[feedback-report] ARF working group interest?

Todd Herr therr at security.rr.com
Thu Sep 3 09:51:35 PDT 2009


On Thu, Sep 03, 2009 at 12:20:49PM -0400, John R. Levine wrote:
> > What, I don't count anymore? ;)
> 
> Hey, this is the IETF where anecdotes about something that happened to 
> some guy with a Sun3 in 1998 count for more than the experience of global 
> mail providers.
> 
> > The vast majority of our FBLs also go to addresses other than abuse@.
> > Keeping all of those channels straight gets to be a cumbersome task on
> > both sides, especially as more and more mailbox providers become fbl
> > providers. I would be interested in a standard way to discover where to
> > route automated reports that I don't expect a response to, whether they
> > trust me as a report sender or not. I should be able to authenticate the
> > reports as coming from my system and let the report recipients decide
> > whether to process it or not based on that authentication, instead of
> > relying on shared secrets established when the channel was created.
> 
> Let's see if we can pick that apart a little.
> 
> For senders of reports:
> 
> * Where do you send them if you're trusted, or if you're untrusted

In my experience, we only send FBL reports to those who've asked
for them (and been approved for enrollment in our FBL), and then to 
the address that the requester has specified at the time of signup.

I have found that sending untrusted ARF reports to abuse@ results in 
responses ranging the gamut of:

- Reply asking to please stop sending mail with attachments to abuse@
- Reply asking to change format to something other than ARF
- Reply asking to please send FBL to other address
- Silence

I'd also add that when we speak of untrusted senders, we must divide
them into at least three categories:

- Mail providers (i.e., actual ISP mail operations staff)
- Mailbox holders who are clued enough to read headers and make a
  reasonable guess at the right place to which to complain
- Mailbox holders who aren't clued enough to read headers

For the latter two classes, providing them with a method to generate
an ARF report is a large hurdle, because it's going to have to be something
done inside the mail client, with one click of the mouse/one keystroke.
Mail providers alone cannot shoulder that burden if they don't provide
their customers with a uniform client and a uniform method of accessing
their mail.

I *heart* ARF, but I believe it's only effective at this time when
there's a trust relationship involved.

-- 
Todd Herr
Principal Engineer and Postmaster              V: 703.345.2447
Road Runner Email Operations                   M: 571.287.0366
therr at security.rr.com                        AIM: RRMailToddHerr