> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Steve Atkins
> Sent: Monday, January 23, 2012 2:45 PM
> To: Message Abuse Report Format working group
> Subject: Re: [marf] draft-ietf-marf-as Section 5 Solicited and Unsolicited Reports
>
> It's all heuristics. However, ARIN and RIPE at least have some
> structure in their responses, including explicitly recorded abuse
> contacts. When they exist (which they usually do) that does give you an
> IP address to abuse address mapping - and while the contact is often
> too far up the delegation tree to be the right contact, it's seldom an
> actively bad contact:
>
> OrgAbuseHandle: ABUSE1036-ARIN
> OrgAbuseName: Abuse Department
> OrgAbusePhone: +1-510-580-4100
> OrgAbuseEmail: [email protected]
> OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE1036-ARIN

As long as there's some place we can point people to read a document that defines the syntax they use, I'm less apprehensive about doing so. Otherwise, saying "extract an abuse reporting address from this blob somehow" feels too heuristic to be in a standards document, IMO.

> >> If there is a PTR for that address, would an associated abuse address
> >> be a reasonable candidate for receiving feedback? If so, would it
> >> only be reasonable for FCrDNS?
> >
> > I don't think so. I don't think we want to start encouraging people
> > to try to find any domain to which to prepend "abuse@" to start sending
> > reports. DKIM is the exception, because a valid DKIM signature makes a
> > strong statement the likes of "Yes, we handled this message." A PTR
> > record, for example, does not.
>
> DKIM states that the owner of the d= hostname signed[1] the message.
> That could mean anything between them being the spammer, to them being
> the ISP of an end user with a compromised box. Whether that's an
> appropriate entity to contact requires applying some heuristics, and
> mapping that d= value to an appropriate email address requires some
> more.

True, but DKIM makes a stronger statement than any other identifier extracted directly from the message. That's why I hold it, and maybe a domain verified by SPF, as tolerable exceptions. Basically, I can't think of a case where it's actually inappropriate to try, though it certainly could be the case that it's pointless to try.

-MSK
