RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

"Murray S. Kucherawy" <msk@cloudmark.com> Tue, 08 May 2012 06:23 UTC

From: "Murray S. Kucherawy" <msk@cloudmark.com>
To: Scott Kitterman <scott@kitterman.com>, "ietf@ietf.org" <ietf@ietf.org>

> -----Original Message-----
> From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of Scott Kitterman
> Sent: Monday, May 07, 2012 10:49 PM
> To: ietf@ietf.org
> Subject: RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
> 
> >If all one is doing is figuring out why something like a DKIM signature
> >failed on an otherwise legitimate message, then I agree the source port
> >isn't a useful input to that work.  In fact, as far as DKIM goes, the
> >source IP address is probably not useful either.
> >
> >If, however, one is trying to track down the transmission of fraudulent
> >email such as phishing attacks, source ports can be used to identify
> >the perpetrator more precisely when compared to logs.  Support for this
> >latter use case is why I believe RECOMMENDED is appropriate.
> 
> Which is exactly the case (abuse report) the second to last paragraph
> takes care of.  I agree RECOMMENDED is appropriate there and you have
> it there.
> 
> For auth failure analysis I read you as agreeing it's not needed.
> There are some authorization methods that use IP address, so I don't
> think that for auth failure reports inclusion of IP address and source
> port are comparable.
> 
> Based on your response, I don't understand your objection to dropping
> the RECOMMENDS for auth failure reports and keeping it for abuse
> reports?

I don't think it's possible for software to identify correctly a case of an accidental authentication failure versus detected fraud.  If it were, then I'd agree that for the simple authentication failure case the source port isn't useful.

In the absence of that capability, isn't it better to give the investigating user as much information as possible to use in correlation of logs and such?

-MSK
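
The log correlation discussed in this thread, shown as an added example that is not part of the original message or of the draft: a report's Source-IP, Source-Port and Arrival-Date fields are matched against a NAT gateway log in which several internal hosts share one public address. The report, the log format, the addresses and the 30-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed machine-readable part of a report (all values are sample data).
REPORT = """\
Feedback-Type: auth-failure
User-Agent: ExampleReporter/1.0
Version: 1
Source-IP: 192.0.2.10
Source-Port: 40112
Arrival-Date: Tue, 08 May 2012 06:20:05 +0000
"""

# Constructed NAT log: (timestamp, public IP, public source port, internal host).
NAT_LOG = [
    ("2012-05-08T06:19:58+00:00", "192.0.2.10", 40111, "10.0.0.21"),
    ("2012-05-08T06:20:03+00:00", "192.0.2.10", 40112, "10.0.0.57"),
    ("2012-05-08T06:20:04+00:00", "192.0.2.10", 40113, "10.0.0.21"),
    ("2012-05-08T06:20:06+00:00", "198.51.100.7", 40112, "10.0.0.99"),
]

def parse_report(text):
    """Extract the correlation keys; Source-Port may be absent."""
    fields = HeaderParser().parsestr(text)
    port = fields.get("Source-Port")
    return {
        "ip": fields["Source-IP"],
        "port": int(port) if port is not None else None,
        "arrival": parsedate_to_datetime(fields["Arrival-Date"]),
    }

def candidates(report, log, window=timedelta(seconds=30)):
    """Internal hosts whose NAT mapping matches the report within the window."""
    hosts = set()
    for ts, ip, port, host in log:
        when = datetime.fromisoformat(ts)
        if ip != report["ip"] or abs(when - report["arrival"]) > window:
            continue
        # Without a reported port, every mapping on that IP stays a candidate.
        if report["port"] is None or port == report["port"]:
            hosts.add(host)
    return hosts

if __name__ == "__main__":
    with_port = parse_report(REPORT)
    without_port = parse_report(REPORT.replace("Source-Port: 40112\n", ""))
    print("with port:   ", sorted(candidates(with_port, NAT_LOG)))
    print("without port:", sorted(candidates(without_port, NAT_LOG)))
```
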