Last Call Review of draft-jdfalk-maawg-cfblbcp-
review-jdfalk-maawg-cfblbcp-secdir-lc-harkins-2011-10-28-00

  Hi,

  I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

  This draft codifies some best practices, developed over the past several
years, involving a "complaint feedback loop" to deal with abusive or
unwanted email, i.e. spam.

  It is full of lots of motherhood-and-apple-pie statements like this,
"The decision to provide a Complaint Feedback Loop service should not be
taken lightly. The benefits of a Feedback Loop are great, but success
depends on a sound plan, organized implementation, and dedication to
upkeep." Indeed. There doesn't seem to be a whole lot of behavior that
requires standardization. As a BCP-type of RFC this seems OK, though.

  The security considerations consist of a single line that refers
readers to 3 other sections of the draft, none of which it appears to
me deal with security. I would suggest a rewording of this to make the
section broadly address the security implications of implementing,
joining, or contributing to a "complaint feedback loop". Maybe also
have a little something about countermeasures or dealing with spammers
trying to game the system.

  regards,

  Dan.