
RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

2012-05-07 23:20:36
-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org [mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Scott Kitterman
Sent: Monday, May 07, 2012 3:35 PM
To: ietf(_at_)ietf(_dot_)org
Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

My suggestion would be to change the last part of section three to
read:

   When any authentication failure report [AUTHFAILURE-REPORT] is generated
   that includes the "Source-IP" reporting field (see Section 3.1 of
   [AUTHFAILURE-REPORT]), this field MAY also be included.

Other than that, I think it's ready to go.

If all one is doing is figuring out why something like a DKIM signature failed 
on an otherwise legitimate message, then I agree the source port isn't a useful 
input to that work.  In fact, as far as DKIM goes, the source IP address is 
probably not useful either.

If, however, one is trying to track down the transmission of fraudulent email 
such as phishing attacks, source ports can be used to identify the perpetrator 
more precisely when compared to logs.  Support for this latter use case is why 
I believe RECOMMENDED is appropriate.

-MSK
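
The log comparison described in the reply above, as an added example that is not part of the original message: when several hosts share one public address, matching a report on Source-IP and time alone leaves several candidates, while adding Source-Port narrows it to one. The report fields, the NAT log layout and all addresses are constructed for illustration.

```python
from datetime import datetime, timedelta
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed message/feedback-report part of an ARF report.
REPORT = """\
Feedback-Type: auth-failure
User-Agent: ExampleReporter/1.0
Version: 1
Arrival-Date: Mon, 07 May 2012 15:35:02 +0000
Source-IP: 192.0.2.10
Source-Port: 40211
Auth-Failure: signature
"""

# Constructed NAT gateway log (assumed layout):
# timestamp, internal host, public IP, public source port
NAT_LOG = """\
2012-05-07T15:34:58Z 10.0.0.17 192.0.2.10 40198
2012-05-07T15:35:00Z 10.0.0.42 192.0.2.10 40211
2012-05-07T15:35:01Z 10.0.0.23 192.0.2.10 40230
2012-05-07T15:35:03Z 10.0.0.42 198.51.100.7 40211
"""

def parse_report(text):
    """Extract the fields needed for correlation; Source-Port is optional."""
    fields = HeaderParser().parsestr(text)
    port = fields.get("Source-Port")
    return {
        "ip": fields["Source-IP"].strip(),
        "port": int(port) if port is not None else None,
        "when": parsedate_to_datetime(fields["Arrival-Date"]),
    }

def candidates(report, log_text, window=timedelta(seconds=30), use_port=True):
    """Return internal hosts whose NAT mappings match the report."""
    hits = set()
    for line in log_text.splitlines():
        ts, inside, pub_ip, pub_port = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if pub_ip != report["ip"] or abs(when - report["when"]) > window:
            continue
        # Without a port in the report, every host behind the IP stays a candidate.
        if use_port and report["port"] is not None and int(pub_port) != report["port"]:
            continue
        hits.add(inside)
    return sorted(hits)
```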