On Thu, Jan 15, 2009 at 06:39:54PM -0500, Seth wrote:
It would be better to create a new protocol for the ARF responses
(even if it's just email on a new port, though I'd include some
extensions to allow for "Report of virus emitter on <IP>" "I already
know" "QUIT")
This is a good point (as are others you made, which I've elided).
But I'll argue that before we set about the difficult work of inventing
and implementing another protocol, we should use the ones we have.
SMTP rejects of malware-laden mail messages are one way of signalling
emitters that they have problem, without allowing the problem to cause
the external system to generate more outbound traffic. Should we be
doing HTTP rejects? FTP rejects? And so on?
And if we do, what are the benefits and risks? Can we make the FP rate
low enough that we don't end up creating a secondary problem that's worse
the one we're trying to solve? Can we avoid attempts to game the system
and thus conduct DoS-by-proxy attacks? And so on.
---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg