On 10/Feb/12 13:06, Scott Kitterman wrote:
> Alessandro Vesely <[email protected]> wrote:
>>
>> The amount of support that ISPs may want to give to abuse reporting is
>> unknown at this time.  Requiring them to proactively police abusive
>> use of domain names in outgoing mail is probably not an option, also
>> because that might interfere with contractual habits (more than
>> explicit complaints from third parties.)
> 
> This would only be relevant for their own domain, some other domain
> would be a different case. What I suggest isn't nearly so broad as
> you infer.
> 
>> That the domain part of abuse-mailboxes should not be
>> SPF-protected would be a new, somewhat obscure requirement, that
>> is not going to improve SPF adoption.
> 
> I don't agree. I don't see such a requirement.

If some leased addresses can get (soft)fail for ISP.example, the ISP
needs to scan outgoing SMTP transactions --if they are not cyphered--
in order to avoid non-reportable cases.  Otherwise a bot-master could
MAIL FROM:<[email protected]> from those addresses and get
away with it.

(And that is assuming that ISPs don't publish abuse-mailboxes for the
sole purpose of keeping admin and technical contacts clear of spam
complaints.)

>> We mention how to derive a destination address from
>>
>> * WHOIS,
>> * rDNS, and
>> * "pass" for SPF/DKIM domain.
>>
>> Any other destination is dicey, and SHOULD NOT be used.  IOW, an
>> address derived from WHOIS, rDNS, or DKIM does not need to be doubly
>> checked against SPF none/neutral.  And let me stress this once more:
>> we are talking _only_ of addresses derived in one of those three ways.
>>
>> Yes, it is more complicated.  For example, if I get DKIM pass and SPF
>> fail for the same domain, I should hypothesize a replay attack which
>> might be better reported as an authentication failure.  But that's
>> well beyond what this I-D is going to specify/state.
> 
> I think the DKIM pass with the same domain is a reasonable case.  I
> can imagine a rogue ESP scenario where notifying the domain owner
> is a good idea.

Author's domain should be the preferred reporting path, for example
for newcomers or naive spammers, in order to have them admonished by
their own postmasters.

However, DKIM signatures can break for other reasons.  In that case, a
broken signature gives no hints about deriving the same reporting
target from some other heuristics.

> I'll go back and modify my answer to Murray.

I hope he won't get down to convoluted scenarios.  Examples belong in
appendixes, and one or a few actual cases would be clearer than lengthy
discussions, IMHO.
_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
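
The destination rule discussed in this message (only WHOIS, rDNS, or an SPF/DKIM "pass" domain; DKIM pass with SPF fail for the same domain flagged as a possible replay), as an added example that is not part of the original thread or the draft. It assumes the receiver records results in an Authentication-Results header; the function names, the sample header and all domains are constructed for illustration.

```python
import re

# Constructed sample header; every domain is a placeholder.
SAMPLE = ("mx.receiver.example; "
          "spf=fail smtp.mailfrom=bot@isp.example; "
          "dkim=pass header.d=isp.example; "
          "dkim=neutral (body hash mismatch) header.d=list.example")

def parse_auth_results(header):
    """Return (method, result, domain) tuples for the spf/dkim entries."""
    header = re.sub(r"\([^)]*\)", "", header)   # drop simple, non-nested comments
    found = []
    for part in header.split(";")[1:]:          # part 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)\s*=\s*([a-z]+)", part, re.I)
        p = re.search(r"\b(?:smtp\.mailfrom|header\.d|header\.i)\s*=\s*(\S+)",
                      part, re.I)
        if m and p:
            # Keep only the domain part of an address-valued property.
            domain = p.group(1).rsplit("@", 1)[-1].rstrip(".").lower()
            found.append((m.group(1).lower(), m.group(2).lower(), domain))
    return found

def report_targets(header, whois_domain=None, rdns_domain=None):
    """Pick reporting domains from WHOIS, rDNS and SPF/DKIM 'pass' only.

    whois_domain and rdns_domain are looked up by the caller (hypothetical
    inputs here). Domains seen only with none/neutral/fail are never used.
    """
    results = parse_auth_results(header)
    passed = [d for _, r, d in results if r == "pass"]
    targets = []
    for d in [whois_domain, rdns_domain] + passed:
        if d and d not in targets:
            targets.append(d)
    # DKIM pass plus SPF fail for the same domain: possible replay, which may
    # be better reported as an authentication failure.
    dkim_pass = {d for m, r, d in results if m == "dkim" and r == "pass"}
    spf_fail = {d for m, r, d in results if m == "spf" and r == "fail"}
    return {"targets": targets, "possible_replay": sorted(dkim_pass & spf_fail)}

if __name__ == "__main__":
    print(report_targets(SAMPLE, rdns_domain="access.example"))
```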
