ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] ARF traffic, was Spam button scenarios

2010-02-10 03:38:38
from [Alessandro Vesely] [Permanent Link] 
On 09/Feb/10 20:25, Steve Atkins wrote:

You (and others) are obsessing about the MIME format of inbound email, which is 
something of a scarlet fish.

What you need to be able to identify is who sent it to you, for what purpose, 
under what agreement and what you need to do with the data in it.
Correct. I just implied that the "To" header field may not be the most convenient data item for identifying the processing that a report deserves. IMHO, until we have a handful of FBLs it may be a good practice to cleverly partition each one using different addresses as labels. However, if they become several dozens, we'd probably better off classifying them by type rather than by agreement.
Let me try and fantasize about possible actions our handler may take, besides assessing filters and adjusting reputations, which are always possible.
Stratum 0 reports come from TiS buttons. We feed FBLs, including our internal FBL --i.e. check if we host the sender.
Stratum 1 reports come from subscribed FBLs. We check whether the original message had been sent through our MSA, in this case we apply relevant policies. However, we might have just forwarded the original message, or be anyhow involved in some trust chain. We can drop those reports, or we can generate stratum 2 ones.
It seems that in any case we should check whether our MSAs can be blamed for the original message. In case, we apply policies; that is, we implicitly acknowledge the report. IMHO, it may be worth to provide for error checking here, unless there is an overwhelming number of unanimous reports: if the author appeals claiming that the TiS button had been pushed by mistake, and her reputation is good, possibly ask the recipient(s) to double check it. Only when sender and recipient(s) (definitively) disagree, the relevant abuse teams will have to manually inspect the original message (and punish the guilty.)
If our MSAs are not responsible for having injected the original message into the mail system, we should check if we have a trust relationship leading to the Reported-Domain. Perhaps it is convenient to use the stratum data, or other agreement characteristics, as weights for finding a minimum spanning tree. At any rate, the problem of reaching a trusted domain through a trust chain can be stated independently of how trust relationships are established.
If the Reported-Domain is not trusted, the report should be delivered to the relevant connection provider, à la Abusix. It is an isolated MTA or a bot. 
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] RFC5451 Re: who gets the report, was We really don't need, Alessandro Vesely
Next by Date:  Re: [Asrg] ARF traffic, was Spam button scenarios, Alessandro Vesely
Previous by Thread:  Re: [Asrg] ARF traffic, was Spam button scenarios, Steve Atkins
Next by Thread:  Re: [Asrg] ARF traffic, was Spam button scenarios, Chris Lewis
Indexes:  [Date] [Thread] [Top] [All Lists]