[feedback-report] The limits of ARF, and INCH
Richard Conner
duofold at bellatlantic.net
Sun Jul 26 13:42:31 PDT 2009
On Jul 26, 2009, at 3:00 PM, John R. Levine wrote:
> There's been a lot of work on "Incident Handling", where an incident
> consists of multiple events.
To some of us, a single abusive e-mail message can be an "incident"
all by itself according to this definition, because of the
multiplicity of ruses and dodges used by the sender. For example, I
have a message in my inbox today that has the following taints of
network abuse all over it:
1. Message sent to my provider's MX from a dynamic pool host with a
forged HELO, so probably a botnet mailing. Probably some federal law
violations there, in any case it is theft of service from the provider
and from the bot's owner (not to mention malicious vandalism to the
bot computer).
2. Message contains a URL whose host resolves simultaneously to 10 or
more IP addresses in widely differing blocks, each with TTL on the
order of a couple of minutes. Again, more botnet activity (fast flux),
both for public HTTP service and for authoritative DNS (which is also
hosted on some of these same addresses). More theft of service, more
possible violations of the law.
3. Using domain-WHOIS to look into the domain in the URL, I find that
the registrant data is incomplete and demonstrably inaccurate. This is
a violation of ICANN policy regarding the accuracy and reliability of
registrant info.
4. The domain of the authNS for the URL is different, and has its own
hosting rotation and forged registrant info. More theft, more crime,
yadda yadda ...
What I gather from the previous discussions is that ARF is intended to
handle mainly cases like #1 above. If it is useful for these, then I
take my hat off to it. However, I personally have ways to report
message sources that are far easier for me to use as an end-user of e-
mail. ARF seems not to be so useful for pointing out peripheral
technical problems (like drop boxes) related to mail abuse.
Also, as always, it seems that the outcome of an abuse report will
depend at least as much upon the responsiveness of the report
recipient as upon the form in which the report is sent (assuming, of
course, that the report's details are accurate and pertinent). Good
providers will act even on humble plain-text reports like mine; other
providers, well ...
-- rick
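The fast-flux indicators in items 2 and 4 of the message above (a hostname resolving to many addresses in widely differing blocks, each with a TTL of a couple of minutes, and an authoritative NS rotation overlapping the web rotation) can be checked mechanically before an abuse report is written. The following is an added example, not code from the original post or from the list's authors. It runs entirely on constructed DNS answers embedded inline; the thresholds (10 addresses, 5 distinct /16 blocks, TTL of 300 seconds or less) are assumptions chosen to mirror the post's description, not an established standard, and a real check would gather records from repeated lookups over time.

```python
import ipaddress
from collections import namedtuple

# Constructed sample DNS answers (not real data): A records as (address, ttl_seconds)
# for the host named in the abusive URL. Private ranges are used so the sample is
# obviously synthetic; the point is the spread of /16 blocks and the short TTLs.
SAMPLE_A_RECORDS = [
    ("10.12.34.56", 120), ("10.200.1.2", 150), ("172.16.9.8", 120),
    ("172.20.77.3", 180), ("172.31.4.4", 120), ("192.168.50.1", 150),
    ("10.77.0.9", 120), ("172.22.15.15", 120), ("192.168.200.7", 180),
    ("10.9.8.7", 120),
]

# Constructed A records for the authoritative nameserver of that domain (item 4 in
# the post): its rotation reuses some of the same hosts as the web rotation.
SAMPLE_NS_A_RECORDS = [("172.20.77.3", 120), ("10.9.8.7", 120), ("192.168.50.1", 120)]

# Constructed control case: an ordinary host with two addresses and a day-long TTL.
BENIGN_A_RECORDS = [("192.0.2.10", 86400), ("192.0.2.11", 86400)]

FluxAssessment = namedtuple(
    "FluxAssessment", "addresses blocks min_ttl max_ttl suspicious"
)


def distinct_blocks(addresses, prefixlen=16):
    """Count the distinct /prefixlen networks the addresses fall into."""
    return len({
        ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addresses
    })


def assess_fast_flux(records, min_addresses=10, min_blocks=5, max_ttl=300):
    """Apply the heuristic described in the post: many addresses, spread across
    unrelated blocks, all with short TTLs. Thresholds are assumptions."""
    addrs = {a for a, _ in records}
    ttls = [t for _, t in records]
    blocks = distinct_blocks(addrs)
    suspicious = (
        len(addrs) >= min_addresses
        and blocks >= min_blocks
        and max(ttls) <= max_ttl
    )
    return FluxAssessment(len(addrs), blocks, min(ttls), max(ttls), suspicious)


def shared_hosting(records_a, records_b):
    """Addresses that appear in both rotations (e.g. web host and authoritative NS),
    sorted numerically so the output is stable for inclusion in a report."""
    common = {a for a, _ in records_a} & {a for a, _ in records_b}
    return sorted(common, key=ipaddress.ip_address)


def summarize(name, assessment, shared=()):
    """Render the findings as the kind of plain-text lines a human report can carry."""
    lines = [
        f"{name}: {assessment.addresses} addresses across "
        f"{assessment.blocks} /16 blocks, TTL {assessment.min_ttl}-{assessment.max_ttl}s",
        "fast-flux indicators: " + ("present" if assessment.suspicious else "absent"),
    ]
    if shared:
        lines.append("addresses shared with authoritative NS: " + ", ".join(shared))
    return "\n".join(lines)


if __name__ == "__main__":
    flux = assess_fast_flux(SAMPLE_A_RECORDS)
    overlap = shared_hosting(SAMPLE_A_RECORDS, SAMPLE_NS_A_RECORDS)
    print(summarize("constructed-url-host", flux, overlap))
    print(summarize("constructed-benign-host", assess_fast_flux(BENIGN_A_RECORDS)))
```

The /16 grouping is a coarse stand-in for "widely differing blocks"; a more careful check would group by announcing AS rather than prefix length, and would compare answers from several lookups spaced over the TTL window, since a single answer cannot show that the set of addresses is actually rotating.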