse mailboxes, including retrieving the original message reported by the user and taking action like trashing messages from real attacks. Sublime automatically groups messages in the same attack, so you can quickly remediate all messages in an attack based on a single user report.
For clarity, throughout this documentation we call the suspected malicious message forwarded by the user the reported message and the message the abuse mailbox receives when a user sends the reported message the reporting message, which contains the reported message in the body or as an attachment.
Configuration
Your abuse mailbox can be an actual user mailbox or a mailing list, such as a Microsoft 365 contact group (also known as a "distribution list") or a Google Group.
To configure your abuse mailbox, go to Admin > Account in the Sublime interface, enter your abuse mailbox address in the Abuse mailbox section, and click Save.
If you use an actual user mailbox as your abuse mailbox, you just need to confirm that the mailbox is listed as Active in your instance. To confirm, head to Admin > Mailboxes in the Sublime interface, search for your abuse mailbox address, and check for a green dot in the Status column.
If you use a mailing list as your abuse mailbox, you need to configure a few details:
- At least 1 actual mailbox must subscribe to the mailing list.
- The subscribed actual mailbox must receive all emails sent to the mailing list.
- The subscribed actual mailbox must be listed as Active in your instance. To confirm, head to Admin > Mailboxes in the Sublime interface, search for your abuse mailbox address, and check for a green dot in the Status column.
How Sublime processes abuse mailbox messages
When Sublime processes a reporting message sent to the abuse mailbox, it fetches the reported message by either:
- Extracting the
In-Reply-To
header from the reporting message and using that identifier to look up the reported message. - If the reporting message does not include an
In-Reply-To
header (usually meaning it wasn't sent using an email client's forwarding feature), or if Sublime cannot find a message matching theIn-Reply-To
header, Sublime will look for one or more attachments to the reporting message with an.eml
extension and use theMessage-ID
header of each such attachment to look up the reported message or messages. - If neither
In-Reply-To
or a valid EML attachment is present, the last value fromReferences
header is used. The identifier is again used to look up the reported message.
For security reasons, user reports must be recognized as internal messages by default. If you have an SPF, DKIM, or DMARC misconfiguration where messages sent by your users fail sender authentication, you can permit unauthenticated user reports from your users in your Account settings.
Only messages received by active Sublime mailboxes can be reported
Today, user reported messages must have first been ingested in Sublime in order to be processed as a User Report. This means that only messages from Sublime mailboxes can be reported.
Support for non-Sublime mailbox user report ingestion is on the roadmap and will be supported in the near future. If you'd like support for this, drop us a message and we'll let you know once it's released.
Processing of the reporting message
In most cases, Sublime will store the reporting message, including its MDM, so that it can be searched for and inspected, but Sublime will not run any rules on the reporting message, both so that you don't end up with additional flagged messages that are redundant with the reported message and so that the reporting message is not modified or removed from either the abuse mailbox or subscribers' mailboxes (typically members of the security team), which can interfere with investigations.
The exception, however, is when an external sender sends a message to the abuse mailbox. Sublime will still run rules on such messages to ensure attackers can't bypass Sublime rules by including the abuse mailbox as a recipient.
Viewing user reports
To view user reports in the Sublime interface, go to Messages > User Reported. This message list view will show all unreviewed reported message groups, regardless of whether the messages were flagged by any rules. You can modify any message filters from this view.
Updated about 1 month ago