marf | K. Li |
Internet-Draft | B. Leiba |
Intended status: Standards Track | Huawei Technologies |
Expires: February 13, 2012 | August 12, 2011 |
Email Feedback Report Type Value : not-spam
draft-ietf-marf-not-spam-feedback-01
This document defines a new Abuse Reporting Format (ARF) feedback report type value: "not-spam". It can be used to report a message that was mistakenly marked as spam.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 13, 2012.
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
In RFC 5965 [RFC5965], an Abuse Reporting Format (ARF) is defined for reporting email abuse. Currently two feedback report types are defined that are related to the spam problem, and that can be used to report abusive or fraudulent email messages:
This specification defines a new feedback report type: "not-spam". It can be used to report a message that was mistakenly marked as spam.
In some cases, the email client receives an email message that was incorrectly tagged as spam, perhaps by the email system, or accidentally by the user. The email client accepts the end user's "not-spam" report instruction, retrieves information related to the message, and reports this email as not-spam to the email operator. When the email operator receives the report, it can determine what action is appropriate for the particular message and user. (The requirement for a not-spam report type is from the Open Mobile Alliance (OMA) Spam Report Requirement Document [OMA-SpamRep-RD].)
For example, in response to a "not-spam" report the email system can remove the spam tag or otherwise reclassify the message, possibly preventing future similar email for this user from being marked as spam. The report can be used to adjust the training of an automated classifier. After processing the report, the email operator might send a notification to the email client about the processing result (for example, by moving the message from one mailbox to another, such as from "Junk" to "Inbox").
In most cases, "not-spam" reports will probably not be taken on their own, but will be considered along with other information, analysis of the message, etc. Because different users have different needs and different views of what constitutes spam, reports from one user might or might not be applicable to others. And because users might sometimes press a "report not spam" button accidentally, immediate strong action, such as marking all similar messages as "good" based on a single report, is probably not the right approach. Recipients of "not-spam" reports need to consider what's right in their environments.
There are anti-spam systems that use "not spam" feedback today. All of them take the reports and mix them with other spam reports and other data, using their own algorithms, to determine appropriate action. In no case do the existing systems use a "not spam" report as an immediate, automatic override.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. These terms take their normative values only when presented in UPPER CASE.
This document only defines a new feedback report type, "not-spam", extending the Email Feedback Reports specification [RFC5965].
In the first MIME part of the feedback report message, the end user or the email client MAY add information to indicate why the message is not spam -- for example, because the originator or its domain is well known.
In the example, Joe, a pharmaceuticals sales representative, has received a message about discount pharmaceuticals. Because that is a frequent subject of spam email, the message has been marked as spam -- incorrectly, in this case. Joe has reported it as "not-spam", and this is an example of the report.
Note that the message is DKIM-signed [I-D.ietf-dkim-rfc4871bis], a good security practice as suggested in RFC 5965 section 8.2 [RFC5965].
DKIM-Signature: v=1; a=rsa-sha256; s=abuse; d=example.com; c=simple/simple; q=dns/txt; i=abusedesk@example.com; h=From:Date:Subject:To:Message-ID:MIME-Version:Content-Type; bh=iF4dMNYs/KepE0HuwfukJCDyjkduUzZFiaHqO9DMIPU=; b=e+BF8DCHFGqCp7/pExleNz7pVaLEoT+uWj/8H9DoZpxFI1vNnCTDu14w5v ze4mqJkldudVI0JspsYHTYeomhPklCV4F95GfwpM5W+ziUOv7AySTfygPW EerczqZwAK88//oaYCFXq3XV9T/z+zlLp3rrirKGmCMCPPcbdSGv/Eg= From: <abusedesk@example.com> Date: Thu, 8 Mar 2005 17:40:36 EDT Subject: FW: Discount on pharmaceuticals To: <abuse@example.net> Message-ID: <20030712040037.46341.5F8J@example.com> MIME-Version: 1.0 Content-Type: multipart/report; report-type=feedback-report; boundary="part1_13d.2e68ed54_boundary" --part1_13d.2e68ed54_boundary Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit This is an email abuse report for an email message received from IP 192.0.2.1 on Thu, 8 Mar 2005 14:00:00 EDT. For more information about this format please see http://www.mipassoc.org/arf/. Comment: I sell pharmaceuticals, so this is not spam for me. --part1_13d.2e68ed54_boundary Content-Type: message/feedback-report Feedback-Type: not-spam User-Agent: SomeGenerator/1.0 Version: 1 --part1_13d.2e68ed54_boundary Content-Type: message/rfc822 Content-Disposition: inline Received: from mailserver.example.net (mailserver.example.net [192.0.2.1]) by example.com with ESMTP id M63d4137594e46; Thu, 08 Mar 2005 14:00:00 -0400 From: <someone@example.net> To: <Undisclosed Recipients> Subject: Discount on pharmaceuticals MIME-Version: 1.0 Content-type: text/plain Message-ID: 8787KJKJ3K4J3K4J3K4J3.mail@example.net Date: Thu, 02 Sep 2004 12:31:03 -0500 Hi, Joe. I got a lead on a source for discounts on pharmaceuticals, and I thought you might be interested. [...etc...] --part1_13d.2e68ed54_boundary-- Example 1: Not-spam report
All of the Security Considerations from the Email Feedback Reports specification [RFC5965] are inherited here.
Not-spam reports could possibly be used in an attack on a filtering system, reporting true spam as "not-spam". Even in absence of malice, some not-spam reports might be made in error, or will only apply to the user sending the report. Operators need to be careful in trusting such reports, beyond their applicability to the specific user in question.
Registration is requested for the newly defined feedback type name: "not-spam", according to the instructions in section 7.3 of the base specification [RFC5965].
Please add the following to the "Feedback Report Type Values" registry:
The authors would like thank Murray S. Kucherawy and Bert Greevenbosch for their discussion and review, and J.D. Falk for suggesting some explanatory text.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC5965] | Shafranovich, Y., Levine, J. and M. Kucherawy, "An Extensible Format for Email Feedback Reports", RFC 5965, August 2010. |
[OMA-SpamRep-RD] | Open Mobile Alliance, "Mobile Spam Reporting Requirements", OMA-RD-SpamRep-V1_0 20101123-C, November 2010. |
[I-D.ietf-dkim-rfc4871bis] | Crocker, D, Hansen, T and M Kucherawy, "DomainKeys Identified Mail (DKIM) Signatures", Internet-Draft draft-ietf-dkim-rfc4871bis-15, July 2011. |