On 11/Sep/11 07:25, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: ietf.org On Behalf Of SM
>> Sent: Saturday, September 10, 2011 3:31 PM
>> To: [email protected]
>> Subject: Re: [marf] Revisiting reporting addresses
>> 
>> At 10:12 10-09-2011, John Levine wrote:
>>> The simplest fix would be to require that the reporting address is in
>>> the same domain.  If someone has so little control over their domain
>> 
>> A similar problem was discussed a few years back and that was the
>> conclusion.
> 
> The DKIM reporting document has been updated accordingly.
> (Fortunately, I didn't have to change my implementation at all,
> since it already truncated at the "@" if any was found.)

IMHO, that -03 change makes perfect sense for dkim-reporting, since
we can assume the feedback generator is willing to report a technical
shortcoming to whoever is applying those signatures.

For /abuse/ reporting, however, the domain-part of the discovered
address could make a difference when a feedback generator is about to
choose among this and, say, abuse POCs found in whois databases.  If
the discovered domain is well known, feedback generators may trust it.
Hence, allowing for a different domain makes sense in this case, and
could open up new avenues of abuse reporting practices.  Consider

  _report.myunknowndomain.name. TXT "[email protected]"

Confirming that the original domain has indeed outsourced abuse
reporting to a renowned organization is similar to vouching for that
domain, but limited to abuse reporting.  Also the syntax can be
similar to VBR's:

  myunknowndomain.name._report.abuse.net. TXT "[email protected]"

_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
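
The two-sided lookup sketched in the message above, as an added example that is not part of the original post or of any MARF draft: a feedback generator accepts a same-domain reporting address directly and accepts a different-domain one only when the reporting organization publishes the VBR-style confirmation record. The address local-parts, the `.example` domains, the in-memory `ZONE` table standing in for DNS, and the rule that the confirmation TXT repeats the same address are all assumptions.

```python
# Constructed TXT data standing in for real DNS answers (assumption).
# Owner names follow the two record shapes shown in the message.
ZONE = {
    "_report.myunknowndomain.name.": ["reports@abuse.net"],
    "myunknowndomain.name._report.abuse.net.": ["reports@abuse.net"],
    "_report.samedomain.example.": ["postmaster@samedomain.example"],
    # Points at a third party that never confirmed the arrangement.
    "_report.unvouched.example.": ["reports@abuse.net"],
}


def txt_lookup(name):
    """Return the TXT strings for an owner name (empty list if none)."""
    return ZONE.get(name.lower(), [])


def split_address(addr):
    """Split local@domain; raise ValueError if either part is missing."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % addr)
    return local, domain.lower().rstrip(".")


def resolve_reporting_address(domain):
    """Return (address, status) for abuse reports about `domain`.

    status is one of: same-domain, confirmed, unconfirmed,
    malformed, no-record. address is None unless it may be used.
    """
    domain = domain.lower().rstrip(".")
    records = txt_lookup("_report.%s." % domain)
    if len(records) != 1:
        return None, "no-record"
    try:
        wanted = split_address(records[0])
    except ValueError:
        return None, "malformed"
    if wanted[1] == domain:
        return records[0], "same-domain"
    # Different domain: the reporting organization must vouch for it.
    for answer in txt_lookup("%s._report.%s." % (domain, wanted[1])):
        try:
            if split_address(answer) == wanted:
                return records[0], "confirmed"
        except ValueError:
            continue
    return None, "unconfirmed"
```

An `unconfirmed` result is the case where the generator should fall back to other sources, such as the whois abuse POCs mentioned in the message, rather than mail the discovered address.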
