On 24/07/2011 23:53, Murray S. Kucherawy wrote:
<co-chair>
Barry and I received the following feedback about the ARF base document from
someone who does not wish to join the mailing list and does not wish to
participate in the working group directly. We've agreed to forward these
comments to the working group for its consideration, but also agree that one
person's concerns (especially when that person doesn't want to do the work of
advancing them through the working group) are not sufficient to spin up an
update effort.
So, if the working group wants to do something with some or all of this
material, great, we can talk about starting that effort. If not, then that's
fine too.
Some of this stuff also applies to a couple of our open documents, so the
various authors (JD mostly, I think) could consider them there.
</co-chair>
<participant>
As far as the base stuff goes, some of this stuff looks reasonable, but none of it looks
critical to me. Thus, if there's no critical mass to create an RFC5965bis effort, they
could just be logged as errata or something like that so they fall in the "deal with
this someday" bucket.
</participant>
<feedback>
I am just working through the most recent version to update our filters to
use the latest proposal, and am in the process of also converting our virus
reporting to the ARF. In that process I found a number of concerns with ARF
and aborted that conversion:
1) I consider it extremely rude and dangerous to transmit malware across the
Internet even in the form of an ARF, apart from the fact that virus filters
at the ISP level and/or the recipient's level may well catch the malware,
create a report of that malware (thus creating a loop), and at the same time
firewall the offending IP (our mail server). Hence the proposal to return the
complete message in case of reporting a virus is a very bad idea. Instead,
only the header of the offending message should be returned.
The proposal should therefore prohibit the return of the full message in case
of feedback type virus and instead require the return of the mail header
only.
This also requires changing the content type of the last ARF section from
message/RFC822 to text/RFC822-Headers (or whatever else is deemed suitable).
2) Because with just returning the header the recipient is no longer able to
determine which malware was being sent, an according reporting field is
needed in the ARF. I'd propose to use:
Reported-Description:
or
Reported-Malware:
the first of which can be used not only for virus reporting, but should be
required for feedback type virus and should contain the full name of the
virus as reported by the virus scanner.
IMHO this is too simplistic...
The above makes sense for vendor names such as Foobarv1.2
but I would add an optional
Reported-CVE-Id: 2010 0042
with the CVE numbers for any known infections separated by commas.
This should be in the format used by http://cve.mitre.org/
Jacqui
_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
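The report shape proposed in this thread, as an added example that is not part of the original messages or of RFC 5965: a multipart/report whose third part is text/rfc822-headers, so the infected body never leaves the reporting site. Reported-Malware and Reported-CVE-Id are the fields proposed above, not registered ARF fields; the addresses, User-Agent string, sample message and function names are assumptions.

```python
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Constructed sample of an infected message; the body marker stands in for malware.
SAMPLE = (
    "Received: from mail.example.net (192.0.2.10) by mx.example.com\n"
    "From: sender@example.net\n"
    "To: user@example.com\n"
    "Subject: invoice\n"
    "\n"
    "CONSTRUCTED-PAYLOAD-MARKER\n"
)

def headers_only(raw_message):
    """Keep the header block only (everything before the first blank line)."""
    head, _, _ = raw_message.replace("\r\n", "\n").partition("\n\n")
    return head + "\n"

def build_virus_report(raw_message, source_ip, malware_name, cve_ids=()):
    fields = [("Feedback-Type", "virus"), ("User-Agent", "ExampleReporter/0.1"),
              ("Version", "1"), ("Source-IP", source_ip),
              # Field names below are the thread's proposals, not RFC 5965 fields.
              ("Reported-Malware", malware_name)]
    if cve_ids:
        fields.append(("Reported-CVE-Id", ", ".join(cve_ids)))
    # Scanner output is untrusted: refuse values that would inject extra fields.
    if any(c in v for _, v in fields for c in "\r\n"):
        raise ValueError("CR/LF in report field value")

    report = MIMEMultipart("report", **{"report-type": "feedback-report"})
    report["From"] = "abuse-reports@example.com"  # assumed addresses
    report["To"] = "abuse@example.net"
    report["Subject"] = "Abuse report: virus"
    # Part 1: human-readable explanation.
    report.attach(MIMEText("This is an abuse report for a message that carried "
                           "malware. Only its headers are attached.\n"))
    # Part 2: machine-readable report fields.
    machine = MIMENonMultipart("message", "feedback-report")
    machine.set_payload("".join(f"{k}: {v}\n" for k, v in fields))
    report.attach(machine)
    # Part 3: headers of the offending message instead of message/rfc822.
    report.attach(MIMEText(headers_only(raw_message), "rfc822-headers"))
    return report

if __name__ == "__main__":
    print(build_virus_report(SAMPLE, "192.0.2.10", "Foobarv1.2", ["2010 0042"]).as_string())
```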