Re: [marf] Including Mail fields in IODEF
"Murray S. Kucherawy" <superuser@gmail.com> Mon, 04 March 2013 03:46 UTC
Date: Sun, 03 Mar 2013 19:46:26 -0800
Message-ID: <CAL0qLwaE1pS98kq8XSETMk-kKvCWZnErP3RdKO3CRa5jOXtTnw@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Cc: "mile@ietf.org" <mile@ietf.org>, "marf@ietf.org" <marf@ietf.org>
Subject: Re: [marf] Including Mail fields in IODEF
Hi Panos,

The "feedback-type" would be part of the ArfHeader object, I would imagine. It appears immediately before the portion of the example you cited.

This might also be a viable way to add ARF capability to IODEF, though I don't think that was the original problem statement (which was only to include DKIM and SPF details).

At any rate, I don't think you're reading it wrong.

-MSK

On Sun, Mar 3, 2013 at 2:37 PM, Panos Kampanakis (pkampana) <pkampana@cisco.com> wrote:

> Thank you Murray.
>
> The
>
> "<arf:EmailMessage>
> Received: from mailserver.example.net
> (mailserver.example.net [192.0.2.1])
> by example.com with ESMTP id M63d4137594e46;
> Thu, 08 Mar 2005 14:00:00 -0400
> From: <somespammer@example.net>
> To: <Undisclosed Recipients>
> Subject: Earn money
> MIME-Version: 1.0
> Content-type: text/plain
> Message-ID: 8787KJKJ3K4J3K4J3K4J3.mail@example.net
> Date: Thu, 02 Sep 2004 12:31:03 -0500
>
> Spam Spam Spam
> Spam Spam Spam
> Spam Spam Spam
> Spam Spam Spam
> </arf:EmailMessage>"
>
> that I see in http://bgp.potaroo.net/ietf/all-ids/draft-vesely-mile-mail-abuse-00.txt looks like just an email message. I don't see "feedback-type" or other ARF fields, for example, that would make it an ARF.
>
> draft-vesely-mile-mail-abuse-00.txt seems to define a header and then have the option for the actual message (EmailMessage). Am I reading it wrong?
>
> Panos
>
> From: Murray S. Kucherawy [mailto:superuser@gmail.com]
> Sent: Sunday, March 03, 2013 4:10 AM
> To: Panos Kampanakis (pkampana)
> Cc: Moriarty, Kathleen; mile@ietf.org; marf@ietf.org
> Subject: Re: [marf] Including Mail fields in IODEF
>
> The issue with MARF inside IODEF is that the receiver needs to know that the payload being provided inside an EmailMessage element is itself an ARF report, and not the message that caused the report in the first place. You certainly could crack open the EmailMessage content and see if it conforms to the ARF specification to tell which kind of report you've gotten, but that seems inelegant.
>
> I suppose then another option is an extension element that indicates you've received an ARF payload rather than the actual offending message.
>
> Also of note: An ARF can contain the offending message or only the offending message's header, and still be compliant. If your application needs the whole message, you'll have to add some additional stipulations someplace.
>
> -MSK
>
> On Fri, Mar 1, 2013 at 1:52 PM, Panos Kampanakis (pkampana) <pkampana@cisco.com> wrote:
>
> I think MARF provides more functionality and should be leveraged for emails in IODEF.
> I also think we need to resurrect http://tools.ietf.org/html/draft-vesely-mile-mail-abuse-00 within MILE since MARF was concluded.
> Panos
>
> -----Original Message-----
> From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of Moriarty, Kathleen
> Sent: Thursday, February 21, 2013 5:19 AM
> To: mile@ietf.org; marf@ietf.org
> Subject: [mile] Including Mail fields in IODEF
>
> Hello,
>
> Cross posting with MAIL and MARF -
>
> In MILE related work, I have come across use cases that would like to include DKIM and SPF information in addition to specific mail fields (like the ones Chris lists below). We would like some help to figure out the best approach. Should we embed ARF and MARF RFC extensions to accommodate this need or should we look at updating RFC5901? Both take the approach of including an email message as opposed to using XML to tag each field and allow for this in the data model (in my opinion, that is fine and reduces bloat, but there may be other opinions).
>
> There was a draft published last year (link included below) that includes MARF in an IODEF extension.
>
> Thanks,
> Kathleen
> ________________________________________
> From: Harrington, Christopher
> Sent: Wednesday, February 20, 2013 2:57 PM
> To: Moriarty, Kathleen; mile@ietf.org
> Subject: RE: Mail fields
>
> I'm for the simplest solution as always. These are the indicator types that we routinely share. I would use these as a base:
>
> Email address (denoting if it is to or from)
> Email Subject
> Email attachment name
> Email attachment hash
> X-Mailer (from header)
> Hyperlink in email
>
> It's also very common to share the whole header. Bad guys routinely forge them and put extra header items that can be used as indicators. Although not an indicator, sharing the entire email as an .eml or .msg file is also pretty common.
>
> Thanks,
>
> --Chris
>
> -----Original Message-----
> From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of Moriarty, Kathleen
> Sent: Wednesday, February 20, 2013 2:58 AM
> To: mile@ietf.org
> Subject: [mile] Mail fields
>
> Hi,
>
> In looking at the updated rfc5070bis and coming across some requests for handling certain types of exchanges, I am curious to hear how others think we should handle mail related indicators and incidents. A couple of commonly exchanged fields were added into the Record class. You can still extend out using RFC5901 and include a full mail message, but if you wanted to include DKIM or Sender Policy Framework, you need something else. The IETF group MARF already solved these issues.
>
> MARF uses the email tags rather than XML, and there was a draft that embedded MARF content into IODEF (contains an example); it can be found here:
> http://tools.ietf.org/html/draft-vesely-mile-mail-abuse-00
>
> Since mail is already marked and can be parsed, would this be a better option, to use what MARF has already done to solve the question on how to exchange this data? Other options would be to update RFC5901 or to extend IODEF further. I prefer the use of MARF. It is already in use by mail operators, so there is adoption.
>
> Thanks,
> Kathleen
> _______________________________________________
> mile mailing list
> mile@ietf.org
> https://www.ietf.org/mailman/listinfo/mile
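As an added example (not code from the thread or from any draft it discusses), the "crack open the EmailMessage content" check Murray describes: a Python function that tells an RFC 5965 ARF report from an ordinary message by its MIME structure and returns the Feedback-Type that Panos was looking for, plus whether the optional third part carries the original message. Both sample messages are constructed; the first is modelled on the spam example quoted above.

```python
from email import message_from_string, policy

# Constructed sample modelled on the message quoted in the thread (not ARF).
PLAIN_MESSAGE = """\
From: <somespammer@example.net>
Subject: Earn money
Content-type: text/plain

Spam Spam Spam
"""
# Constructed sample: an RFC 5965 feedback report wrapping that message.
ARF_REPORT = """\
From: <abuse-desk@example.com>
Subject: FW: Earn money
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Abuse report for a message received from 192.0.2.1.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleReporter/1.0
Version: 1

--b1
Content-Type: message/rfc822

""" + PLAIN_MESSAGE + "--b1--\n"


def classify_payload(raw):
    """Is this EmailMessage payload an ARF report (RFC 5965) or an ordinary
    message?  For a report, also return its Feedback-Type and part-3 status."""
    msg = message_from_string(raw, policy=policy.default)
    parts = list(msg.iter_parts())
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "feedback-report"
            or len(parts) < 2 or parts[1].get_content_type() != "message/feedback-report"):
        return {"kind": "message"}
    # The stdlib parses a message/* body as a nested message, so the report's
    # fields (Feedback-Type, User-Agent, Version) are that nested message's headers.
    fields = parts[1].get_payload(0)
    if fields.get("Feedback-Type") is None:
        return {"kind": "message"}  # multipart/report, but not a valid ARF
    # Part 3 is optional and may be the full message or only its header block.
    third = parts[2].get_content_type() if len(parts) > 2 else None
    return {"kind": "arf",
            "feedback_type": str(fields["Feedback-Type"]).strip().lower(),
            "has_original": third in ("message/rfc822", "text/rfc822-headers")}
```

A consumer that needs the whole offending message, as Murray notes, must still check `has_original` rather than assume it, since a report carrying only `text/rfc822-headers` is compliant.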