
Re: [Asrg] 7. BCP - Abuse Reporting standard

2004-01-06 15:30:13
Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com> wrote:
> However, the problem seems to me that there is much more than simple
> email abuse here. This format can be used for reporting spam messages.
> What about open relays, hijacked computers, spam websites, false domain
> registrations, etc.? All of these play a large part in the spam world
> and SpamCop for example, reports URLs regularly. Some of this overlaps
> with the work of INCH and IDWG at the IETF.

  If it's useful, I'm willing to either supply data, or forward parts
of the spam arriving at my domain.

  Be warned, though, last time I checked, it was ~2 million messages a
day.

> So the question to me is more of scope - what scope should this subgroup
> have? Something that focuses solely on reporting spam messages
> themselves can be easily done with some kind of DSN-like format. BUT, if
> you want to report IPs, URLs, domains, and even perhaps include trace
> information on the spammer's companies, that is something much bigger,
> and requires different players.

  For open proxies/relays/abused machines, a combination of src IP,
HELO/EHLO, and time is a reasonable start (i.e. basically information
used in greylisting).  Content doesn't matter as much if you *know*
the network connection is being abused, as you'll always get the same
content in a message you didn't block. :)

  For low-volume spam from non-abused machines, content filters are a
reasonable approach.

  The problem I have with any kind of coordinated reporting mechanism
is that it's probably more expensive than coordinating a switch to a
different port, with additional restrictions.

  Even ephemeral ports would be useful.  A signed UDP packet could be
sent by an originator, saying "I've got X amount of data, with Y
characteristics for you, and whitelist W says I'm a good guy".  The
recipient then responds with a port number specific to (originator,
time, etc.)

  It would be a while to set up, but no less work than the ongoing
slog of content filtering email, and coordinating the reporting of
abuse.  But because content filtering is the "status quo", people are
unwilling to change to another system, until the current one
collapses.

  Alan DeKok.
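The (src IP, HELO/EHLO, time) triplet Alan mentions above, worked through as greylisting logic, as an added example that is not part of the original message and not code from any ASRG participant. It keys the greylist on (source IP, HELO name) and uses time as state: the first attempt is tempfailed, a retry inside an assumed window is accepted, and keys that never come back are listed as candidates for an abuse report. The retry window, the whitelist period and the connection attempts fed in are all constructed assumptions for illustration.

```python
"""Greylisting keyed on (source IP, HELO/EHLO name), with time as state.

Added illustration; thresholds and sample traffic are assumptions, not
values from the ASRG discussion.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy: a legitimate MTA retries after a few minutes; a retry
# sooner than this is still tempfailed, and a "retry" hours later is
# treated as a fresh first attempt rather than a continuation.
MIN_RETRY_SECONDS = 5 * 60
MAX_RETRY_SECONDS = 4 * 60 * 60

Key = Tuple[str, str]  # (source IP, lower-cased HELO/EHLO name)


@dataclass
class Entry:
    first_seen: float                 # time of the first (tempfailed) attempt
    accepted_at: Optional[float] = None  # set once a well-timed retry arrives


class Greylister:
    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    def decide(self, src_ip: str, helo: str, now: float) -> str:
        """Return 'TEMPFAIL' (4xx) or 'ACCEPT' for one connection attempt."""
        key: Key = (src_ip, helo.lower())
        entry = self.table.get(key)
        if entry is None:
            # Never seen: record it and ask the sender to come back later.
            self.table[key] = Entry(first_seen=now)
            return "TEMPFAIL"
        if entry.accepted_at is not None:
            # Already proved it retries like a real MTA.
            return "ACCEPT"
        age = now - entry.first_seen
        if age < MIN_RETRY_SECONDS:
            # Retrying too eagerly (or re-spewing): keep tempfailing.
            return "TEMPFAIL"
        if age > MAX_RETRY_SECONDS:
            # Too late to count as a retry of the earlier attempt; start over.
            entry.first_seen = now
            return "TEMPFAIL"
        entry.accepted_at = now
        return "ACCEPT"

    def never_retried(self, now: float, min_age: float = MAX_RETRY_SECONDS) -> List[Key]:
        """Keys that were tempfailed once and never came back inside the window.

        A host that opens a connection, gets a 4xx and never retries behaves
        like abused relay/proxy software, not like a queueing MTA, so these
        are the (IP, HELO, time) records worth reporting.
        """
        return sorted(
            key for key, entry in self.table.items()
            if entry.accepted_at is None and now - entry.first_seen > min_age
        )


# Constructed sample traffic: (time in seconds, source IP, HELO name).
# 192.0.2.10 behaves like a real MTA and retries after 15 minutes;
# 198.51.100.7 fires two attempts with different HELOs and never retries.
SAMPLE_ATTEMPTS = [
    (0, "192.0.2.10", "mail.example.net"),
    (60, "192.0.2.10", "mail.example.net"),
    (0, "198.51.100.7", "friend"),
    (10, "198.51.100.7", "friend2"),
    (900, "192.0.2.10", "MAIL.EXAMPLE.NET"),
    (5000, "192.0.2.10", "mail.example.net"),
]


def run_sample(now: float = 20000) -> Tuple[List[str], List[Key]]:
    """Feed the constructed attempts through the greylister; return decisions and suspects."""
    gl = Greylister()
    decisions = [gl.decide(ip, helo, t) for t, ip, helo in SAMPLE_ATTEMPTS]
    return decisions, gl.never_retried(now)


if __name__ == "__main__":
    decisions, suspects = run_sample()
    for (t, ip, helo), d in zip(SAMPLE_ATTEMPTS, decisions):
        print(f"t={t:>5} {ip:<14} HELO={helo:<18} -> {d}")
    print("never retried (report candidates):", suspects)
```

The HELO name is lower-cased before keying so a retry that differs only in case still matches the earlier attempt; the report candidates carry exactly the three fields the message names, with no message content needed.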

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg