der Mouse <mouse(_at_)Rodents-Montreal(_dot_)ORG> wrote:

>> 4) there _could_ be value in an automated way to tell Earthlink
>> about abuse;
>> 5) any use of <abuse(_at_)earthlink(_dot_)com> cannot serve that purpose;
>
> Why not? I can't think why an "automated way" such as (4) mentions
> couldn't be carried on top of email to abuse(_at_)earthlink(_dot_)com(_dot_)
>
>> 1) <abuse(_at_)anywhere> is spammed too heavily
>> 2) <abuse(_at_)earthlink> necessarily has earthlink-specific processing
>
> Neither is relevant, I believe.
> (1) is irrelevant because random spam will not fit the format of these
> automated reports;

Only true for _some_ formats...

> if spamming fake reports becomes attractive enough for it to be a
> problem,

That's not the point, really: even without _any_ email intending
to fool the report parser, the <abuse@> account would have to parse an
arbitrarily large amount of junk looking for things which _intend_
to be a report. I don't know what Earthlink's daily load of <abuse>
email is, but I wouldn't be surprised if it exceeded 1,000,000.

> whatever other mechanism carries them will have exactly the same
> problem.

Not "exactly", unless the design is foolish. It could, for example,
include a registration mechanism allowing packet filtering to regulate
the load...

> (If the reports are crypto-signed to deal with report forgery, this
> can be done over email just as much as it can over some other channel.)

There are other methods to deal with forgery; and crypto-signing
to validate email is a heavier load even than crypto-signing of most
other protocols.

> (2) is necessarily true, since any abuse-report-recipient must
> necessarily be doing some kind of recipient-specific processing.
> But it's also irrelevant; there's no reason emailed automated
> reports can't be shipped off to whatever processing the putative
> other transport performs, rather than going into the main abuse@
> queue.

If we were only ever implementing _one_ pairing of ISPs, this
is true enough. But for this to be useful to Earthlink, they must
be able to receive reports from more than one ISP.

OTOH, for this to be useful to World, they need to be able to
report to more than one origin ISP. Does Earthlink define the format,
or does World?

>> For a reporting procedure to be practical, we need to avoid the
>> N * M problem.
>
> I don't see why carrying them over email produces an N*M problem
> in any way that any other transport doesn't - that is, I don't
> think this (regardless of how true or false it is) has anything
> to do with using mail to abuse@ as the transport.

The N * M problem is much the same with or without email being
the transport, true; but there are rather too many ISPs that decline
all <abort(_at_)domain> email. I see no reason to add "solving" that
issue to the task...

But there's another issue entirely that makes <abuse(_at_)domain>
the wrong tool -- the Dictionary Attack comes from IP addresses,
not domains.

--
John Leslie <john(_at_)jlc(_dot_)net>