[feedback-report] Feedback types & e-mail drop boxes
Tobias Knecht
knut at knutix.de
Sun Jul 26 13:48:20 PDT 2009
Hi again,
short answer, long mail later ;-)
>>> In our opinion ARF itself has one big problem and it's kind of the
>>> problem Richard Connor is talking about. ARF is called the "Abuse
>>> Reporting Format" but at the moment it's not possible to report all
>>> kinds of abuse with it. Dropboxes, Phishing, DoS, ...
>> I'm happy to have that discussion take place here. This isn't the
>> first time I've heard of all of those as possible ARF extensions,
>> and really given the standards activity around it, now's the time to
>> have those conversations.
>>
>> So, do you have proposed text changes to the draft that cover these
>> cases? Or can someone make such a proposal?
>
> I think that the email related ones are already covered. Dropbox ==
> Reported-URI:mailto:. Phishing == Feedback-Type:fraud.
Right. But we also have phishing data, that is not mail related.
> ARF is not an appropriate format, really, for DoS as it's intended to
> encapsulate a reported message (typically email, but somewhat
> extensible to other messaging systems, I'd guess).
I think a little bit different. We have seen a really big effort by only
reporting spam messages to the ISPs. Lots of huge ISPs already use our
data and lock customers very very fast. Some do that within seconds,
'cause they trust our data. If an attacked ISP could be able to report
information about bad behaving IP addresses to the network owner, they
would be able to lock customers very fast. That way DoS attacks would
stop earlier or lose power faster than they do at the moment.
I know that this is not working perfectly at the moment, 'cause lots
of ISPs do not care about abuse handling, but I bet they will one time.
The more ISPs handle their abuse faster the better this works.
> There are other standards for reporting packet or log based issues, I
> believe (IDMEF aka RFC 4765 might be one. There are others, I think.).
Unfortunately not always the best standard is adopted by the mass. I
think we have seen that several times. ARF is in my opinion the most
used reporting format, and to be honest, it's hard enough to force ISPs
getting their abuse handling up and running, and it is hard to get them
to ARF. It's not the right way to offer them 5 different formats.
>> Also, doesn't ARF already cover phishing, as "fraud"?
Phishing emails yes. But no information from different sources.
Tobias
--
abusix.org
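
Added example, not part of the original message or of any project mentioned in the thread: a Python sketch of how a receiving abuse desk could apply the mapping quoted above (Feedback-Type: fraud for phishing, Reported-URI: mailto: for an e-mail drop box) to an incoming ARF report. The sample report, its addresses and the function names are constructed for illustration and assume the multipart/report layout with a message/feedback-report part.

```python
from email import message_from_string

# Constructed sample report; every address and host below is a placeholder.
SAMPLE = """\
From: reporter@example.net
To: abuse@example.com
Subject: FW: Verify your account
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report;
 boundary="arf-part"

--arf-part
Content-Type: text/plain

This is an abuse report for a phishing message.

--arf-part
Content-Type: message/feedback-report

Feedback-Type: fraud
User-Agent: ExampleReporter/1.0
Reported-URI: mailto:collector@dropbox.example
Reported-URI: http://phish.example/login

--arf-part
Content-Type: message/rfc822

From: "Bank" <support@bank.example>
Subject: Verify your account

Reply with your password to collector@dropbox.example

--arf-part--
"""

def feedback_fields(raw):
    """Return the machine-readable part of an ARF report as a header set."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "message/feedback-report":
            body = part.get_payload()
            # The stdlib parser nests message/* bodies as a one-item list.
            return body[0] if isinstance(body, list) else message_from_string(body)
    raise ValueError("no message/feedback-report part found")

def classify(raw):
    """Apply the thread's mapping: fraud -> phishing, mailto: URI -> drop box."""
    fields = feedback_fields(raw)
    ftype = (fields.get("Feedback-Type") or "").strip().lower()
    uris = [u.strip() for u in fields.get_all("Reported-URI", [])]
    boxes = [u[len("mailto:"):] for u in uris if u.lower().startswith("mailto:")]
    other = [u for u in uris if not u.lower().startswith("mailto:")]
    return {"feedback_type": ftype, "is_phishing": ftype == "fraud",
            "drop_boxes": boxes, "other_uris": other}
```

A report whose Reported-URI fields contain no mailto: entry comes back with an empty drop_boxes list, so the same routine also separates ordinary phishing reports from drop-box reports.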