[feedback-report] ARF working group interest?

Alessandro Vesely vesely at tana.it
Wed Sep 2 09:28:05 PDT 2009


Murray S. Kucherawy wrote:
> One of the main functions of creating the working group will be to take 
> on the technical work of considering whether ARF as it is currently 
> defined is necessary and sufficient.  That is, we should consider 
> dropping stuff that’s not actually useful or ambiguous, and adding what 
> appears to be missing.

Please let me state once more that ARF is not sufficient. What appears 
to be missing are the indications of when and how to use it, i.e. the 
role of a mail domain and its "abuse" mailbox. In the draft's words:

                           Determination of where these reports should
  be sent, how trust among report generators and report recipients is
  established, and reports related to more than one message are outside
  the scope of this document.

I consider that self-imposed limitation useful, as it will likely 
allow ARF to be standardized more quickly, as others have also noted on 
this list. However, while those out-of-scope issues would hardly fit 
within a single RFC, a working group might/should take them into account.

Existing specifications are not sufficient: RFC 2142 dates back to 
1997. It defines abuse@, but does not mention automated processing. 
That concept is reinforced by RFC 3013 (BCP 46), and RFC 2635 (FYI 
35); the latter additionally suggests that users submit complaints to 
the local abuse desk, or to a global one (it mentions abuse.net).

Some drafts exist that consider the concepts of abuse reporting (e.g. 
[1]) and domain-based reputation (e.g. [2]). While they may look 
distant from format discussions, the alternatives of either not 
discussing them, or discussing them in different WGs/lists, are bound 
to result in rough and inconsistent interoperability. For example, 
consider anonymization, a.k.a. munging reports; or report forwarding. 
More coordination may eventually result in a more consistent overall 
picture that ESPs and MUAs may conform to.

[1] http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation
[2] http://tools.ietf.org/html/draft-vesely-vhlo

> The most recent version of the draft charter is attached. [...]
> Of course, everyone is invited to make suggestions and participate in 
> the discussion for any work to be done by the working group.

What I would suggest is to modify the name and the description of the 
WG so as to provide for further discussion on feedback loops, after 
the publication of the first RFC. Please note that this would be a 
completion, not an upset. Tentatively,

Name: from

  Abuse Reporting Format (ARF)

to, e.g.,

  Wide-range Abuse Reporting Format And Related Extents (WARFARE)


Description (1st paragraph only): from

  Messaging anti-abuse operations between independent services often
  requires sending reports on observed fraud, spam virus or other abuse
  activity.  A standardized report format enables automated processing.
  The Abuse Reporting Format (ARF) specification has gained sufficient
  popularity to warrant formal codification, to ensure future
  interoperability with new implementations. The primary function of
  this working group will be to solicit review and refinement of the
  existing specification.

to

  Messaging anti-abuse operations between independent services often
  require sending reports on observed fraud, spam virus or other abuse
  activity.  A standardized report format enables automated processing.
  The Abuse Reporting Format (ARF) specification has gained sufficient
  popularity to warrant formal codification, to ensure future
  interoperability with new implementations. The primary function of
  this working group will be to solicit review and refinement of the
  existing format specifications.  In addition, this working group may
  review current practices for forwarding abuse reports and subscribing
  to such feeds, possibly examining the security issues implied in
  migrating from IPv4-based subscriptions to domain-based ones.



