Re: [Asrg] Adding a spam button to MUAs

"Chris Lewis" <clewis@nortel.com> Wed, 03 February 2010 16:45 UTC

Return-Path: <CLEWIS@nortel.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3DD0528C188 for <asrg@core3.amsl.com>; Wed, 3 Feb 2010 08:45:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.482
X-Spam-Level:
X-Spam-Status: No, score=-6.482 tagged_above=-999 required=5 tests=[AWL=-0.039, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MN7dQkLAxBRn for <asrg@core3.amsl.com>; Wed, 3 Feb 2010 08:45:52 -0800 (PST)
Received: from zrtps0kp.nortel.com (zrtps0kp.nortel.com [47.140.192.56]) by core3.amsl.com (Postfix) with ESMTP id B620528C0DE for <asrg@irtf.org>; Wed, 3 Feb 2010 08:45:51 -0800 (PST)
Received: from zrtphxs1.corp.nortel.com (zrtphxs1.corp.nortel.com [47.140.202.46]) by zrtps0kp.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id o13GkE128640 for <asrg@irtf.org>; Wed, 3 Feb 2010 16:46:17 GMT
Received: from zrtphx5h0.corp.nortel.com ([47.140.202.65]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 3 Feb 2010 11:45:43 -0500
Received: from [47.129.150.21] (47.129.150.21) by zrtphx5h0.corp.nortel.com (47.140.202.65) with Microsoft SMTP Server (TLS) id 8.1.340.0; Wed, 3 Feb 2010 11:45:43 -0500
Message-ID: <4B69A82F.3030603@nortel.com>
Date: Wed, 3 Feb 2010 11:45:35 -0500
From: "Chris Lewis" <clewis@nortel.com>
Organization: Nortel
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Lightning/0.9 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <20100201145903.30670.qmail@simone.iecc.com> <3741B85B916D847C703F2724@lewes.staff.uscs.susx.ac.uk> <A50C736E-EE14-4213-B99D-DD58C669FDAC@blighty.com> <100201092326.ZM5487@torch.brasslantern.com> <4B67ADC2.4080204@nortel.com> <4B68133A.6040104@tana.it> <4B686886.6010402@nortel.com> <4B6947EA.60505@tana.it>
In-Reply-To: <4B6947EA.60505@tana.it>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 03 Feb 2010 16:45:43.0457 (UTC) FILETIME=[53909110:01CAA4F0]
Subject: Re: [Asrg] Adding a spam button to MUAs
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 16:45:58 -0000

Alessandro Vesely wrote:
> On 02/Feb/10 19:01, Chris Lewis wrote:

>> I was referring on the _client_ trusting the header its front end would
>> have inserted to indicate where/how to send a report. If we only add
>> these headers at the receiving end, the receiving end zaps all prior
>> instances of the TiS header and inserts its own, and the client knows
>> that the receiving end inserts this header, then there's only the issue
>> of the client roaming somewhere else and getting a forward.
> 
> The receiving end does not /have/ to zap prior instances of the same 
> field.

No, it doesn't technically have to, but it _will_ have to give the 
client a hand in making sure the client doesn't trust bogus/malicious 
ones or ones outside of the receiving site's policies.

Removing the ones it doesn't want the client to respect and/or rewriting 
the ones it does want the client to respect, or simply replacing them 
all with its own is the best way of doing that.

> It filters off any maliciously forged Authentication-Results 
> bearing its own authserv-id, but they wouldn't have provided a 
> different target anyway.

Why not?  Why wouldn't a scammer attempt to divert the recipient's TiS 
buttons to /dev/null, DDOS someone else, or divert complaints away from 
their provider who might zap them?

> In general, a (trusted) report from a client should reach the 
> originating domain, whose operators can make the best use of it, 
> assuming they're honest.

And assuming that meets the recipient server's policies.  As a 
corporate, for example, we must have the final word on what reporting 
our users do and to where.  That will often _not_ be where the sender or 
forwarder is trying to tell the client.

For simplicity, you may well want to have the core specification require 
that the receiving MTA makes all the choices at transit time, and 
removes all forwarding instructions that it doesn't agree with.

That means that the client, assuming that the client knows that the 
receiver is doing all the work, doesn't have to do any cryptographic 
verification, and the receiver may not need to either.

> It seems advisable that clients delegate such 
> routing decisions to their servers. The servers, in turn, delegate 
> that to some other trusted operator, unless they have specific 
> arrangements with the reported domain. I tend to consider this 
> indirection a consequence of the MSA/MX design.

The indirection may well be desirable, but you have to ensure that it is 
convenient to do so (in other words, make sure that the client's 
provider's AR handling _know_ what routing decisions they're being asked 
to assess and implement).

> As for tying an MTA to abuse reports handling, I think it is the most 
> convenient choice. The kind of spam that we may be able to control by 
> properly routing ARs does not require the immediateness of HTTP.

The MTA is only essential to abuse report handling insofar as the abuse 
reports may adjust the filters.  It'll be convenient to do the AR 
handling on the MTA in some instances, but in many it will be not a good 
choice.  An specificiationd esign that makes AR handling independent of 
the MTA is a better one.  You can run it co-resident if you wish.  But 
you don't have to.  Making the spec require too much of the MTA function 
would be a mistake in that regard.