Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M
2010-02-08 08:50:31
--On 8 February 2010 14:33:54 +0100 "Peter J. Holzer" <hjp-asrg(_at_)hjp(_dot_)at>
wrote:
On 2010-02-08 12:00:43 +0000, Ian Eiloart wrote:
--On 6 February 2010 15:38:04 -0500 John R Levine <johnl(_at_)iecc(_dot_)com>
wrote:
I really don't understand all the resistance to a header applied by the
MDA. Yes, this will require a one-time change to the MDA, but you get a
much more solid system that doesn't fail in mysterious ways when people
have legitimate mail setups that happen to differ from the one the
designer anticipated. It's not unlike the advantage of DKIM over SPF.
If I see a message that I think is spam, and it carries a
"report-abuse-to" header, how do I know that the header was added by the
MDA and not by the spammer?
In general you don't. But I don't see that as a particularly bad
problem: The worst a spammer can do is a DDoS attack on a small ESP by
adding a Report-Abuse-To header with the abuse address of that ESP.
That doesn't seem much worse to me than what they can already do by
simply using that address in the sender (which will cause bounces and
complaints to be sent to that address).
Except that that doesn't happen much these days. The number of bounces that
I see into my domain is very small compared with even a year ago. What
you're suggesting here would revive that problem in a new form.
Given that most domains won't immediately deploy this mechanism, my guess
is that the amount of abuse will exceed the amount of use. I'll be hoping
that clients won't deploy the mechanism at all.
Administrators will simply advise people to NOT use the junk mail button
for exactly the same reasons that we advise people NOT to reply to spam.
In fact, my first action will probably be to configure my mail server to
remove the abuse-report header on inbound, outbound, and forwarded email.
Will I add an abuse-report header of my own? Probably not, because that'll
mean (currently) creating a new email domain to collect the reports, trying
to work out a way of filtering the reports from the spam that reaches the
same address. And then doing something with the reports.
Probably I won't accept reports on my MX server - there won't be an MX
record for the domain for that reason. I might permit my SUBMIT server to
deliver the messages somewhere. But, really, I'd rather the MUA just set a
junk flag on the imap server.
If there is a Report-Abuse-To header, I would suggest that it is handled
like this:
A Report-Abuse-To header may be added by any MTA or MDA.
Rationale: This allows ESPs (especially big freemail providers like
gmail, yahoo, gmx) to tag outgoing mails with an abuse address.
Any MTA or MDA which adds Report-Abuse-To header MUST prepend it to the
message (just like a Received header).
Rationale: This provides ordering among Report-Abuse-To headers:
The first one is the newest and it was added by the MTA which added
the Received header immediately after it:
Received: by A from B
Report-Abuse-To: X
Received: by B from C
Received: by C from D
Report-Abuse-To: Y
Received: by D
Assuming that none of the lines was faked, Report-Abuse-To: X was
added by B, and Report-Abuse-To: Y was added by D. Anything outside
your MX is suspect (for example C may be a spammer) but may still be
useful.
A MUA SHOULD send an abuse report to the address of the first
Report-Abuse-To header it finds.
Rationale: This is the one which was added last, i.e., closest to
the recipient - it is therefore most likely to be relevant and least
likely to be failed.
A MUA MAY do some plausibility checks and warn against sending the
report.
Rationale: The Report-Abuse-To header may be faked. Analysis of the
Received headers may be able to detect the fake, but this is tricky
and error-prone, so the result of this analysis should only be
offered as advice.
If there is more than one Report-Abuse-To header, the MUA MAY offer to
send a report to each of them.
Rationale: If an ESP adds Report-Abuse-To to their outgoing mail,
they obviously want to be notified about abuse and they can even do
something about it (e.g., terminate the spammer's account). OTOH,
you don't know who added the the header, so this should also be
viewed with some suspicion.
A report handling agent may forward the report if it finds an "upstream"
Report-Abuse-To header.
Rationale: As above. The report handling agent may have better
information about the legitimacy of upstream Report-Abuse-To headers
than the MUA (or user).
It may be possible to use DKIM (or something similar) to prevent forged
Report-Abuse-To headers, but I haven't thought about this yet.
hp
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: [Asrg] We don't need no stinkin IMAP or POP, was Adding a spam button to MUAs, (continued)
- Re: [Asrg] We don't need no stinkin IMAP or POP, was Adding a spam button to MUAs, Chris Lewis
- Re: [Asrg] We don't need no stinkin IMAP or POP, was Adding a spam button to MUAs, John Levine
- Re: [Asrg] We don't need no stinkin IMAP or POP, was Adding a spam button to MUAs, Dave CROCKER
- Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M, John R Levine
- Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M, Dave CROCKER
- Re: [Asrg] We really don't need no stinkin, was MUA spam button, John R. Levine
- Re: [Asrg] We really don't need no stinkin, was MUA spam button, Dave CROCKER
- Re: [Asrg] More reasons you can't overload POP and IMAP server names, John Levine
- Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M, Ian Eiloart
- Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M, Peter J. Holzer
- Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M,
Ian Eiloart <=
- Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M, John Levine
- Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M, Ian Eiloart
- Re: [Asrg] We really don't need no stinkin IMAP or POP foram button to M, Bart Schaefer
- Re: [Asrg] who gets the report, was We really don't need, John Levine
- Re: [Asrg] who gets the report, was We really don't need, Seth
- Re: [Asrg] who gets the report, was We really don't need, Alessandro Vesely
- [Asrg] RFC5451 Re: who gets the report, was We really don't need, Chris Lewis
- Re: [Asrg] RFC5451 Re: who gets the report, was We really don't need, Murray S. Kucherawy
- Re: [Asrg] RFC5451 Re: who gets the report, was We really don't need, Chris Lewis
- Re: [Asrg] RFC5451 Re: who gets the report, was We really don't need, Murray S. Kucherawy
|
|
|