IETF Logo Mail Archive

Re: [marf] I-D Action: draft-ietf-marf-dkim-reporting-08, was -07

Alessandro Vesely <vesely@tana.it> Thu, 02 February 2012 12:16 UTC

Return-Path: <vesely@tana.it>
X-Original-To: marf@ietfa.amsl.com
Delivered-To: marf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2F9A21F8AB5 for <marf@ietfa.amsl.com>; Thu, 2 Feb 2012 04:16:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.633
X-Spam-Level:
X-Spam-Status: No, score=-4.633 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TuE3sO-O5Sao for <marf@ietfa.amsl.com>; Thu, 2 Feb 2012 04:16:25 -0800 (PST)
Received: from wmail.tana.it (www.tana.it [62.94.243.226]) by ietfa.amsl.com (Postfix) with ESMTP id 7675D21F8AB4 for <marf@ietf.org>; Thu, 2 Feb 2012 04:16:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=test; t=1328184984; bh=kB5/oIECBx5PeuKKYpv+t3DpeQl4rGXE6qX0nBIB2JM=; l=6178; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To: Content-Transfer-Encoding; b=cWtCbvuB6gzLZyGgBxzbmc9qjxXS5KK87UzQ1apdgXhrTOQJWr4XLraxRGUD0eDA+ faeAUSIdJzmj8oNee1wSIF4KCi72VIdha7o9deobVrrgzjKInJSNo6qHJdkoQj+vHC uedY+8jhFaVM648exMJsyGWx4/AIYYUYqtbEvO1Y=
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 515, TLS: TLS1.0,256bits,RSA_AES_256_CBC_SHA1) by wmail.tana.it with ESMTPSA; Thu, 02 Feb 2012 13:16:24 +0100 id 00000000005DC039.000000004F2A7E98.000004DD
Message-ID: <4F2A7E8F.9010901@tana.it>
Date: Thu, 02 Feb 2012 13:16:15 +0100
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: marf@ietf.org
References: <20120130193649.24837.53481.idtracker@ietfa.amsl.com> <F5833273385BB34F99288B3648C4F06F19C9A7DA70@EXCH-C2.corp.cloudmark.com> <4F283C32.7070206@tana.it> <F5833273385BB34F99288B3648C4F06F19C9A7DAB9@EXCH-C2.corp.cloudmark.com> <4F291852.8020807@tana.it> <F5833273385BB34F99288B3648C4F06F19C9A7DAF4@EXCH-C2.corp.cloudmark.com>
In-Reply-To: <F5833273385BB34F99288B3648C4F06F19C9A7DAF4@EXCH-C2.corp.cloudmark.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [marf] I-D Action: draft-ietf-marf-dkim-reporting-08, was -07
X-BeenThere: marf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Message Abuse Report Format working group discussion list <marf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/marf>, <mailto:marf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/marf>
List-Post: <mailto:marf@ietf.org>
List-Help: <mailto:marf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/marf>, <mailto:marf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2012 12:16:26 -0000

On 01/Feb/12 19:41, Murray S. Kucherawy wrote:
>> From: ietf.org On Behalf Of Alessandro Vesely
>
>>>> 8.5. *Automatic Generation*
>>>
>>> What this section is trying to say is that people should not implement
>>> systems that do this kind of reporting work by default.
>>
>> (I understand "reporting of message authentication failures in an
>> on-demand fashion" as I-set-record=you-send-report.)
> 
> I don't agree.  The I-D is meant to present the mechanisms for
> requesting and providing these reports.  That is, "If you're going
> to do this, here's how we think you should go about it."  There are
> some obvious concerns with doing so across-the-board without any
> checking or thought to it, though one certainly could do that.

What's that "could"?!  There's nothing I can conceivably do besides
setting the RR properly.  If that is not enough for getting reports
from whoever will happen to get a broken signature, then this I-D is
completely useless --I can well receive occasional failure notices
from friends based on authfailure-report only.

Differently from abuse reports, authentication failures may affect
personal messages and confidential content.  Concern over divulging
that is due.  If I were to report to unknown people, I would probably
want to redact most header fields and omit the body.

> It seems very appropriate to me to call that out in Security 
> Considerations.

