[Asrg] Meta channel, not bounces
Rich Kulawiec
rsk at gsp.org
Fri Jan 23 06:02:15 PST 2009

On Thu, Jan 15, 2009 at 06:39:54PM -0500, Seth wrote:
> It would be better to create a new protocol for the ARF responses
> (even if it's just email on a new port, though I'd include some
> extensions to allow for "Report of virus emitter on <IP>" "I already
> know" "QUIT")

This is a good point (as are others you made, which I've elided).
But I'll argue that before we set about the difficult work of inventing
and implementing another protocol, we should use the ones we have.

SMTP rejects of malware-laden mail messages are one way of signalling
emitters that they have a problem, without allowing the problem to cause
the external system to generate more outbound traffic. Should we be
doing HTTP rejects? FTP rejects? And so on?

And if we do, what are the benefits and risks? Can we make the FP rate
low enough that we don't end up creating a secondary problem that's worse
than the one we're trying to solve? Can we avoid attempts to game the system
and thus conduct DoS-by-proxy attacks? And so on.

---Rsk