Re: [Rucus] ARF BoF: no SIP?

"Dan Wing" <dwing@cisco.com> Sun, 20 September 2009 15:51 UTC

From: Dan Wing <dwing@cisco.com>
To: 'John Levine' <johnl@taugh.com>, rucus@ietf.org
Date: Sun, 20 Sep 2009 08:52:38 -0700
List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" <rucus.ietf.org>

> >Interesting that while they list SSH, FTP, and "web server" 
> >attacks as possible extensions, SIP isn't listed.
> 
> I'll throw it into the pot.
> 
> Although there are people who wish it were otherwise, the current ARF
> format is tightly tied to reporting metadata about an individual
> e-mail message, and that's not likely to change.
> 
> There's interest in a more general abuse report, but I have not yet
> succeeded in getting people to explain why, other than a dislike of
> XML, we wouldn't just be doing a rerun of INCH.

Dunno.  I'm not familiar with INCH and currently not connected to
the Internet to figure out what it is.

My only thought is that if ARF is going to be extended to cover
things like SSH and FTP attacks, it should also cover SIP and
(to Peter's point) XMPP.

SIP and XMPP are much more similar to email than ssh is, as well
(From/To headers and suchlike), which may make extending ARF
to cover SIP/XMPP easier than the complications of extending ARF to
report abuse of a service such as ssh.

-d


> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The 
> Internet for Dummies",
> Information Superhighwayman wanna-be, 
> http://www.johnlevine.com, ex-Mayor
> "More Wiener schnitzel, please", said Tom, revealingly.