Submit and receive abuse reports using the XARF (eXtended Abuse Reporting Format) v4 schema

Verified steps

1. Understand the XARF v4 structure: reports are JSON objects with a shared envelope (schema_version, report_id, reporter object, reported_at timestamp in ISO 8601 UTC) and a category-specific payload from one of seven categories (Spam, Phishing, Malware, NetworkAbuse, ContentAbuse, Fraud, or Other) covering 32 defined types.
2. To file an abuse report, construct a JSON object matching the appropriate XARF v4 schema; validate against the official JSON Schema files published in the xarf/xarf-spec GitHub repository before sending.
3. Locate the abuse contact for the reported IP or domain: query RIPE Whois (whois.ripe.net), ARIN, or APNIC for the abuse-c handle; use the Abusix Contact DB API for automated lookups that aggregate abuse contacts across all five RIRs into a single query.
4. Deliver the XARF report to the abuse contact's registered email address as a JSON attachment with Content-Type application/json, or via an HTTPS POST if the receiving organisation publishes an abuse API endpoint; include a human-readable summary in the email body.
5. To receive XARF reports, publish an abuse contact in your WHOIS record and optionally expose an HTTPS endpoint that accepts POST requests with Content-Type application/json; validate incoming JSON against the xarf/xarf-spec schemas and acknowledge receipt with an HTTP 200 response.
6. Automate report triage: parse report_type to route to the correct team (Spam to anti-spam, NetworkAbuse to NOC, Phishing to security); use reported_at and evidence fields to correlate with your own logs; close reports with a follow-up notification to the reporter.