ietf-asrg

Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M

2010-02-08 08:50:31


--On 8 February 2010 14:33:54 +0100 "Peter J. Holzer" <hjp-asrg(_at_)hjp(_dot_)at> wrote:

On 2010-02-08 12:00:43 +0000, Ian Eiloart wrote:


--On 6 February 2010 15:38:04 -0500 John R Levine <johnl(_at_)iecc(_dot_)com> 
wrote:


I really don't understand all the resistance to a header applied by the
MDA.  Yes, this will require a one-time change to the MDA, but you get a
much more solid system that doesn't fail in mysterious ways when people
have legitimate mail setups that happen to differ from the one the
designer anticipated.  It's not unlike the advantage of DKIM over SPF.

If I see a message that I think is spam, and it carries a
"report-abuse-to" header, how do I know that the header was added by the
MDA and not by the spammer?

In general you don't. But I don't see that as a particularly bad
problem: The worst a spammer can do is a DDoS attack on a small ESP by
adding a Report-Abuse-To header with the abuse address of that ESP.
That doesn't seem much worse to me than what they can already do by
simply using that address in the sender (which will cause bounces and
complaints to be sent to that address).

Except that that doesn't happen much these days. The number of bounces that I see into my domain is very small compared with even a year ago. What you're suggesting here would revive that problem in a new form.

Given that most domains won't immediately deploy this mechanism, my guess is that the amount of abuse will exceed the amount of use. I'll be hoping that clients won't deploy the mechanism at all.

Administrators will simply advise people to NOT use the junk mail button for exactly the same reasons that we advise people NOT to reply to spam.

In fact, my first action will probably be to configure my mail server to remove the abuse-report header on inbound, outbound, and forwarded email. Will I add an abuse-report header of my own? Probably not, because that'll mean (currently) creating a new email domain to collect the reports, trying to work out a way of filtering the reports from the spam that reaches the same address. And then doing something with the reports.

Probably I won't accept reports on my MX server - there won't be an MX record for the domain for that reason. I might permit my SUBMIT server to deliver the messages somewhere. But, really, I'd rather the MUA just set a junk flag on the imap server.



If there is a Report-Abuse-To header, I would suggest that it is handled
like this:

A Report-Abuse-To header may be added by any MTA or MDA.

    Rationale: This allows ESPs (especially big freemail providers like
    gmail, yahoo, gmx) to tag outgoing mails with an abuse address.

Any MTA or MDA which adds Report-Abuse-To header MUST prepend it to the
message (just like a Received header).

    Rationale: This provides ordering among Report-Abuse-To headers:
    The first one is the newest and it was added by the MTA which added
    the Received header immediately after it:

        Received: by A from B
        Report-Abuse-To: X
        Received: by B from C
        Received: by C from D
        Report-Abuse-To: Y
        Received: by D

    Assuming that none of the lines was faked, Report-Abuse-To: X was
    added by B, and Report-Abuse-To: Y was added by D. Anything outside
    your MX is suspect (for example C may be a spammer) but may still be
    useful.

A MUA SHOULD send an abuse report to the address of the first
Report-Abuse-To header it finds.

    Rationale: This is the one which was added last, i.e., closest to
    the recipient - it is therefore most likely to be relevant and least
    likely to be failed.

A MUA MAY do some plausibility checks and warn against sending the
report.

    Rationale: The Report-Abuse-To header may be faked. Analysis of the
    Received headers may be able to detect the fake, but this is tricky
    and error-prone, so the result of this analysis should only be
    offered as advice.

If there is more than one Report-Abuse-To header, the MUA MAY offer to
send a report to each of them.

    Rationale: If an ESP adds Report-Abuse-To to their outgoing mail,
    they obviously want to be notified about abuse and they can even do
    something about it (e.g., terminate the spammer's account). OTOH,
    you don't know who added the header, so this should also be
    viewed with some suspicion.

A report handling agent may forward the report if it finds an "upstream"
Report-Abuse-To header.

    Rationale: As above. The report handling agent may have better
    information about the legitimacy of upstream Report-Abuse-To headers
    than the MUA (or user).

It may be possible to use DKIM (or something similar) to prevent forged
Report-Abuse-To headers, but I haven't thought about this yet.

        hp



--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
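
The prepend rule and the advisory plausibility check proposed in the message above, worked through as an added example that is not part of the original thread. Report-Abuse-To is the header proposed in this discussion; the function names, the `trusted_hosts` set (the recipient's own MTA/MDA names) and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the header order used in the message above.
SAMPLE = "\n".join([
    "Received: by A from B", "Report-Abuse-To: X", "Received: by B from C",
    "Received: by C from D", "Report-Abuse-To: Y", "Received: by D",
    "Subject: constructed sample", "", "body"])

BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

def by_host(value):
    """Host named in the 'by' clause of a Received header, or None."""
    m = BY_HOST.search(value)
    return m.group(1).rstrip(";") if m else None

def attribute_report_headers(raw):
    """Return [(address, adding_host)], newest first. Under the prepend rule
    the adder is the 'by' host of the Received header immediately after."""
    items = message_from_string(raw).items()
    out = []
    for i, (name, value) in enumerate(items):
        if name.lower() != "report-abuse-to":
            continue
        nxt = items[i + 1] if i + 1 < len(items) else ("", "")
        adder = by_host(nxt[1]) if nxt[0].lower() == "received" else None
        out.append((value.strip(), adder))
    return out

def choose_report_target(raw, trusted_hosts):
    """First Report-Abuse-To address plus an advisory plausibility flag.

    Plausible: the adding host and every Received 'by' host above the
    header are in trusted_hosts. Headers below that point can be forged.
    """
    attributed = attribute_report_headers(raw)
    if not attributed:
        return None, False
    address, adder = attributed[0]
    above = []
    for name, value in message_from_string(raw).items():
        if name.lower() == "report-abuse-to":
            break
        if name.lower() == "received":
            above.append(by_host(value))
    plausible = adder in trusted_hosts and all(h in trusted_hosts for h in above)
    return address, plausible
```

A `False` flag is the case where a MUA would warn before sending the report, for instance when the only Report-Abuse-To header sits below the recipient's own Received lines and so could have been supplied by the sender.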
