[feedback-report] Abuse Report with no Spam

Yakov Shafranovich YakovS at solidmatrix.com
Fri Jul 13 07:12:21 PDT 2007


Marc Perkel wrote:
> OK - Here's a question about abuse reports that don't fit the specs.
> I'm now generating this report to report viruses. I'm able to detect the
> presence of viruses without actually receiving the email based only on
> the behavior of the virus. What I'm doing is every 6 hours I'm sending a
> list of infected computers to abuse. This is the form I'm using now. How
> would something like this fit into an ARF model?
> 

ARF is meant for reporting a single email message. For viruses, that
would mean sending back the headers of a specific infected message
without the body. The current spec lets you do that in section 4, part d.

HOWEVER, based on your example what you are describing is not the same
thing. First of all, ARF is not intended for aggregate reporting. We
have discussed aggregated reporting a while back when Hotmail began to
do it, but decided to pick this problem apart first. Second, reporting
virus-like behavior without actual emails is for sure not ARF. What you
want to do is report security problems such as virus-infected machines,
not virus-infected emails. For that, there are other draft standards
like this one:

http://www.cert.org/ietf/inch/inch.html

Yakov