Yes.

>> This I-D is not specifying blind-to- witting transitions, and I'm
>> not suggesting it should, but maybe it can still suggest some
>> details of such activity.
> 
> I think to do so we would wander into the realm of speculation, not
> specification.

Let me describe a possible case, just to make sure we're talking about
the same thing:

Alice writes to Bob, DKIM-Signature breaks, ISP-B (Bob's ISP) start
reporting to ISP-A.  ISP-A receive the first reports, check that they
are good and confirm, possibly on
http://postmaster.ISP-B.example/acknowledge?key=ISP-A_beenhere, that
they would like to continue receiving them.  That doesn't lower the
amount of redaction applied to reports.  Yet, ISP-A can collect
reports and form a statistic picture of how their configuration goes.
 Useful work already, isn't it?

After some months, ISP-A write to ISP-B to arrange for a debugging
session:

   Hi ISP-B,

    I have some statistical evidence that messages from our user Alice
   to your user Bob tend to break much more often than normal.  Would
   it be possible to check that more closely?  Alice says she can
   resend the messages listed below (see attachment).  Bob agrees, but
   please check his consent for your records.

   Regards
    ISP-A
   ---
   (attachment omitted)

ISP-B answer affirmatively and manually forward unredacted reports of
the relevant failures to ISP-A.  ISP-A find the bug and they lived
happily ever after.

> I don't think that's a good idea for something that's asking for
> Proposed Standard status as a protocol document.

The idea is just to note that there are data items about ISP-A, such
as acknowledgment, contacts, responsiveness, and involvement, that is
worth being stored on a per-domain database.  We don't need to say
that such data may turn out to be useful for looking into spam
(reporting) issues, as that is indeed speculation.

>>>> 8.6. *Reporting Multiple Incidents*
>>>>
>>>> To suspend report generation for some time after an RCPT rejection of
>>>> the reporting address
>>>
>>> It's just a suggestion for handling large volumes of reports.
>> 
>> Yes, such specification should belong to some other I-D (reporting-
>> discovery? :-)
> 
> If we're going to talk about handling of large report volumes,
> given our current document set, the AS is the right place to do it.
> If you think that's important, now's the time to make such a
> proposal, before WGLC closes.

Both dkim-reporting and spf-reporting have a section on "Envelope
Sender Selection".  Reporting-discovery would need one too.  The
question of flow control (see below) is a related problem, also common
to all those specs.  I agree it is good to factor them.

Are you saying the AS is the right place for both flow control and
loop avoidance?

What do everybody else think?

>> While [temporary failure] may be semantically correct, there is
>> the practical problem that 4xx reply codes are not reported
>> timely.  It is necessary to query the mail queue in order to know
>> whether there are outstanding temporary failures.  In case the
>> boundary box where the report generator lives does not send mail
>> out directly, it is not practical to determine that condition.
>> 
>> On the other hand, 5xx reply codes should cause the current
>> message to be discarded.  On resuming reporting, new reports are
>> transmitted, rather than the queued flood initiators.  However,
>> in order to ensure immediate notification of rejections in all
>> cases, one would have to use purposely configured variable
>> envelope senders.
>> 
>> What do you think?
> 
> I think if the advice that's been added about observing the
> behavior of the report recipient as input to a throttling mechanism
> is actually impractical, we should remove it rather than expanding
> on it and complicating the document further.  We risk confusing the
> reader.

Hm...  I don't think that a non-empty envelope sender may cause
reporting loops, as reporting does not actually use it.  Hence, we
could use it for flow control.

For some unsorted details, we may recommend 552 after RCPT for
momentarily stop reporting, but had better not rely on it.  Rather, I
propose we encourage getting acknowledgments and recording them along
with per-domain reporting history.  Report generators should use VERP,
and suspend reporting to rejecting domains for an amount of time
inversely proportional to the confidence, e.g.:

  0.5T      for an acknowledged domain,
  T         for a first-time first-failure,
  2T,
  4T,
  ... ,
  one year  for dorks.

where T is the TTL of the relevant _report's RR if retrieved with the
AA flag, or some other time constant either agreed with the domain or
set by default.

v2.23.0 | Report a Bug | By Email