Re: [Asrg] Where to send the ARF report, was Adding a spam button to MUAs

I don't see how this inherently ties the ARF server and/or ARF delivery
protocol(s)
to the mail access protocol (e.g., IMAP, POP, ...).  

A flexible reporting flow could work more like this:

*  MUA/User receive spam
*  MUA/User decide Report Recipient(s) they wish to report spam to
{sending ESP/ISP, receiving domain ESP/ISP, 
   Spam filter provider, SpamCop, and/or ...}.  This may involve header
analysis, which should be supported by 
   including feedback solicitation headers in email.
	* Possibly as a discovery process to support this decision, MUA
may discover available 
        reporting services' protocols and addresses for each Report
Recipient, using DNS (SRV or TXT?) queries if needed
*  Reports are sent using an available ARF submission protocol.  

To whom to report abuse is a can of worms.  For a given message, there
will never be a universally accepted answer.  
I don't see how it's reasonable to do anything except try to support the
range of possibilities.  

BTW, I work mostly with multi-protocol messaging systems (SMTP, SMS,
SIP, IM, MMS, IMAP, POP, proprietary wireless 
protocols, ...), where the complexity is even higher due to multiple
message types in addition to 
multiple (even layer 5 and higher) transport and delivery protocols.  In
these cases it may be impractical or 
inadvisable to use the access protocol as the abuse-report submission
protocol.
Maybe the above is more general than needed for email today.  But this
problem will become more complex as gateways
(such as Blackberry's or CP/M's, ...) become increasingly used.  

Regards,

Alex

-----Original Message-----
From: asrg-bounces@irtf.org [mailto:asrg-bounces@irtf.org] On Behalf Of
John Levine
Sent: Friday, February 05, 2010 4:49 PM
To: asrg@irtf.org
Subject: Re: [Asrg] Where to send the ARF report,was Adding a spam
button to MUAs

>How does the MUA autodiscover "domain.com", though, so as to create
 "feedback@feedback.domain.com"?

>The only setting that the MUA is likely to have access to is the name
>of the IMAP or POP3 server. As IMAP and POP3 are not name-based, the
>entry there could easily be domain.com, mail.domain.com,
>imap.domain.com or pop.domain.com or smtp.domain.com or even
>www.domain.com.

You know, this is the sort of thing that SRV records were invented to
do.

If the name of the POP or IMAP server is www.domain.com, you do a SRV
lookup and find:

 _arf._tcp.www.domain.com SRV 0 0 25 collectreports.biz

So, using a fixed mailbox name, the address is
feedback@collectreports.biz.  If there's no SRV record, they aren't
prepared to accept reports.

I'm not thrilled about this, since this enshrines the false assumption
that the only ways to pick up mail are POP and IMAP, but at least it
doesn't break anything that works now.

The other reason I'm not thrilled about it is that it assumes that an
MUA remembers where it found each message.  It's not unusual for
people to have multiple POP accounts, and to dump everything into one
local inbox.  There's no need to remember the source of each message,
so I wouldn't want to assume the MUA does so.  That's why I still
prefer something like a note in the Auth-results: header to tell you
where to send the report.  Belt-and-suspenders types might want to add
a SRV lookup to that to deter random hostile misdirection.

R's,
John
_______________________________________________
Asrg mailing list
Asrg@irtf.org
http://www.irtf.org/mailman/listinfo/asrg