>> If we do, I think this warrants text in Security Considerations >> acknowledging the attacks this enables, and talking about why we >> think that’s okay.
I have to say I don't think it's OK either. This sort of thing is only worth standardizing if we think people are likely to use it, and if they're likely to use it, the reverse DDoS attack is an obvious one. The simplest fix would be to require that the reporting address is in the same domain. If someone has so little control over their domain that they can't set up an abuse address, I have limited sympathy. R's, John _______________________________________________ marf mailing list [email protected] https://www.ietf.org/mailman/listinfo/marf
