Re: [marf] Including Mail fields in IODEF
"Moriarty, Kathleen" <kathleen.moriarty@emc.com> Wed, 06 March 2013 04:58 UTC
Return-Path: <kathleen.moriarty@emc.com>
X-Original-To: marf@ietfa.amsl.com
Delivered-To: marf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07D1211E8129; Tue, 5 Mar 2013 20:58:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UuHaC4oZzyJ7; Tue, 5 Mar 2013 20:58:13 -0800 (PST)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 9C3C811E80ED; Tue, 5 Mar 2013 20:58:13 -0800 (PST)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r264w91e008637 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 5 Mar 2013 23:58:10 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd04.lss.emc.com [10.254.222.226]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Tue, 5 Mar 2013 23:57:58 -0500
Received: from mxhub05.corp.emc.com (mxhub05.corp.emc.com [128.222.70.202]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r264vwnk026878; Tue, 5 Mar 2013 23:57:58 -0500
Received: from mx15a.corp.emc.com ([169.254.1.118]) by mxhub05.corp.emc.com ([128.222.70.202]) with mapi; Tue, 5 Mar 2013 23:57:57 -0500
From: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Date: Tue, 05 Mar 2013 23:57:56 -0500
Thread-Topic: [marf] Including Mail fields in IODEF
Thread-Index: Ac4YiuliWLnw6jWnTXaEzQRNpzN0ogBmlGpQ
Message-ID: <F5063677821E3B4F81ACFB7905573F24D796ACC6@MX15A.corp.emc.com>
References: <F5063677821E3B4F81ACFB7905573F24D6253D43@MX15A.corp.emc.com> <B14C10CA81885B4AAE1954F18457F2AB057004DB6D@MX36A.corp.emc.com> <F5063677821E3B4F81ACFB7905573F24D6253D5D@MX15A.corp.emc.com> <1C9F17D1873AFA47A969C4DD98F98A75187684@xmb-rcd-x10.cisco.com> <CAL0qLwZxwkcJi7Ej0fU5s8k-xZ=n_4fa0cvVVF05YtQPc3Ndag@mail.gmail.com> <1C9F17D1873AFA47A969C4DD98F98A75187BDA@xmb-rcd-x10.cisco.com> <CAL0qLwaE1pS98kq8XSETMk-kKvCWZnErP3RdKO3CRa5jOXtTnw@mail.gmail.com>
In-Reply-To: <CAL0qLwaE1pS98kq8XSETMk-kKvCWZnErP3RdKO3CRa5jOXtTnw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_F5063677821E3B4F81ACFB7905573F24D796ACC6MX15Acorpemccom_"
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: "mile@ietf.org" <mile@ietf.org>, "marf@ietf.org" <marf@ietf.org>
Subject: Re: [marf] Including Mail fields in IODEF
X-BeenThere: marf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Message Abuse Report Format working group discussion list <marf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/marf>, <mailto:marf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/marf>
List-Post: <mailto:marf@ietf.org>
List-Help: <mailto:marf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/marf>, <mailto:marf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2013 04:58:19 -0000
Hi Murray, I may not have been clear enough in my first message. I was asking about including ARF to represent any/all mail fields useful in exchanges by including ARF. The option of using RFC5901 with the full mail message would work as well (as you pointed out). If ARF has wider adoption, it may make sense to use existing standards and tools to accomplish the task by embedding ARF in IODEF. The format covers some data type representations not in IODEF, but specific to mail (which makes sense to extend when you get that deep). Thanks, Kathleen From: Murray S. Kucherawy [mailto:superuser@gmail.com] Sent: Sunday, March 03, 2013 10:46 PM To: Panos Kampanakis (pkampana) Cc: Moriarty, Kathleen; mile@ietf.org; marf@ietf.org Subject: Re: [marf] Including Mail fields in IODEF Hi Panos, The "feedback-type" would be part of the ArfHeader object, I would imagine. It appears immediately before the portion of the example you cited. This might also be a viable way to add ARF capability to IODEF, though I don't think that was the original problem statement (which was only to include DKIM and SPF details). At any rate, I don't think you're reading it wrong. -MSK On Sun, Mar 3, 2013 at 2:37 PM, Panos Kampanakis (pkampana) <pkampana@cisco.com<mailto:pkampana@cisco.com>> wrote: Thank you Murray. The "<arf:EmailMessage> Received: from mailserver.example.net<http://mailserver.example.net> (mailserver.example.net<http://mailserver.example.net> [192.0.2.1]) by example.com<http://example.com> with ESMTP id M63d4137594e46; Thu, 08 Mar 2005 14:00:00 -0400 From: <somespammer@example.net<mailto:lt%3Bsomespammer@example.net>> To: <Undisclosed Recipients> Subject: Earn money MIME-Version: 1.0 Content-type: text/plain Message-ID: 8787KJKJ3K4J3K4J3K4J3.mail@example.net<mailto:8787KJKJ3K4J3K4J3K4J3.mail@example.net> Date: Thu, 02 Sep 2004 12:31:03 -0500 Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam </arf:EmailMessage>" that I see in http://bgp.potaroo.net/ietf/all-ids/draft-vesely-mile-mail-abuse-00.txt looks like just an email message. I don't see "feedback-type" or other ARF fields for example that would make it a ARF. draft-vesely-mile-mail-abuse-00.txt seems to define a header and then have the option for the actual message (EmailMessage). Am I reading it wrong? Panos From: Murray S. Kucherawy [mailto:superuser@gmail.com<mailto:superuser@gmail.com>] Sent: Sunday, March 03, 2013 4:10 AM To: Panos Kampanakis (pkampana) Cc: Moriarty, Kathleen; mile@ietf.org<mailto:mile@ietf.org>; marf@ietf.org<mailto:marf@ietf.org> Subject: Re: [marf] Including Mail fields in IODEF