RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

2012-05-08 22:14:41
-----Original Message-----
From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of Scott Kitterman
Sent: Tuesday, May 08, 2012 7:05 PM
To: ietf@ietf.org
Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

In the absence of that capability, isn't it better to give the
investigating user as much information as possible to use in
correlation of logs and such?

Personally, in the forensic work I've done I've found things like mail
queue IDs a lot more important than source port.  There is lots of
information that would be useful for an investigation.  On this basis,
I could see MAY include source port on auth failure reports, but I
think making it RECOMMENDED on the basis of it may be useful is
justified.

If a spam bot connects to your MTA and sends a message in, the only queue ID
you have is the one your own MTA generated.  How will that be useful in tracing
the spam back to the very machine that generated it?

RFC6302 talks about why this is important a lot more than this document does.

-MSK
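To make the tracing point concrete, here is an added example (not from the draft or from either poster) that correlates the Source-IP, Source-Port and Arrival-Date of a constructed ARF report with a constructed NAT mapping log for a shared public address: with the IP and time alone the report matches several internal hosts, with the port it matches one. The field name Source-Port is assumed to be the one the draft defines, and the NAT log format is hypothetical.

```python
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed ARF feedback report (machine-readable part only).
# Source-Port is assumed to be the field name the draft defines.
ARF_REPORT = """\
Feedback-Type: abuse
User-Agent: ExampleReporter/1.0
Version: 1
Source-IP: 192.0.2.1
Source-Port: 51823
Arrival-Date: Tue, 08 May 2012 12:00:00 +0000
Reported-Domain: example.net
"""

# Constructed, hypothetical NAT mapping log for the shared address 192.0.2.1:
# (public_ip, public_port, internal_host, mapping_start, mapping_end).
NAT_LOG = [
    ("192.0.2.1", 51823, "10.1.0.7", "2012-05-08T11:59:30+00:00", "2012-05-08T12:02:00+00:00"),
    ("192.0.2.1", 40210, "10.1.0.9", "2012-05-08T11:58:00+00:00", "2012-05-08T12:10:00+00:00"),
    ("192.0.2.1", 51823, "10.1.0.3", "2012-05-08T09:00:00+00:00", "2012-05-08T09:05:00+00:00"),
]


def parse_report(text):
    """Pull the fields an investigator needs out of the ARF report block."""
    msg = message_from_string(text)
    return {
        "ip": msg["Source-IP"],
        "port": int(msg["Source-Port"]) if msg["Source-Port"] else None,
        "when": parsedate_to_datetime(msg["Arrival-Date"]),
    }


def candidates(report, nat_log):
    """Internal hosts whose mapping covers the report time; narrowed by port when present."""
    hits = []
    for pub_ip, pub_port, host, start, end in nat_log:
        if pub_ip != report["ip"]:
            continue
        if report["port"] is not None and pub_port != report["port"]:
            continue
        if datetime.fromisoformat(start) <= report["when"] <= datetime.fromisoformat(end):
            hits.append(host)
    return hits


if __name__ == "__main__":
    rep = parse_report(ARF_REPORT)
    print("IP+port :", candidates(rep, NAT_LOG))          # one host
    print("IP only :", candidates(dict(rep, port=None), NAT_LOG))  # ambiguous
```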