> -----Original Message----- > From: ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Scott Kitterman > Sent: Tuesday, May 08, 2012 7:05 PM > To: ietf@xxxxxxxx > Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> > (Source Ports in ARF Reports) to Proposed Standard > > > In the absence of that capability, isn't it better to give the > > investigating user as much information as possible to use in > > correlation of logs and such? > > Personally, in the forensic work I've done I've found things like mail > queue IDs a lot more important than source port. There is lots of > information that would be useful for an investigation. On this basis, > I could see MAY include source port on auth failure reports, but I > think making it RECOMMENDED on the basis of it may be useful is > justified. If a spam bot connects to your MTA and sends a message in, the only queue ID you have is the one your own MTA generated. How will that be useful tracing the spam back to the very machine that generated it? RFC6302 talks about why this is important a lot more than this document does. -MSK