On Mon, 2010-02-01 at 23:44 -0500, Chris Lewis wrote:
Bart Schaefer wrote:
On Feb 1, 9:11am, Steve Atkins wrote:
}
} On Feb 1, 2010, at 8:57 AM, Ian Eiloart wrote:
}
} > Does ARF allow richer expression than ANNOTATE?
}
} Probably - it's basically a container format.
}
} More importantly, perhaps, it would be easy to roll out on existing
} installations with a trivial configuration change, rather than
} requiring functionality in the mailstore that may not be there.
Anything that's going to be added as metadata to the message header
needs to be carefully specified so that a client that understands the
format can reside behind a server that does not. E.g., depending on
where this metadata is added, one option might be to require a DKIM
signature to cover it.
Consider the following off-the-cuff implementation possibility:
A header that has:
Name of server (or administrative unit (domain)) inserting the header.
What to send in report:
ARF copy, or forward or selected header[s] or?
How to send report:
email (including address), or some other protocol and
destination.
I think thinking of a non-mail protocol to send abuse reports is an
excellent idea.
Sending ARF's via email need not be the only option. Why not use the
header
eg X-Abuse-to: <http://mailserver.isp.com/cgi-bin/fbl>
<mailto:feedbackloop(_at_)isp(_dot_)com>
Obvioulsy the MUA must verify if the mail is authenticated , DKIM seems
a good way to do this.
Sending abuse reports via http (POST?) should be standardized.
If http is not available ( possibly some corporates block http access )
then you can fallback to email.
The MUA must also have proper time outs so as to cut-off malicious fbl
urls
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg