[feedback-report] FW: Another ARF expansion request

Yakov Shafranovich yakov at shaftek.org
Fri Sep 18 10:35:11 PDT 2009


On Fri, Sep 18, 2009 at 1:20 PM, Murray S. Kucherawy <msk at cloudmark.com> wrote:
>> These are all entirely reasonable things to report in automated or
>> semi-automated ways, but I'd rather not try and shoehorn them all into a
>> format designed to report single e-mail messages.
>>
>> I'd suggest that people look at the various INCH documents, since they
>> have already addressed a lot of these same issues.  There may turn out to
>> be some fatal problem with INCH that makes it unsuitable, but since it
>> represents quite a few years' work by smart people thinking about very
>> similar problems to ours, we should at least make an informed decision
>> whether or not to use it.
>>
>> See http://www.cert.org/ietf/inch/inch.html
>
> +1 to all of that.  I was simply encouraging discussion. :)
>

I agree with both of you. I would also like to add that ARF is a "son
of" RFC 3462, which is a MIME type for "Reporting of Mail System
Administrative Messages". While spam botnets fit within the definition
(barely), things like FTP attacks are way out of scope.

> Is anyone on this list using INCH?  Or if anyone has made a conscious decision not to pursue INCH, can you share your reasons with the group?
>

I would also like to add that if anyone feels that INCH is too
complex, they can consider making an ARF-like format for INCH (I guess
INCH-lite or Incident Reporting Format / IRF?). But that again would
be out of scope for this group and is something that the INCH WG or the
security AD would need to look into.

ARF works because it is simple. Making it more complicated would
dissuade people from using it.

Yakov


