DOC: when to use xarf messages to network owner

config/action.d/xarf-login-attack.conf

@@ -1,10 +1,21 @@
 # Fail2Ban action for sending xarf Login-Attack messages to IP owner
 #
+# IMPORTANT: 
+# 
+# Emailing a IP owner of abuse is a serious complain. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+#   * The recidive where the IP has been banned multiple times
+#   * Where maxretry has been set quite high, beyond the normal user typing
+#     password incorrectly.
+#   * For filters that have a low likelyhood of receiving human errors
+#
+# DEPENDANCIES:
+#
 # This requires the dig command from bind-utils
 #
 # This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
 #
-#
 # XARF is a specification for sending a formatted response
 # for non-messaging based abuse including:
 #

config/jail.conf

@@ -151,6 +151,8 @@ action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protoc
 action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
 # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
 # to the destemail.
 action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]