[Asrg] ARF traffic, was Spam button scenarios

Alessandro Vesely <vesely@tana.it> Tue, 09 February 2010 16:31 UTC

On 09/Feb/10 16:11, Ian Eiloart wrote:
> The user retrieves a message from our mailstore, and attempts to use an
> address in our domain to report it to us, but submitted through a third
> party MSA. We'll simply reject the message on the basis that we don't
> permit such traffic onto our MX servers. We won't even look at the
> message body.

There's a whole theory of other ARF messages that may arrive at a 
domain's abuse@ mailbox. A domain's user, or someone writing to a 
forwarded address of that domain, writes a message that is reported as 
spam, either correctly or by mistake. As part of an FBL or other 
trust-chain, the message comes back wrapped in an ARF report at the 
apparently originating domain.

The mailbox is abuse@domain in both cases. Although it may seem 
desirable to have different addresses for incoming and outgoing 
reports, I doubt such distinction will ever be effective. Indeed, the 
forwarded case is ambiguous.

A mail domain worth its salt should be able to recognize if the 
original message had been mailed out from its premises, and who is its 
blamed author or sender. Policies spell out sequent actions.
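
One way a domain could do the recognition described above, as an added example that is not part of the original message: parse the ARF report (`multipart/report; report-type=feedback-report`), take the wrapped original, and look for a `Received` hop stamped by one of the domain's own servers. The host names, the queue id and the `(AUTH: ...)` comment layout are assumptions, and the sample report is constructed.

```python
import email.policy
import re

BY_RE = re.compile(r"\bby\s+(\S+)")           # host that stamped this Received hop
ID_RE = re.compile(r"\bid\s+([\w.]+)")        # queue id, to confirm in MTA logs
AUTH_RE = re.compile(r"\(AUTH:\s*([^,)]+)")   # auth comment (layout is MTA-specific)

# Constructed ARF report: hosts, addresses and ids are made up for this example.
SAMPLE_ARF = """From: fbl@receiver.example
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Abuse report for a message received from example.org.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1

--b1
Content-Type: message/rfc822

Received: from wmail.example.org by mx.receiver.example with ESMTP; 9 Feb 2010 17:40:00 +0100
Received: from [198.51.100.7] (AUTH: CRAM-MD5 alice) by wmail.example.org
 with ESMTPSA; Tue, 09 Feb 2010 17:32:42 +0100 id 5DC038.4B718E2A
From: Alice <alice@example.org>

--b1--
"""

def triage_arf(raw, our_hosts):
    """Return the feedback type and the Received hop stamped by one of our hosts."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    if msg.get_param("report-type") != "feedback-report":
        return None  # not an ARF report
    out = {"feedback_type": None, "ours": False, "qid": None, "auth": None}
    for part in msg.iter_parts():
        if part.get_content_type() == "message/feedback-report":
            out["feedback_type"] = part.get_payload(0)["Feedback-Type"]
        elif part.get_content_type() == "message/rfc822":
            for rcvd in part.get_payload(0).get_all("Received", []):
                by = BY_RE.search(rcvd)
                if by and by.group(1).lower() in our_hosts:  # earliest of our hops wins
                    q, a = ID_RE.search(rcvd), AUTH_RE.search(rcvd)
                    out.update(ours=True, qid=q and q[1], auth=a and a[1].strip())
    return out
```

A `Received` line can be forged, so a match is only a lead: the queue id is checked against the MTA's own logs before the report is attributed to a user.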