Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

Scott Kitterman <scott@kitterman.com> Wed, 09 May 2012 02:04 UTC

Return-Path: <scott@kitterman.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA08311E8080 for <ietf@ietfa.amsl.com>; Tue, 8 May 2012 19:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8f2-xK+g0LPa for <ietf@ietfa.amsl.com>; Tue, 8 May 2012 19:04:46 -0700 (PDT)
Received: from mailout02.controlledmail.com (mailout02.controlledmail.com [72.81.252.18]) by ietfa.amsl.com (Postfix) with ESMTP id 9941911E8074 for <ietf@ietf.org>; Tue, 8 May 2012 19:04:45 -0700 (PDT)
Received: from mailout02.controlledmail.com (localhost [127.0.0.1]) by mailout02.controlledmail.com (Postfix) with ESMTP id 1FC5420E40D0; Tue, 8 May 2012 22:04:44 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1336529084; bh=i5hAHIyomzTHpy4rVvmypcPY3df2Q4p4BTVsJaEkE04=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Transfer-Encoding:Content-Type; b=Znx149ZqjWyALjN83yKVVuFdFhAPDK0vOW46Fcob8g0A9VnkzbT9wFGzz9VgUenKV b41TA0sWdcuVr4iDbP3l2StNXaHyv+pMm40ZASAD2htcqNd0hE5mbk/J9rgGnOBtqK SBQi208OPDYPXGD+bauprqGVLe9sERYFMPVJar1k=
Received: from scott-latitude-e6320.localnet (unknown [12.50.158.66]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout02.controlledmail.com (Postfix) with ESMTPSA id 3199320E40B9; Tue, 8 May 2012 22:04:42 -0400 (EDT)
From: Scott Kitterman <scott@kitterman.com>
To: "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
Date: Tue, 08 May 2012 22:04:30 -0400
Message-ID: <7750789.HxqQGoXypG@scott-latitude-e6320>
User-Agent: KMail/4.8.2 (Linux/3.2.0-24-generic-pae; KDE/4.8.2; i686; ; )
In-Reply-To: <9452079D1A51524AA5749AD23E003928118D24@exch-mbx901.corp.cloudmark.com>
References: <20120507195025.19948.3410.idtracker@ietfa.amsl.com> <a80ed582-27a1-4669-acf5-782b4f342b04@email.android.com> <9452079D1A51524AA5749AD23E003928118D24@exch-mbx901.corp.cloudmark.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-AV-Checked: ClamAV using ClamSMTP
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2012 02:04:47 -0000

On Tuesday, May 08, 2012 06:23:46 AM Murray S. Kucherawy wrote:
> > -----Original Message-----
> > From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of
> > Scott Kitterman
> > Sent: Monday, May 07, 2012 10:49 PM
> > To: ietf@ietf.org
> > Subject: RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source
> > Ports in ARF Reports) to Proposed Standard
> > 
> > >If all one is doing is figuring out why something like a DKIM signature
> > >failed on an otherwise legitimate message, then I agree the source port
> > >isn't a useful input to that work.  In fact, as far as DKIM goes, the
> > >source IP address is probably not useful either.
> > >
> > >If, however, one is trying to track down the transmission of fraudulent
> > >email such as phishing attacks, source ports can be used to identify
> > >the perpetrator more precisely when compared to logs.  Support for this
> > >latter use case is why I believe RECOMMENDED is appropriate.
> > 
> > 
> > Which is exactly the case (abuse report) the second to last paragraph
> > takes care of.  I agree RECOMMENDED is appropriate there and you have
> > it there.
> > 
> > For auth failure analysis I read you as agreeing it's not needed.
> > There are some authorization methods that use IP address, so I don't
> > think that for auth failure reports inclusion of IP address and source
> > port are comparable.
> > 
> > Based on your response, I don't understand your objection to dropping
> > the RECOMMENDS for auth failure reports and keeping it  for abuse
> > reports?
> 
> 
> I don't think it's possible for software to identify correctly a case of an
> accidental authentication failure versus detected fraud.  If it were, then
> I'd agree that for the simple authentication failure case the source port
> isn't useful.
 
Then why did we bother with a separate type of report for authentication 
failure?  Presumably we believe systems can have criteria for "I'm sending 
this because the message is abusive" versus "I'm sending this because it 
failed $authentication_type".

> In the absence of that capability, isn't it better to give the investigating
> user as much information as possible to use in correlation of logs and
> such?

Personally, in the forensic work I've done I've found things like mail queue 
IDs a lot more important than source port.  There is lots of information that 
would be useful for an investigation.  On this basis, I could see MAY include 
source port on auth failure reports, but I think making it RECOMMENDED on the 
basis that it may be useful is justified.

Scott K
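The thread above turns on whether the Source-Port field in an ARF report helps an investigator correlate a report with MTA logs. The following is an added example, not code from the thread, the draft, or any MARF implementation: it parses a constructed ARF report (RFC 5965 multipart/report with a message/feedback-report part carrying Source-IP and Source-Port) using only the Python standard library, then matches it against constructed MTA log lines. The log format (queue ID followed by `client=host[ip]:port`) is an assumption for illustration, not any particular MTA's default output, and the queue IDs and addresses are made up. The example shows the point both sides make: the IP alone matches every session from a NAT'd or shared address, while IP plus port narrows the match to one queue ID.

```python
"""Parse an ARF abuse report carrying the Source-Port field and correlate it
against MTA connection logs.

Added example, not part of the mailing-list thread. The report and the log
lines are constructed; the log layout (IP:port after "client=") is an
assumption and does not reflect a specific MTA's default logging.
"""
import email
import re

# Constructed ARF report: multipart/report with a message/feedback-report part.
ARF_REPORT = """\
From: abuse-reporter@example.net
To: abuse@example.com
Subject: FW: Abuse report
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="part1"

--part1
Content-Type: text/plain; charset=us-ascii

This is an email abuse report for a message from 192.0.2.10.
--part1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleReporter/1.0
Version: 1
Source-IP: 192.0.2.10
Source-Port: 51523
Arrival-Date: Tue, 08 May 2012 20:00:02 -0400
Reported-Domain: example.com

--part1
Content-Type: message/rfc822

From: someone@example.com
To: victim@example.net
Subject: hello

(original message)
--part1--
"""

# Constructed MTA log lines. Two sessions share a source IP, as happens behind
# NAT or carrier-grade NAT, so the IP alone cannot single out one session.
MTA_LOG = [
    "May  8 20:00:01 mx1 smtpd[1234]: AB12CD34EF: client=unknown[192.0.2.10]:40011",
    "May  8 20:00:02 mx1 smtpd[1234]: FE98DC76BA: client=unknown[192.0.2.10]:51523",
    "May  8 20:00:05 mx1 smtpd[1234]: 0011AA22BB: client=unknown[198.51.100.7]:51523",
]

# Assumed log layout: "<queue-id>: client=<host>[<ip>]:<port>".
LOG_RE = re.compile(
    r": (?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)


def parse_feedback_report(text):
    """Return the machine-readable fields of the message/feedback-report part
    as a dict keyed by lower-cased field name."""
    msg = email.message_from_string(text)
    for part in msg.walk():
        if part.get_content_type() != "message/feedback-report":
            continue
        # The stdlib parser treats message/* bodies as a nested message, so the
        # feedback fields arrive as that nested message's headers. Fall back to
        # parsing the raw body if a parser leaves it as a string.
        if part.is_multipart():
            inner = part.get_payload(0)
        else:
            inner = email.message_from_string(part.get_payload())
        return {name.lower(): value.strip() for name, value in inner.items()}
    raise ValueError("no message/feedback-report part found")


def correlate(report_text, log_lines):
    """Match the report's Source-IP, and Source-Port when present, against the log.

    Returns (by_ip, by_ip_and_port): queue IDs of sessions from the reported IP
    alone, and the subset that also matches the reported source port.
    """
    fields = parse_feedback_report(report_text)
    ip = fields["source-ip"]
    port = fields.get("source-port")
    by_ip, by_ip_and_port = [], []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["ip"] != ip:
            continue
        by_ip.append(m["qid"])
        if port is not None and m["port"] == port:
            by_ip_and_port.append(m["qid"])
    return by_ip, by_ip_and_port


if __name__ == "__main__":
    ip_matches, port_matches = correlate(ARF_REPORT, MTA_LOG)
    print("queue IDs matching Source-IP only:", ip_matches)
    print("queue IDs matching Source-IP and Source-Port:", port_matches)
```

Once the queue ID is pinned down, the rest of the investigation proceeds from the MTA's own records for that ID, which is the point made in the reply about queue IDs being the more useful handle; the port is what gets you to the right queue ID when several sessions share an address.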