[feedback-report] The limits of ARF, and INCH
duofold at bellatlantic.net
Sun Jul 26 13:42:31 PDT 2009
On Jul 26, 2009, at 3:00 PM, John R. Levine wrote:
> There's been a lot of work on "Incident Handling", where an incident
> consists of multiple events.
To some of us, a single abusive e-mail message can be an "incident"
all by itself according to this definition, because of the
multiplicity of ruses and dodges used by the sender. For example, I
have a message in my inbox today that has the following taints of
network abuse all over it:
1. Message sent to my provider's MX from a dynamic pool host with a
forged HELO, so probably a botnet mailing. Probably some federal law
violations there, in any case it is theft of service from the provider
and from the bot's owner (not to mention malicious vandalism to the
2. Message contains a URL whose host resolves simultaneously to 10 or
more IP addresses in widely differing blocks, each with TTL on the
order of a couple of minutes. Again, more botnet activity (fast flux),
both for public HTTP service and for authoritative DNS (which is also
hosted on some of these same addresses). More theft of service, more
possible violations of the law.
3. Using domain-WHOIS to look into the domain in the URL, I find that
the registrant data is incomplete and demonstrably inaccurate. This is
a violation of ICANN policy regarding the accuracy and reliability of
4. The domain of the authNS for the URL is different, and has its own
hosting rotation and forged registrant info. More theft, more crime,
yadda yadda ...
What I gather from the previous discussions is that ARF is intended to
handle mainly cases like #1 above. If it is useful for these, then I
take my hat off to it. However, I personally have ways to report
message sources that are far easier for me to use as an end-user of e-
mail. ARF seems not to be so useful for pointing out peripheral
technical problems (like drop boxes) related to mail abuse.
Also, as always, it seems that the outcome of an abuse report will
depend at least as much upon the responsiveness of the report
recipient than the form in which the report is sent (assuming, of
course, that the report's details are accurate and pertinent). Good
providers will act even on humble plain-text reports like mine, other
providers, well ...
More information about the abuse-feedback-report