RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

"Murray S. Kucherawy" <msk@cloudmark.com> Wed, 09 May 2012 03:14 UTC

Return-Path: <msk@cloudmark.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8766B11E8079 for <ietf@ietfa.amsl.com>; Tue, 8 May 2012 20:14:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.623
X-Spam-Level:
X-Spam-Status: No, score=-102.623 tagged_above=-999 required=5 tests=[AWL=-0.024, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-TRMJQCvBv5 for <ietf@ietfa.amsl.com>; Tue, 8 May 2012 20:14:20 -0700 (PDT)
Received: from mail.cloudmark.com (cmgw1.cloudmark.com [208.83.136.25]) by ietfa.amsl.com (Postfix) with ESMTP id E230C11E8074 for <ietf@ietf.org>; Tue, 8 May 2012 20:14:20 -0700 (PDT)
Received: from ht1-outbound.cloudmark.com ([72.5.239.26]) by mail.cloudmark.com with bizsmtp id 7fE91j0010as01C01fE9VW; Tue, 08 May 2012 20:14:09 -0700
X-CMAE-Match: 0
X-CMAE-Score: 0.00
X-CMAE-Analysis: v=2.0 cv=R/iB6KtX c=1 sm=1 a=QMZKka45TBd+hNGtXG2bIg==:17 a=ldJM1g7oyCcA:10 a=YfYFAX1pRpwA:10 a=zutiEJmiVI4A:10 a=kj9zAlcOel0A:10 a=xqWC_Br6kY4A:10 a=48vgC7mUAAAA:8 a=OlMI6XHdcPpTm43xq40A:9 a=yG1VNaFF4NKdj6terSsA:7 a=CjuIK1q_8ugA:10 a=lZB815dzVvQA:10 a=QMZKka45TBd+hNGtXG2bIg==:117
Received: from EXCH-MBX901.corp.cloudmark.com ([fe80::addf:849a:f71c:4a82]) by exch-htcas902.corp.cloudmark.com ([fe80::54de:dc60:5f3e:334%10]) with mapi id 14.01.0355.002; Tue, 8 May 2012 20:14:09 -0700
From: "Murray S. Kucherawy" <msk@cloudmark.com>
To: Scott Kitterman <scott@kitterman.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
Thread-Topic: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
Thread-Index: AQHNLKHAkXDvdhJ2jUSCN0WTYs7sLZa/SMQAgACP5ID//5MiMIABwG4A//+c6MA=
Date: Wed, 09 May 2012 03:14:08 +0000
Message-ID: <9452079D1A51524AA5749AD23E00392811A51A@exch-mbx901.corp.cloudmark.com>
References: <20120507195025.19948.3410.idtracker@ietfa.amsl.com> <a80ed582-27a1-4669-acf5-782b4f342b04@email.android.com> <9452079D1A51524AA5749AD23E003928118D24@exch-mbx901.corp.cloudmark.com> <7750789.HxqQGoXypG@scott-latitude-e6320>
In-Reply-To: <7750789.HxqQGoXypG@scott-latitude-e6320>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [67.160.203.60]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudmark.com; s=default; t=1336533249; bh=G90L6b/yfqzEQbOTwYoZPbxvvm+Mf8LQ/ASrP8v0Ws0=; h=From:To:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=wDsC4ZhVa0n5g3fygTvAzW5T+SpfUiU16ExPOVXMDxQQ0JVWCmKMfopkPWEXzK+72 UOvvz9g52H9H/W/LiGEaDEOv/V5WNwE8J7XWaDVsQ3bkfq6AN+EZSZKJyRFyl8NG0P Nl3EVeU2Iqfzssozes91evUve1fkPDzLY7lmZTdY=
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2012 03:14:21 -0000

> -----Original Message-----
> From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of Scott Kitterman
> Sent: Tuesday, May 08, 2012 7:05 PM
> To: ietf@ietf.org
> Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt>
> (Source Ports in ARF Reports) to Proposed Standard
> 
> > In the absence of that capability, isn't it better to give the
> > investigating user as much information as possible to use in
> > correlation of logs and such?
> 
> Personally, in the forensic work I've done I've found things like mail
> queue IDs a lot more important than source port.  There is lots of
> information that would be useful for an investigation.  On this basis,
> I could see MAY include source port on auth failure reports, but I
> think making it RECOMMENDED on the basis of it may be useful is
> justified.

If a spam bot connects to your MTA and sends a message in, the only queue ID you have is the one your own MTA generated.  How will that be useful tracing the spam back to the very machine that generated it?

RFC6302 talks about why this is important a lot more than this document does.

-MSK
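The correlation Murray is describing, as an added example that is not part of the message, the draft, or RFC 5965: parse the machine-readable part of an ARF report, pull out Source-IP, Arrival-Date and the Source-Port field the draft adds, and match them against a NAT/CGN binding log of the kind RFC 6302 asks operators to keep. The ARF report and the NAT log below are constructed for this example; the log record layout (internal address, external address and port, binding start/end) and the 60-second clock-skew tolerance are assumptions, not anything the draft specifies.

```python
"""Correlate an ARF abuse report with a NAT/CGN binding log (added example).

Assumptions: the report carries a Source-Port field in its
message/feedback-report part (as proposed in the draft); the NAT log
layout and the 60 s clock-skew allowance are constructed for this example.
"""
import email
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed ARF report (RFC 5965 multipart/report) with a Source-Port field.
ARF_REPORT = """\
From: abuse-desk@example.net
To: abuse@example.com
Subject: FW: spam complaint
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="part1"

--part1
Content-Type: text/plain; charset=us-ascii

This is an email abuse report for a message received from IP 203.0.113.7.

--part1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: SomeGenerator/1.0
Version: 1
Original-Mail-From: <bot@example.org>
Arrival-Date: Tue, 8 May 2012 19:02:11 -0700
Source-IP: 203.0.113.7
Source-Port: 41023
Reporting-MTA: dns; mail.example.net

--part1
Content-Type: message/rfc822

From: bot@example.org
To: victim@example.net
Subject: buy now

spam body
--part1--
"""


@dataclass(frozen=True)
class ReportFacts:
    source_ip: str
    source_port: Optional[int]
    arrival: datetime


def extract_report_facts(raw: str) -> ReportFacts:
    """Pull Source-IP, Source-Port and Arrival-Date out of the feedback-report part."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "message/feedback-report":
            continue
        # The email package parses message/* bodies as an embedded message,
        # so the ARF fields come back as that embedded message's headers.
        if part.is_multipart():
            fields = part.get_payload(0)
        else:
            fields = email.message_from_string(part.get_payload(), policy=policy.default)
        port = fields.get("Source-Port")
        return ReportFacts(
            source_ip=str(fields["Source-IP"]).strip(),
            source_port=int(port) if port is not None else None,
            arrival=parsedate_to_datetime(str(fields["Arrival-Date"])),
        )
    raise ValueError("no message/feedback-report part in report")


@dataclass(frozen=True)
class NatBinding:
    """One NAT/CGN binding record (constructed layout, loosely after RFC 6302)."""
    internal_ip: str
    external_ip: str
    external_port: int
    start: datetime
    end: datetime


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed NAT log: several subscribers share public address 203.0.113.7
# at the time of the report (19:02:11 -0700 is 02:02:11 UTC the next day).
NAT_LOG = [
    NatBinding("10.0.0.5", "203.0.113.7", 41023, _utc("2012-05-09T02:01:50"), _utc("2012-05-09T02:03:00")),
    NatBinding("10.0.0.9", "203.0.113.7", 52117, _utc("2012-05-09T02:02:00"), _utc("2012-05-09T02:02:30")),
    NatBinding("10.0.0.12", "203.0.113.7", 41023, _utc("2012-05-09T02:10:00"), _utc("2012-05-09T02:11:00")),
    NatBinding("10.0.0.5", "198.51.100.4", 41023, _utc("2012-05-09T02:02:00"), _utc("2012-05-09T02:02:20")),
]


def correlate(facts: ReportFacts, log: List[NatBinding], use_port: bool = True,
              skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return the internal hosts whose binding could have sent the reported message.

    A binding matches if its external address equals Source-IP, its port equals
    Source-Port (when use_port is set and the report has one) and it was active
    within +/- skew of Arrival-Date, to allow for clock differences.
    """
    lo, hi = facts.arrival - skew, facts.arrival + skew
    hits = set()
    for b in log:
        if b.external_ip != facts.source_ip:
            continue
        if use_port and facts.source_port is not None and b.external_port != facts.source_port:
            continue
        if b.start <= hi and b.end >= lo:
            hits.add(b.internal_ip)
    return sorted(hits)


if __name__ == "__main__":
    facts = extract_report_facts(ARF_REPORT)
    print("IP+time only:", correlate(facts, NAT_LOG, use_port=False))
    print("IP+port+time:", correlate(facts, NAT_LOG))
```

With address and time alone the report matches two subscribers behind the shared address; adding the port narrows it to one, and the timestamp is what excludes the later reuse of the same port by another host. The reporter's queue ID never enters into it, which is the point of the message above.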