The issue with MARF inside IODEF is that the receiver needs to know that the payload being provided inside an EmailMessage element is itself an ARF report, and not the message that caused the report in the first place. You certainly could crack open the EmailMessage content and see if conforms to the ARF specification to tell which kind of report you've gotten, but that seems inelegant. I suppose then another option is an extension element that indicates you've received an ARF payload rather than the actual offending message. Also of note: An ARF can contain the offending message or only the offending message's header, and still be compliant. If your application needs the whole message, you'll have to add some additional stipulations someplace. -MSK On Fri, Mar 1, 2013 at 1:52 PM, Panos Kampanakis (pkampana) <pkampana@cisco.com<mailto:pkampana@cisco.com>> wrote: I think MARF provides more functionality and should be leverage for emails in IODEF. I also think we need to resurrect http://tools.ietf.org/html/draft-vesely-mile-mail-abuse-00 within MILE since MARF was concluded.. Panos -----Original Message----- From: mile-bounces@ietf.org<mailto:mile-bounces@ietf.org> [mailto:mile-bounces@ietf.org<mailto:mile-bounces@ietf.org>] On Behalf Of Moriarty, Kathleen Sent: Thursday, February 21, 2013 5:19 AM To: mile@ietf.org<mailto:mile@ietf.org>; marf@ietf.org<mailto:marf@ietf.org> Subject: [mile] Including Mail fields in IODEF Hello, Cross posting with MAIL and MARF - In MILE related work, I have come across use cases that would like to include DKIM and SPF information in addition to specific mail fields (like the ones Chris lists below). We would like some help to figure out the best approach. Should we embed ARF and MARF RFC extensions to accommodate this need or should we look at updating RFC5901? Both take the approach of including an email message as opposed to using XML to tag each field and allow for this in the data model (in my opinion, that is fine and reduces bloat, but there may be other opinions). There was a draft published last year (link included below) that includes MARF in an IODE extension. Thanks, Kathleen ________________________________________ From: Harrington, Christopher Sent: Wednesday, February 20, 2013 2:57 PM To: Moriarty, Kathleen; mile@ietf.org<mailto:mile@ietf.org> Subject: RE: Mail fields I'm for the simplest solution as always. These are the indicator types that we routinely share. I would use these as a base: Email address (denoting if it is to or from) Email Subject Email attachment name Email attachment hash X-Mailer (from header) Hyperlink in email It's also very common to share the whole header. Bad guys routinely forge them and put extra header items that can be used as indicators. Although not an indicator sharing the entire email as an .eml or .msg file is also pretty common. Thanks, --Chris -----Original Message----- From: mile-bounces@ietf.org<mailto:mile-bounces@ietf.org> [mailto:mile-bounces@ietf.org<mailto:mile-bounces@ietf.org>] On Behalf Of Moriarty, Kathleen Sent: Wednesday, February 20, 2013 2:58 AM To: mile@ietf.org<mailto:mile@ietf.org> Subject: [mile] Mail fields Hi, In looking at the updated rfc5070bis and coming across some requests for handling certain types of exchanges, I am curious to hear how others think we should handle mail related indicators and incidents. A couple of commonly exchanged fields were added into the Record class. You can still extend out using RFC5901 and include a full mail message, but if you wanted to include DKIM or Sender Policy Framework, you need something else. The IETF group MARF already solved these issues. MARF uses the email tags rather than XML and there was a draft that embedded MARF content into IODEF (contains an example), can be found here: http://tools.ietf.org/html/draft-vesely-mile-mail-abuse-00 Since mail is already marked and can be parsed, would this be a better option to use what MARF has already done to solve the question on how to exchange this data? Other options would be to update RFC5901 or to extend IODEF further. I prefer the use of MARF. It is already in use by mail operators, so there is adoption. Thanks, Kathleen _______________________________________________ mile mailing list mile@ietf.org<mailto:mile@ietf.org> https://www.ietf.org/mailman/listinfo/mile _______________________________________________ mile mailing list mile@ietf.org<mailto:mile@ietf.org> https://www.ietf.org/mailman/listinfo/mile _______________________________________________ marf mailing list marf@ietf.org<mailto:marf@ietf.org> https://www.ietf.org/mailman/listinfo/marf
- [marf] Including Mail fields in IODEF Moriarty, Kathleen
- Re: [marf] Including Mail fields in IODEF Shmuel Metz (Seymour J.)
- Re: [marf] Including Mail fields in IODEF Alessandro Vesely
- Re: [marf] Including Mail fields in IODEF Murray S. Kucherawy
- Re: [marf] Including Mail fields in IODEF Panos Kampanakis (pkampana)
- Re: [marf] Including Mail fields in IODEF Murray S. Kucherawy
- Re: [marf] Including Mail fields in IODEF John Levine
- Re: [marf] Including Mail fields in IODEF Panos Kampanakis (pkampana)
- Re: [marf] Including Mail fields in IODEF Murray S. Kucherawy
- Re: [marf] Including Mail fields in IODEF Moriarty, Kathleen