Add your abuse mailbox

Introduction

Configuring your team's abuse mailbox in Sublime allows you to remediate reported phish faster and automate the busywork of abuse mailboxes, including retrieving the original message reported by the user and taking action like trashing messages from real attacks. Sublime automatically groups messages in the same attack, so you can quickly remediate all messages in an attack based on a single user report.

📘

For clarity, throughout this documentation we call the suspected malicious message forwarded by the user the reported message and the message the abuse mailbox receives when a user sends the reported message the reporting message, which contains the reported message in the body or as an attachment.

Configuration

Your abuse mailbox can be an actual user mailbox or a mailing list, such as a Microsoft 365 contact group (also known as a "distribution list") or a Google Group.

If you use a mailing list as your abuse mailbox, you must have an active mailbox subscribed to the mailing list such that it receives every message sent to the mailing list. Sublime will fetch messages sent to the abuse address from the subscribed mailbox.

To configure your abuse mailbox, go to Admin > Account in the Sublime interface, enter your abuse mailbox address in the Abuse mailbox section, and click Save.

📘

The Abuse mailbox must be set to 'Active' for User Reports to flow into Sublime. To confirm its status, head to Admin > Mailboxes in the Sublime interface, search for your abuse mailbox address, and check the dot in the Status column. Active mailboxes will have a green dot!

How Sublime processes abuse mailbox messages

When Sublime processes a reporting message sent to the abuse mailbox, it fetches the reported message by either:

  1. Extracting the In-Reply-To header from the reporting message and using that identifier to look up the reported message.
  2. If the reporting message does not include an In-Reply-To header (usually meaning it wasn't sent using an email client's forwarding feature), or if Sublime cannot find a message matching the In-Reply-To header, Sublime will look for one or more attachments to the reporting message with an .eml extension and use the Message-ID header of each such attachment to look up the reported message or messages.
  3. If neither In-Reply-To or a valid EML attachment is present, the last value from References header is used. The identifier is again used to look up the reported message.

For security reasons, user reports must be recognized as internal messages by default. If you have an SPF, DKIM, or DMARC misconfiguration where messages sent by your users fail sender authentication, you can permit unauthenticated user reports from your users in your Account settings.

🚧

Only messages received by active Sublime mailboxes can be reported

Today, user reported messages must have first been ingested in Sublime in order to be processed as a User Report. This means that only messages from Sublime mailboxes can be reported.

Support for non-Sublime mailbox user report ingestion is on the roadmap and will be supported in the near future. If you'd like support for this, drop us a message and we'll let you know once it's released.

Processing of the reporting message

In most cases, Sublime will store the reporting message, including its MDM, so that it can be searched for and inspected, but Sublime will not run any rules on the reporting message, both so that you don't end up with additional flagged messages that are redundant with the reported message and so that the reporting message is not modified or removed from either the abuse mailbox or subscribers' mailboxes (typically members of the security team), which can interfere with investigations.

📘

The exception, however, is when an external sender sends a message to the abuse mailbox. Sublime will still run rules on such messages to ensure attackers can't bypass Sublime rules by including the abuse mailbox as a recipient.

Viewing user reports

To view user reports in the Sublime interface, go to Messages > User Reported. This message list view will show all unreviewed reported message groups, regardless of whether the messages were flagged by any rules. You can modify any message filters from this view.


What’s Next