Re: [Asrg] ARF traffic, was Spam button scenarios

Alessandro Vesely <> Tue, 09 February 2010 18:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9216E3A6919 for <>; Tue, 9 Feb 2010 10:04:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.606
X-Spam-Status: No, score=-4.606 tagged_above=-999 required=5 tests=[AWL=-0.043, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4, SUBJECT_FUZZY_TION=0.156]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hlvdacDrDp+E for <>; Tue, 9 Feb 2010 10:04:06 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 733613A690D for <>; Tue, 9 Feb 2010 10:04:06 -0800 (PST)
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 515, TLS: TLS1.0,256bits,RSA_AES_256_CBC_SHA1) by with ESMTPSA; Tue, 09 Feb 2010 19:05:13 +0100 id 00000000005DC039.000000004B71A3D9.00003CBA
Message-ID: <>
Date: Tue, 09 Feb 2010 19:05:12 +0100
From: Alessandro Vesely <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] ARF traffic, was Spam button scenarios
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 09 Feb 2010 18:04:07 -0000

On 09/Feb/10 17:45, Steve Atkins wrote:
> On Feb 9, 2010, at 8:32 AM, Alessandro Vesely wrote:
>>  There's a whole theory of other ARF messages that may arrive at a domain's abuse@ mailbox. A domain's user, or someone writing to a forwarded address of that domain, writes a message that is reported as spam, either correctly or by mistake. As part of an FBL or other trust-chain, the message comes back wrapped in an ARF report at the apparently originating domain.
>>  The mailbox is abuse@domain in both cases. Although it may seem desirable to have different addresses for incoming and outgoing reports, I doubt such distinction will ever be effective. Indeed, the forwarded case is ambiguous.
> If you think that any part of this chain is involving mail sent to abuse@ anywhere your model of it is a long way from how I understand the situation.

The abuse-mailbox is an attribute in some whois db (e.g. RIPE). The 
form abuse@domain is standardized by rfc 2142. Some people (e.g. 
Abusix) may plan to send machine generated complaints at such addresses.

Besides that, I don't feel my model is much different than yours.

> Rather there's one part of the chain that involves an end users MUA reporting a TiS button hit to their mail provider in a machine readable manner. That may well be done via SMTP, but if so it'll be to a dedicated email address (or set of email addresses) used solely for that function.

I agree that's a possibility. I've proposed abuse@authserv-id, which 
may or may not be simpler. I don't think it makes a big difference.

> The other part of the chain involves feedback loops, which are sent in response to the TiS hit. Pretty much all current ones are sent via SMTP, but not typically to an abuse@ address (it's certainly not best practice to do it that way). Again, they're intended for entirely automated handling and so are machine readable.

Yes, but I've used for the FBL(s) I've subscribed to. 
Perhaps if I had a ponderous ARF traffic I'd be better off using a 
different address. However, that would be more of a nuisance if then 
I'd have to redirect there other ARF messages that somehow reach the 
abuse mailbox instead of my dedicated address.

> Both parts of the service involve solicited, machine readable messages sent under a contractual agreement. That's very different from an abuse@ alias, which is dominated by unsolicited messages that are not intended to be machine readable.

Again, splitting the traffic may be convenient for heavy loads. 
However, I just whitelisted my abuse@ address from spam filtering. The 
moment I'll get a lot of ARF reports, it will be easy to add a 
recipient-filter that processes incoming messages only if they are in 
ARF format and leaves them in the current folder otherwise.

P.S. apologies for using the term /theory/ improperly in

  There's a whole theory of other ARF messages[...]

above. I really meant "a whole lot of other ARF messages", but my 
English didn't support me. There is no full blown theory yet, AFAIK.