Re: [dmarc-ietf] Report bombing is a prolem, Forensic report loops are not

John Levine <johnl@taugh.com> Sun, 31 January 2021 20:02 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8D153A1205 for <dmarc@ietfa.amsl.com>; Sun, 31 Jan 2021 12:02:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.851
X-Spam-Level:
X-Spam-Status: No, score=-1.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=YSfb9oFj; dkim=pass (2048-bit key) header.d=taugh.com header.b=IKCd5lEx
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLAJD_wmsSYQ for <dmarc@ietfa.amsl.com>; Sun, 31 Jan 2021 12:02:43 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22D693A10E4 for <dmarc@ietf.org>; Sun, 31 Jan 2021 12:02:42 -0800 (PST)
Received: (qmail 19004 invoked from network); 31 Jan 2021 20:02:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=4a38.60170cdf.k2101; bh=Nh0a+Kr2qC6dC7LaEVfKsRqVNgyTg1T7HBhzRv/S3Og=; b=YSfb9oFjvb0CEJoHWAB0p5fVPQF5S6sg2wJYY4ach4AJZAX0m5pXI7iT49e1YaUzlZPdOcgs4v7pca4CohTfJ7DLJrOoVgcp3RKFWaxTcNwpVFCUb10X6BOX6M9ZNbS6GyY1nQ1ihR7s+qCzfy4WbVrArxz9jDGtBQhFG9wV42+VKC3FlQfavQs/kSSvh14o5/RUai/Fk56zkXEm/QyhiJ+XGG5Vr4Pi7H2SsOFWFk4OYBQCU1x/qwvrUHbz5yOjJkM0B6XJufrpq52kmcl0ywMcCasHna9ZkUUcHn1WrGBMYFR2qfh+7DMFm8D2UQ+Pa3XGkRfWU6t+KFUG1lVLTA==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=4a38.60170cdf.k2101; bh=Nh0a+Kr2qC6dC7LaEVfKsRqVNgyTg1T7HBhzRv/S3Og=; b=IKCd5lEx+luUMwQugOOSGiuM8o+33pqf8hSRQverZeG3pw8+LSIaGZ5z8jt9H/5hlRHE7xY/3J9+QjSBNitOhEev1aYc9L71sX0FkpdrIhkMU3hX/gTzOFJRX8n3qxBkkKS5a5blgDsrBV0Y7SNfLLGmEUFl6S0pawX/gqhwCJnhILRaGsV4ejWmTpTasjkL5cgy2R3IhiILjtoVzr+CZYkYnxfDsjNF2+qLakgF6eN2xSg1WKx2KKkk5GZ6Xrmc71I2I7g+UhSRtEHNuPGg5/CFYoLTn0pIXdP9vB/jp1WrKpcnp0o+w/2kJH7KM4zz6f7CvVbGHC8E6pa9wWvJag==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 31 Jan 2021 20:02:39 -0000
Received: by ary.qy (Postfix, from userid 501) id 931356D11D79; Sun, 31 Jan 2021 15:02:38 -0500 (EST)
Date: 31 Jan 2021 15:02:38 -0500
Message-Id: <20210131200238.931356D11D79@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: vesely@tana.it
In-Reply-To: <49b248dc-91a7-7f2d-ba28-72fe8d6d356a@tana.it>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/O_BqKx56WMwMP-lLUKp9mjgigKk>
Subject: Re: [dmarc-ietf] Report bombing is a prolem, Forensic report loops are not
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jan 2021 20:02:45 -0000

In article <49b248dc-91a7-7f2d-ba28-72fe8d6d356a@tana.it> you write:
>Rate limiting usually implies a number of buckets.  They are managed by 
>imposing limits per time periods, which can be either server-global or per 
>bucket.  Normally, for MSA usage, one has one bucket per user.  I have never 
>implemented failure reporting, but I'd guess buckets may vary.  Besides the 
>signing domain (which determines the report consumer), the receiving address, 
>the sender and the spam flag may deserve their own buckets.

The only one that matters for DMARC reporting is the recipient
address, since the purpose of rate limiting is to avoid overloading
the recipient mail system. I wouldn't worry about trying to send a
"representative" set of reports.

Keep in mind that very few people send failure reports at all. In my
experience few of them are useful. Most of mine are ordinary mailing
list messages where the failure is not surprising and does not mean
that anything needs to be fixed.

R's,
John