Re: [Asrg] ARF traffic, was Spam button scenarios

"Chris Lewis" <clewis@nortel.com> Tue, 09 February 2010 22:51 UTC

Return-Path: <CLEWIS@nortel.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE0A53A7633 for <asrg@core3.amsl.com>; Tue, 9 Feb 2010 14:51:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.46
X-Spam-Level:
X-Spam-Status: No, score=-6.46 tagged_above=-999 required=5 tests=[AWL=-0.017, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U7RAK+wAsvJt for <asrg@core3.amsl.com>; Tue, 9 Feb 2010 14:51:00 -0800 (PST)
Received: from zcars04e.nortel.com (zcars04e.nortel.com [47.129.242.56]) by core3.amsl.com (Postfix) with ESMTP id C284C3A7631 for <asrg@irtf.org>; Tue, 9 Feb 2010 14:50:59 -0800 (PST)
Received: from zrtphxs1.corp.nortel.com (casmtp.ca.nortel.com [47.140.202.46]) by zcars04e.nortel.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id o19Mq4I05619 for <asrg@irtf.org>; Tue, 9 Feb 2010 22:52:04 GMT
Received: from zrtphx5h0.corp.nortel.com ([47.140.202.65]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 9 Feb 2010 17:52:03 -0500
Received: from [47.130.80.167] (47.130.80.167) by zrtphx5h0.corp.nortel.com (47.140.202.65) with Microsoft SMTP Server (TLS) id 8.1.340.0; Tue, 9 Feb 2010 17:52:03 -0500
Message-ID: <4B71E6FC.4080400@nortel.com>
Date: Tue, 9 Feb 2010 17:51:40 -0500
From: "Chris Lewis" <clewis@nortel.com>
Organization: Nortel
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Lightning/0.9 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <20100208150513.49394.qmail@simone.iecc.com> <0BF553ABE600903AE55F0E89@lewes.staff.uscs.susx.ac.uk> <4B718E2A.5070304@tana.it> <D0AC3DDE-3995-4EE9-9914-30E2831BAE22@blighty.com> <4B71A3D8.40401@tana.it> <4B71A96D.8060909@nortel.com> <4B71B575.7050107@tana.it>
In-Reply-To: <4B71B575.7050107@tana.it>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 09 Feb 2010 22:52:03.0781 (UTC) FILETIME=[7F565750:01CAA9DA]
Subject: Re: [Asrg] ARF traffic, was Spam button scenarios
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2010 22:51:00 -0000

Alessandro Vesely wrote:
> On 09/Feb/10 19:29, Chris Lewis wrote:
>> Alessandro Vesely wrote:
>>> form abuse@domain is standardized by rfc 2142. Some people (e.g.
>>> Abusix) may plan to send machine generated complaints at such addresses.
>> And they'll learn very very soon that that doesn't work.
>>
>> Been there/done that in a limited fashion, and even in that limited
>> fashion, it don't work.
> 
> Why not, _what_ goes wrong?

The extant methods for determining where abuse reports are (a) usually 
wrong or missing and we're not going to bail that ocean, (b) 
insufficiently granular (both report types, but worse, breakdowns of 
space to responsible parties, ie resellers) and (c) without aggregation, 
too high volume even for automation.

Abuse@example.com is for reports of abuse originating _at_ 
abuse@example.com, not for reports of abuse (eg: spam) originating 
elsewhere that example.com's users want to report.

In other words, our TiS should _not_ go to abuse@nortel.com.  It goes 
elsewhere.  If I changed my mind for convenience, I wouldn't change the 
TiS to go to abuse@nortel.com, I'd change the mail system to alias it.

I did some experimentation with automatic aggregation and 
hand-configured destinations for a small fraction of reports.  That 
worked somewhat, but not worth the effort to keep touching the config.

> It seems to me that a simple filter could determine ARF/non-ARF 
> quality of a message in a fraction of the time that spamassassing 
> would take to process it, assuming abuse@ boxes are whitelisted.

A single bot run could fill up the abuse box so quickly that a "simple 
filter" can't do anything about it.

For the rare occasion that you want your TiS button goes to abuse@<you>,
a simple forwarding alias is far easier than the more common 
circumstance of having to construct some sort of content filter to split 
ARFs from non-ARFs.  And less likely to completely break down during a 
flood.