[mailop] Best practices: Categorizing domains without an abuse@ mailbox

Wed, 19 Feb 2020 01:50:10 -0800 

Hi  all,

Whenever an abusive message lands in our inboxes, some of us report it to the
relevant abuse team.  Large mailbox providers deploy <spam> buttons or folders
to automate such reporting.  Smaller ones often don't have such equipment, and
send reports manually, if at all.

Besides feedback loops, RFC 6650 provides for sending unsolicited abuse
reports.  The problem of where to send them is tackled like so:

   Deciding where to send an unsolicited report will typically rely on
   heuristics.  Abuse addresses in WHOIS [RFC3912] records of the IP
   address relaying the subject message and/or of the domain name found
   in the results of a PTR ("reverse lookup") query on that address are
   likely reasonable candidates, as is the abuse@domain role address
   (see [RFC2142]) of related domains.  Unsolicited reports SHOULD NOT
   be sent to email addresses that are not clearly intended to handle
   abuse reports.  Legitimate candidates include those found in WHOIS
   records or on a web site that either are explicitly described as an
   abuse contact or are of the form "abuse@domain".
               https://www.rfc-editor.org/rfc/rfc6650.html#section-5.3

Nowadays, abuse mailboxes by IP number can be automatically retrieved via RDAP,
and in most cases they work.

By-domain abuse mailboxes are more difficult.  Of course, it is inadvisable to
send complaints to abuse@domain if domain is not SPF- or DKIM- (or DNSWL-)
authenticated.  Then, there are (authenticated) domains who miss an abuse@ 
mailbox.

Since sending DMARC aggregate reports already implies saving some domain
information, it may make sense to also store whether an abuse mailbox for a
given domain exists.  So I'd put a few questions:


Is it a more or less common practice to store sending domain information?

If yes, is the existence of abuse@ part of that information?  Are domains
without such feature considered less trustworthy in general?  (I note that
providing fur an abuse@domain mailbox is not part of Hans-Martin' Ideas for
possible content for FAQ: "Best Practices for running a mail server".)

If yes, when is that datum determined:
   At domain insertion, via callout verification?
   On receiving a bounce from an attempt to send a complaint?
   Other?


Best
Ale
-- 


























_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Reply via email to