Re: [mile] Mail fields
"Harrington, Christopher" <Christopher.Harrington@emc.com> Wed, 20 February 2013 19:57 UTC
Return-Path: <Christopher.Harrington@emc.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 487C121E8037 for <mile@ietfa.amsl.com>; Wed, 20 Feb 2013 11:57:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.605
X-Spam-Level:
X-Spam-Status: No, score=-0.605 tagged_above=-999 required=5 tests=[AWL=1.994, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUhwAqbFxPY1 for <mile@ietfa.amsl.com>; Wed, 20 Feb 2013 11:57:33 -0800 (PST)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 8CCE921E8030 for <mile@ietf.org>; Wed, 20 Feb 2013 11:57:33 -0800 (PST)
Received: from hop04-l1d11-si03.isus.emc.com (HOP04-L1D11-SI03.isus.emc.com [10.254.111.23]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r1KJvSig011310 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <mile@ietf.org>; Wed, 20 Feb 2013 14:57:31 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd02.lss.emc.com [10.254.221.253]) by hop04-l1d11-si03.isus.emc.com (RSA Interceptor) for <mile@ietf.org>; Wed, 20 Feb 2013 14:57:19 -0500
Received: from mxhub12.corp.emc.com (mxhub12.corp.emc.com [10.254.92.107]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r1KJvHLY009693 for <mile@ietf.org>; Wed, 20 Feb 2013 14:57:18 -0500
Received: from mx36a.corp.emc.com ([169.254.1.8]) by mxhub12.corp.emc.com ([10.254.92.107]) with mapi; Wed, 20 Feb 2013 14:57:16 -0500
From: "Harrington, Christopher" <Christopher.Harrington@emc.com>
To: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>, "mile@ietf.org" <mile@ietf.org>
Date: Wed, 20 Feb 2013 14:57:16 -0500
Thread-Topic: Mail fields
Thread-Index: AQHODz/wwgzXX1a4vku3k5RaTnMVYJiDKKoA
Message-ID: <B14C10CA81885B4AAE1954F18457F2AB057004DB6D@MX36A.corp.emc.com>
References: <F5063677821E3B4F81ACFB7905573F24D6253D43@MX15A.corp.emc.com>
In-Reply-To: <F5063677821E3B4F81ACFB7905573F24D6253D43@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_032D_01CE0F7A.92BA4230"
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: Re: [mile] Mail fields
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mile>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 19:57:34 -0000
I'm for the simplest solution as always. These are the indicator types that we routinely share. I would use these as a base:

- Email address (denoting if it is to or from)
- Email Subject
- Email attachment name
- Email attachment hash
- X-Mailer (from header)
- Hyperlink in email

It's also very common to share the whole header. Bad guys routinely forge them and put extra header items that can be used as indicators.

Although not an indicator, sharing the entire email as an .eml or .msg file is also pretty common.

Thanks,
--Chris

-----Original Message-----
From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of Moriarty, Kathleen
Sent: Wednesday, February 20, 2013 2:58 AM
To: mile@ietf.org
Subject: [mile] Mail fields

Hi,

In looking at the updated rfc5070bis and coming across some requests for handling certain types of exchanges, I am curious to hear how others think we should handle mail related indicators and incidents. A couple of commonly exchanged fields were added into the Record class. You can still extend out using RFC5901 and include a full mail message, but if you wanted to include DKIM or Sender Policy Framework, you need something else.

The IETF group MARF already solved these issues. MARF uses the email tags rather than XML, and there was a draft that embedded MARF content into IODEF (it contains an example); it can be found here:

http://tools.ietf.org/html/draft-vesely-mile-mail-abuse-00

Since mail is already marked and can be parsed, would this be a better option: to use what MARF has already done to solve the question of how to exchange this data? Other options would be to update RFC5901 or to extend IODEF further.

I prefer the use of MARF. It is already in use by mail operators, so there is adoption.

Thanks,
Kathleen

_______________________________________________
mile mailing list
mile@ietf.org
https://www.ietf.org/mailman/listinfo/mile
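As an added illustration of the indicator set Chris lists above (not code from the thread or from any MILE or MARF draft), the following Python script pulls exactly those fields out of a raw RFC 5322 message using only the standard library: addresses tagged with their direction, the Subject, attachment names with SHA-256 hashes, the X-Mailer header, hyperlinks found in the text bodies, and the complete header list so that any extra or forged header items are preserved for matching. The sample .eml, its `.invalid` domains, the header `X-Custom-Tag` and the attachment bytes are all constructed for the example; a real deployment would read the bytes from a `.eml` file instead of the embedded constant.

```python
import hashlib
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message for the example: every address, domain, header
# value and attachment here is made up and uses the reserved .invalid TLD.
SAMPLE_EML = b"""From: Sender Name <sender@sender.invalid>
To: Target One <one@recipient.invalid>, two@recipient.invalid
Subject: Invoice overdue
X-Mailer: ConstructedMailer 1.0
X-Custom-Tag: forged-extra-header
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review http://portal.recipient.invalid/login before Friday.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Deliberately simple URL matcher: stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_indicators(raw_message: bytes) -> dict:
    """Return the mail indicators listed in the thread as a plain dict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)

    indicators = {
        "addresses": [],                       # {"direction": "from"/"to"/"cc", "address": ...}
        "subject": str(msg["Subject"]) if msg["Subject"] is not None else None,
        "x_mailer": str(msg["X-Mailer"]) if msg["X-Mailer"] is not None else None,
        "attachments": [],                     # {"name": ..., "sha256": ...}
        "urls": [],
        # Full header list, in wire order, so extra/forged items are kept verbatim.
        "headers": [(name, str(value)) for name, value in msg.items()],
    }

    # Email addresses, tagged with the direction they appear in.
    for field in ("From", "To", "Cc"):
        header = msg[field]
        if header is None:
            continue
        for addr in header.addresses:
            indicators["addresses"].append(
                {"direction": field.lower(), "address": addr.addr_spec}
            )

    # Hyperlinks from every non-attachment text part (plain or HTML).
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            indicators["urls"].extend(URL_RE.findall(part.get_content()))

    # Attachment names and SHA-256 hashes of the decoded attachment bytes.
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):              # text attachments decode to str
            data = data.encode("utf-8")
        indicators["attachments"].append(
            {"name": part.get_filename(), "sha256": hashlib.sha256(data).hexdigest()}
        )

    return indicators


if __name__ == "__main__":
    # Replace SAMPLE_EML with open("message.eml", "rb").read() for a real file.
    result = extract_indicators(SAMPLE_EML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The direction tag on each address and the verbatim header list are the two details that matter when the output is later mapped into a structured exchange format: the former is what "denoting if it is to or from" asks for, and the latter keeps the non-standard headers that the reply notes are often the most useful indicators.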