Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft codifies some best practices, developed over the past several years, involving a "complaint feedback loop" to deal with abusive or unwanted email, i.e. spam. It is full of lots of motherhood-and-apple-pie statements like this, "The decision to provide a Complaint Feedback Loop service should not be taken lightly. The benefits of a Feedback Loop are great, but success depends on a sound plan, organized implementation, and dedication to upkeep." Indeed. There doesn't seem to be a whole lot of behavior that requires standardization. As a BCP-type of RFC this seems OK, though.

The security considerations consist of a single line that refers readers to 3 other sections of the draft, none of which it appears to me deal with security. I would suggest a rewording of this to make the section broadly address the security implications of implementing, joining, or contributing to a "complaint feedback loop". Maybe also have a little something about countermeasures or dealing with spammers trying to game the system.

regards,

Dan.