On Jan 23, 2012, at 2:18 PM, Murray S. Kucherawy wrote:

>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of
>> Shmuel Metz
>> Sent: Monday, January 23, 2012 10:50 AM
>> To: Message Abuse Report Format working group
>> Subject: [marf] draft-ietf-marf-as Section 5 Solicited and Unsolicited
>> Reports
>>
>> I believe that 5. Solicited and Unsolicited Reports should list the
>> abuse address from the whois record of the source IP as a reasonable
>> candidate for receiving feedback.
>
> I have some concerns about doing this, since the reply from a WHOIS query is
> non-standard. Do we really want to say "apply some unspecified heuristic to
> the WHOIS reply to get that address"?

It's all heuristics. However, ARIN and RIPE at least have some structure in their responses, including explicitly recorded abuse contacts. When they exist (which they usually do) that does give you an IP address to abuse address mapping - and while the contact is often too far up the delegation tree to be the right contact, it's seldom an actively bad contact:

OrgAbuseHandle: ABUSE1036-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-510-580-4100
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE1036-ARIN

>
>> If there is a PTR for that address, would an associated abuse address
>> be a reasonable candidate for receiving feedback? If so, would it only
>> be reasonable for FCrDNS?
>
> I don't think so. I don't think we want to start encouraging people to try
> to find any domain to which to prepend "abuse@" to start sending reports.
> DKIM is the exception, because a valid DKIM signature makes a strong
> statement the likes of "Yes, we handled this message." A PTR record, for
> example, does not.

DKIM states that the owner of the d= hostname signed[1] the message. That could mean anything between them being the spammer, to them being the ISP of an end user with a compromised box. Whether that's an appropriate entity to contact requires applying some heuristics, and mapping that d= value to an appropriate email address requires some more.

In the case where an ESP is signing the mail sent by their customers with a d= value inside the customer's domain then there may not be an abuse@X address for any given d=X or d=Y.X, and even when there is it's unlikely to be the right address to contact for abuse issues. Simple heuristics based on ARIN or RIPE registry data are likely to be much more accurate in that case.

Cheers,
Steve

[1] Or delegated signing responsibility to, or...
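
An added example, not part of the original message or of the MARF draft: a parser that pulls the structured abuse contact out of a registry reply, using the OrgAbuse* fields shown in the ARIN excerpt above. The RIPE "abuse-mailbox" attribute, the function name and both sample replies are assumptions constructed for illustration.

```python
import re

# "OrgAbuse*" is the ARIN field family quoted in the message above; RIPE's
# "abuse-mailbox" attribute is added here and is not mentioned in the thread.
EMAIL_RE = re.compile(r"^[^@\s<>]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def parse_abuse_contacts(whois_text):
    """Return abuse contacts from a WHOIS reply, in order of appearance."""
    contacts, seen = [], set()
    # Registry replies separate records with blank lines.
    for block in re.split(r"\n\s*\n", whois_text.replace("\r\n", "\n")):
        contact = {}
        for line in block.splitlines():
            line = line.strip()
            # Skip blanks, registry comment lines and lines with no field.
            if not line or line[0] in "#%" or ":" not in line:
                continue
            key, _, value = line.partition(":")  # values may contain ':'
            key, value = key.strip(), value.strip()
            if key.startswith("OrgAbuse"):
                contact[key[len("OrgAbuse"):].lower()] = value
            elif key.lower() == "abuse-mailbox":
                contact["email"] = value
        email = contact.get("email", "")
        # Drop records without a plausible address instead of guessing one.
        if EMAIL_RE.match(email) and email.lower() not in seen:
            seen.add(email.lower())
            contacts.append(contact)
    return contacts

# Constructed sample replies (not real registry data).
SAMPLE_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Networks

OrgAbuseHandle: ABUSE0000-EXAMPLE
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-555-0100
OrgAbuseEmail:  abuse@example.net
OrgAbuseRef:    http://whois.example.net/rest/poc/ABUSE0000-EXAMPLE

OrgTechEmail:   noc@example.net
"""
SAMPLE_RIPE = """\
% constructed RIPE-style reply
role:           Example Abuse Team
abuse-mailbox:  abuse@example.org
"""
```

The parser returns every candidate it finds and leaves the choice of which one to report to, the heuristic part discussed above, to the caller.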
