On Jul 24, 2011, at 3:53 PM, Murray S. Kucherawy forwarded an anonymous non-participant's feedback:
> 1) I consider it extremely rude and dangerous to transmit malware across the
> Internet even in the form of an ARF, apart from the fact that virus filters
> at the ISP level and/or the recipient's level may well catch the malware,
> create a report of that malware (thus creating a loop), and at the same time
> firewall the offending IP (our mail server). Hence the proposal to return the
> complete message in case of reporting a virus is a very bad idea. Instead,
> only the header of the offending message should be returned.

There's some validity to these arguments, but what they're convincing me of is that the "virus" type should be removed entirely. It's never really been tested at scale, and we didn't have much input from the malware reporting/research community.

Is anyone aware of any implementations that do anything special with Feedback-Type: virus?

Is anyone aware of serious malware reporting/research institutions using ARF?

> Another comment regarding the _report.domain DNS TXT entry ...
>
> In principle that seems to be a reasonable idea, however, there's a duplicate
> created that way. Right now abuse addresses are mandatory for the IP address
> entries in ARIN, RIPE, ... The problem there, the databases are not really
> consistent, but consistent enough that parsing of the entries for abuse
> addresses is possible indeed.

We talked about this earlier. The published abuse@ address is intended for communication from humans; it would be rude to assume abuse@ is set up for ARF. By publishing a separate record, the domain owner is saying "I know about ARF, and I process ARF at this address."

It's a shame that this person is not willing to participate in the conversation.

--
J.D. Falk
the leading purveyor of industry counter-rhetoric solutions

_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
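The headers-only alternative raised in the quoted feedback, as an added example that is not part of the original thread: RFC 5965 allows the third part of an ARF report to be text/rfc822-headers instead of message/rfc822, so a reporter can send the header block without the message body. The sample message, addresses and the `ExampleReporter/0.1` agent name are constructed for illustration.

```python
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample of a reported message; the body is a harmless placeholder.
SAMPLE = (
    "Received: from mail.example.net (192.0.2.10) by mx.example.org; "
    "Sun, 24 Jul 2011 12:00:00 -0000\r\n"
    "From: sender@example.net\r\n"
    "To: user@example.org\r\n"
    "Subject: invoice\r\n"
    "Message-ID: <constructed-1@example.net>\r\n"
    "\r\n"
    "CONSTRUCTED-BODY-PLACEHOLDER\r\n"
)


def headers_only(raw: str) -> str:
    """Return the header block only: everything before the first blank line."""
    head, _, _ = raw.replace("\r\n", "\n").partition("\n\n")
    return head + "\n"


def build_report(raw: str, feedback_type: str, sender: str, rcpt: str) -> MIMEMultipart:
    """Build a multipart/report ARF message that never embeds the original body."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = sender
    report["To"] = rcpt
    report["Subject"] = "FW: abuse report (headers only)"

    # Part 1: human-readable explanation.
    report.attach(MIMEText("This is an abuse report; only the original headers are attached.\n"))

    # Part 2: machine-readable fields, carried as message/feedback-report.
    fields = Message()
    fields["Feedback-Type"] = feedback_type
    fields["User-Agent"] = "ExampleReporter/0.1"  # hypothetical agent name
    fields["Version"] = "1"
    report.attach(MIMEMessage(fields, "feedback-report"))

    # Part 3: text/rfc822-headers in place of message/rfc822, so no body is sent.
    report.attach(MIMEText(headers_only(raw), "rfc822-headers"))
    return report


if __name__ == "__main__":
    print(build_report(SAMPLE, "virus", "reporter@example.org", "arf@example.net").as_string())
```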
