RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

"Murray S. Kucherawy" <msk@cloudmark.com> Tue, 08 May 2012 04:20 UTC

From: "Murray S. Kucherawy" <msk@cloudmark.com>
To: Scott Kitterman <scott@kitterman.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
Date: Tue, 08 May 2012 04:20:00 +0000

> -----Original Message-----
> From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of Scott Kitterman
> Sent: Monday, May 07, 2012 3:35 PM
> To: ietf@ietf.org
> Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
> 
> My suggestion would be to change the last part of section three to
> read:
> 
>    When any authentication failure report [AUTHFAILURE-REPORT] is generated
>    that includes the "Source-IP" reporting field (see Section 3.1 of
>    [AUTHFAILURE-REPORT]), this field MAY also be included.
> 
> Other than that, I think it's ready to go.

If all one is doing is figuring out why something like a DKIM signature failed on an otherwise legitimate message, then I agree the source port isn't a useful input to that work.  In fact, as far as DKIM goes, the source IP address is probably not useful either.

If, however, one is trying to track down the transmission of fraudulent email such as phishing attacks, source ports can be used to identify the perpetrator more precisely when compared to logs.  Support for this latter use case is why I believe RECOMMENDED is appropriate.

-MSK
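
The log comparison described in the message above, as an added example that is not part of the original message or the draft: it matches an ARF report's Source-IP, Source-Port and Arrival-Date against address-translation logs. The report, the log layout, the addresses and the 30-second clock-skew allowance are all constructed assumptions.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed machine-readable part of an ARF report.
REPORT = """\
Feedback-Type: auth-failure
Version: 1
Arrival-Date: Tue, 08 May 2012 04:20:13 +0000
Source-IP: 192.0.2.10
Source-Port: 40112
"""

# Constructed translation log (assumed layout):
# (mapping start, mapping end, public IP, public port, internal host)
NAT_LOG = [
    ("2012-05-08T04:19:50+00:00", "2012-05-08T04:20:40+00:00", "192.0.2.10", 40112, "10.1.4.23"),
    ("2012-05-08T04:20:01+00:00", "2012-05-08T04:20:30+00:00", "192.0.2.10", 51877, "10.1.7.80"),
    ("2012-05-08T04:18:00+00:00", "2012-05-08T04:21:00+00:00", "192.0.2.10", 33015, "10.1.2.5"),
    # Same public port, reused hours earlier: only the timestamp rules it out.
    ("2012-05-08T01:00:00+00:00", "2012-05-08T01:05:00+00:00", "192.0.2.10", 40112, "10.1.9.9"),
]

def parse_report(text):
    """Extract the correlation keys; Source-Port is optional in a report."""
    fields = message_from_string(text)
    port = fields["Source-Port"]
    return {
        "ip": fields["Source-IP"].strip(),
        "port": int(port) if port is not None else None,
        "when": parsedate_to_datetime(fields["Arrival-Date"]),
    }

def candidates(report, log, use_port=True, skew=timedelta(seconds=30)):
    """Return internal hosts whose mapping matches the report in the time window."""
    hosts = []
    for start, end, ip, port, host in log:
        if ip != report["ip"]:
            continue
        if use_port and report["port"] is not None and port != report["port"]:
            continue
        begin = datetime.fromisoformat(start) - skew
        finish = datetime.fromisoformat(end) + skew
        if begin <= report["when"] <= finish:
            hosts.append(host)
    return hosts

if __name__ == "__main__":
    r = parse_report(REPORT)
    print("IP only:  ", candidates(r, NAT_LOG, use_port=False))
    print("IP + port:", candidates(r, NAT_LOG))
```

With the source IP alone, three internal hosts remain candidates; adding the source port leaves one.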