Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
Scott Kitterman <scott@kitterman.com> Wed, 09 May 2012 02:04 UTC
On Tuesday, May 08, 2012 06:23:46 AM Murray S. Kucherawy wrote:
> > -----Original Message-----
> > From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of
> > Scott Kitterman Sent: Monday, May 07, 2012 10:49 PM
> > To: ietf@ietf.org
> > Subject: RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source
> > Ports in ARF Reports) to Proposed Standard
> >
> > >If all one is doing is figuring out why something like a DKIM signature
> > >failed on an otherwise legitimate message, then I agree the source port
> > >isn't a useful input to that work. In fact, as far as DKIM goes, the
> > >source IP address is probably not useful either.
> > >
> > >If, however, one is trying to track down the transmission of fraudulent
> > >email such as phishing attacks, source ports can be used to identify
> > >the perpetrator more precisely when compared to logs. Support for this
> > >latter use case is why I believe RECOMMENDED is appropriate.
> > >
> >
> > Which is exactly the case (abuse report) the second to last paragraph
> > takes care of. I agree RECOMMENDED is appropriate there and you have
> > it there.
> >
> > For auth failure analysis I read you as agreeing it's not needed.
> > There are some authorization methods that use IP address, so I don't
> > think that for auth failure reports inclusion of IP address and source
> > port are comparable.
> >
> > Based on your response, I don't understand your objection to dropping
> > the RECOMMENDS for auth failure reports and keeping it for abuse
> > reports?
>
> I don't think it's possible for software to identify correctly a case of an
> accidental authentication failure versus detected fraud. If it were, then
> I'd agree that for the simple authentication failure case the source port
> isn't useful.

Then why did we bother with a separate type of report for authentication
failure? Presumably we believe systems can have criteria for "I'm sending this
because the message is abusive" versus "I'm sending this because it failed
$authentication_type".

> In the absence of that capability, isn't it better to give the investigating
> user as much information as possible to use in correlation of logs and
> such?

Personally, in the forensic work I've done I've found things like mail queue
IDs a lot more important than source port. There is lots of information that
would be useful for an investigation. On this basis, I could see MAY include
source port on auth failure reports, but I think making it RECOMMENDED on the
basis of it may be useful is justified.

Scott K
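The log correlation discussed in this thread, as an added example that is not part of the original message or of the draft: it matches the Source-IP, Source-Port and Arrival-Date fields of an ARF report against a translation log at the sending network and shows how many internal hosts remain candidates with and without the port. The NAT log format, the addresses, the 30-second window and the function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed machine-readable part of an ARF report.
ARF_PART = """\
Feedback-Type: abuse
Version: 1
Source-IP: 192.0.2.10
Source-Port: 40211
Arrival-Date: Tue, 08 May 2012 19:04:45 -0700
"""

# Constructed NAT log (hypothetical format): time, inside addr -> outside addr.
NAT_LOG = """\
2012-05-08T19:04:41-07:00 10.0.0.21:51000 -> 192.0.2.10:40198
2012-05-08T19:04:44-07:00 10.0.0.37:49152 -> 192.0.2.10:40211
2012-05-08T19:04:46-07:00 10.0.0.58:50211 -> 192.0.2.10:40305
2012-05-08T18:40:00-07:00 10.0.0.90:50000 -> 192.0.2.10:40211
"""

def parse_report(text):
    """Extract the correlation keys; Source-Port may be absent."""
    h = HeaderParser().parsestr(text)
    port = h.get("Source-Port")
    return {"ip": h["Source-IP"],
            "port": int(port) if port else None,
            "arrival": parsedate_to_datetime(h["Arrival-Date"])}

def candidates(report, log_text, window=timedelta(seconds=30)):
    """Inside hosts whose translation matches the report within the window."""
    hits = []
    for line in log_text.splitlines():
        ts, inside, _, outside = line.split()
        ext_ip, ext_port = outside.rsplit(":", 1)
        if ext_ip != report["ip"]:
            continue
        if abs(datetime.fromisoformat(ts) - report["arrival"]) > window:
            continue  # same port reused at another time is not a match
        if report["port"] is not None and int(ext_port) != report["port"]:
            continue
        hits.append(inside.rsplit(":", 1)[0])
    return hits

if __name__ == "__main__":
    print(candidates(parse_report(ARF_PART), NAT_LOG))
```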