"Murray S. Kucherawy" <msk@xxxxxxxxxxxxx> wrote: >> -----Original Message----- >> From: ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On Behalf >Of Scott Kitterman >> Sent: Monday, May 07, 2012 3:35 PM >> To: ietf@xxxxxxxx >> Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> >(Source Ports in ARF Reports) to Proposed Standard >> >> My suggestion would be to change the last part of section three to >> read: >> >> When any authentication failure report [AUTHFAILURE-REPORT] is >generated >> that includes the "Source-IP" reporting field (see Section 3.1 of >> [AUTHFAILURE-REPORT]]), this field MAY also be included. >> >> Other than that, I think it's ready to go. > >If all one is doing is figuring out why something like a DKIM signature >failed on an otherwise legitimate message, then I agree the source port >isn't a useful input to that work. In fact, as far as DKIM goes, the >source IP address is probably not useful either. > >If, however, one is trying to track down the transmission of fraudulent >email such as phishing attacks, source ports can be used to identify >the perpetrator more precisely when compared to logs. Support for this >latter use case is why I believe RECOMMENDED is appropriate. Which is exactly the case (abuse report) the second to last paragraph takes care of. I agree RECOMMENDED is appropriate there and you have it there. For auth failure analysis I read you as agreeing it's not needed. There are some authorization methods that use IP address, so I don't think that for auth failure reports inclusion of IP address and source port are comparable. Based on your response, I don't understand your objection to dropping the RECOMMENDS for auth failure reports and keeping it for abuse reports?