> On 02.03.18 10:12, Leandro wrote:
>
>> If the spammer uses the same domain at rDNS, when rotating IPs, our system
>> will list each new IP at first DNSBL query.
>
> do you verify synthetic rDNS too? when do you blacklist whole /64 ?
>
> I mean: there's 2^64 (18446744073709551616) IPv6 addresses in /64 range and
> there's 2^64 (18446744073709551616) of /64 IPv6 ranges in the IPv6
> namespace.

No. Our system lists a /64 for some cases, but does not check each rDNS. It just needs a sample large enough to list the entire /64.

> blacklisting either is not in possibilities of present systems.
> I'm curious whether you have any plan what to do when someone starts
> abusing IPv6 space and how does the plan look like.

Our system uses a CIDR oriented database. This means that the system can cluster all IPv6 addresses into a minimal equivalent CIDR list. Example:

    show() => []
    add("2001:db8::0") => ADDED
    show() => ["2001:db8::/128"]
    add("2001:db8::1") => JOINED
    show() => ["2001:db8::/127"]
    add("2001:db8::2") => ADDED
    show() => ["2001:db8::/127", "2001:db8::2/128"]
    add("2001:db8::3") => JOINED
    show() => ["2001:db8::/126"]
    listed("2001:db8::1") => TRUE
    listed("2001:db8::4") => FALSE
    overlap("2001:db8::0/64") => OVERLAPPED
    show() => ["2001:db8::/64"]
    remove("2001:db8::7fff") => EXTRACTED
    show() => ["2001:db8::/114", "2001:db8::4000/115", "2001:db8::6000/116",
      "2001:db8::7000/117", "2001:db8::7800/118", "2001:db8::7c00/119",
      "2001:db8::7e00/120", "2001:db8::7f00/121", "2001:db8::7f80/122",
      "2001:db8::7fc0/123", "2001:db8::7fe0/124", "2001:db8::7ff0/125",
      "2001:db8::7ff8/126", "2001:db8::7ffc/127", "2001:db8::7ffe/128",
      "2001:db8::8000/113", "2001:db8::1000:0/100", "2001:db8::100:0/104",
      "2001:db8::10:0/108", "2001:db8::1:0/112", "2001:db8::2000:0/99",
      "2001:db8::200:0/103", "2001:db8::20:0/107", "2001:db8::2:0/111",
      "2001:db8::4000:0/98", "2001:db8::400:0/102", "2001:db8::40:0/106",
      "2001:db8::4:0/110", "2001:db8::8000:0/97", "2001:db8::800:0/101",
      "2001:db8::80:0/105", "2001:db8::8:0/109", "2001:db8::1000:0:0/84",
      "2001:db8::100:0:0/88", "2001:db8::10:0:0/92", "2001:db8::1:0:0/96",
      "2001:db8::2000:0:0/83", "2001:db8::200:0:0/87", "2001:db8::20:0:0/91",
      "2001:db8::2:0:0/95", "2001:db8::4000:0:0/82", "2001:db8:0:0:0:400:0:0/86",
      "2001:db8::40:0:0/90", "2001:db8::4:0:0/94", "2001:db8::8000:0:0/81",
      "2001:db8::800:0:0/85", "2001:db8::80:0:0/89", "2001:db8::8:0:0/93",
      "2001:db8::1000:0:0:0/68", "2001:db8::100:0:0:0/72", "2001:db8::10:0:0:0/76",
      "2001:db8::1:0:0:0/80", "2001:db8::2000:0:0:0/67", "2001:db8::200:0:0:0/71",
      "2001:db8::20:0:0:0/75", "2001:db8::2:0:0:0/79", "2001:db8::4000:0:0:0/66",
      "2001:db8::400:0:0:0/70", "2001:db8::40:0:0:0/74", "2001:db8::4:0:0:0/78",
      "2001:db8::8000:0:0:0/65", "2001:db8::800:0:0:0/69", "2001:db8::80:0:0:0/73",
      "2001:db8::8:0:0:0/77"]
    add("2001:db8::7fff") => JOINED
    show() => ["2001:db8::/64"]

This solution helps to minimize this type of abuse.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> There's a long-standing bug relating to the x86 architecture that
> allows you to install Windows. -- Matthew D. Fuller
>
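
The clustering session shown in the message above can be reproduced with Python's standard ipaddress module. This is an added example, not the list operator's code and not part of the original message: the class name CidrSet and the EXISTENT and NOT_LISTED statuses are assumptions, and the separate overlap() call from the message is folded into add() here.

```python
import ipaddress

class CidrSet:
    """Set of IPv6 networks kept as a minimal list of CIDR blocks."""

    def __init__(self):
        self.nets = set()

    def show(self):
        return [str(n) for n in sorted(self.nets)]

    def _covering(self, net):
        # The stored block that already contains net, or None.
        return next((n for n in self.nets if net.subnet_of(n)), None)

    def listed(self, addr):
        return self._covering(ipaddress.IPv6Network(addr)) is not None

    def add(self, cidr):
        net = ipaddress.IPv6Network(cidr)
        if self._covering(net) is not None:
            return "EXISTENT"  # assumed status name, not shown in the message
        # Drop smaller blocks that the new block swallows.
        covered = {n for n in self.nets if n.subnet_of(net)}
        self.nets -= covered
        joined = False
        # Merge with the sibling half for as long as it is also listed.
        while net.prefixlen > 0:
            parent = net.supernet()
            sibling = next(s for s in parent.subnets() if s != net)
            if sibling not in self.nets:
                break
            self.nets.remove(sibling)
            net, joined = parent, True
        self.nets.add(net)
        return "OVERLAPPED" if covered else "JOINED" if joined else "ADDED"

    def remove(self, addr):
        host = ipaddress.IPv6Network(addr)
        block = self._covering(host)
        if block is None:
            return "NOT_LISTED"  # assumed status name, not shown in the message
        self.nets.remove(block)
        # For a single address, address_exclude yields one block per prefix
        # length between the listed block and /128.
        self.nets.update(block.address_exclude(host))
        return "EXTRACTED"
```

Removing one address from a listed /64 costs 64 entries, which is why the message's show() output grows so sharply after remove(); re-adding the address collapses them back into a single block.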