>
> On 02.03.18 10:12, Leandro wrote:
>
>> If the spammer uses the same domain at rDNS, when rotating IPs, our system
>> will list each new IP at first DNSBL query.
>>
>
> Do you verify synthetic rDNS too? When do you blacklist a whole /64?
>
> I mean: there are 2^64 (18446744073709551616) IPv6 addresses in a /64 range and
> there are 2^64 (18446744073709551616) /64 IPv6 ranges in the IPv6
> namespace.
>


No. Our system lists a /64 in some cases, but it does not check each rDNS.
It just needs a sample large enough to list the entire /64.



>
> Blacklisting either is not within the possibilities of present systems.
> I'm curious whether you have any plan for what to do when someone starts
> abusing IPv6 space and what the plan looks like.
>

Our system uses a CIDR-oriented database. This means that the system can
cluster all IPv6 addresses into a minimal equivalent CIDR list.

Example:

show() => []
add("2001:db8::0") => ADDED
show() => ["2001:db8::/128"]
add("2001:db8::1") => JOINED
show() => ["2001:db8::/127"]
add("2001:db8::2") => ADDED
show() => ["2001:db8::/127", "2001:db8::2/128"]
add("2001:db8::3") => JOINED
show() => ["2001:db8::/126"]
listed("2001:db8::1") => TRUE
listed("2001:db8::4") => FALSE
overlap("2001:db8::0/64") => OVERLAPPED
show() => ["2001:db8::/64"]
remove("2001:db8::7fff") => EXTRACTED
show() => ["2001:db8::/114", "2001:db8::4000/115",
"2001:db8::6000/116", "2001:db8::7000/117",
"2001:db8::7800/118", "2001:db8::7c00/119",
"2001:db8::7e00/120", "2001:db8::7f00/121",
"2001:db8::7f80/122", "2001:db8::7fc0/123",
"2001:db8::7fe0/124", "2001:db8::7ff0/125",
"2001:db8::7ff8/126", "2001:db8::7ffc/127",
"2001:db8::7ffe/128", "2001:db8::8000/113",
"2001:db8::1000:0/100", "2001:db8::100:0/104",
"2001:db8::10:0/108", "2001:db8::1:0/112",
"2001:db8::2000:0/99", "2001:db8::200:0/103",
"2001:db8::20:0/107", "2001:db8::2:0/111",
"2001:db8::4000:0/98", "2001:db8::400:0/102",
"2001:db8::40:0/106", "2001:db8::4:0/110",
"2001:db8::8000:0/97", "2001:db8::800:0/101",
"2001:db8::80:0/105", "2001:db8::8:0/109",
"2001:db8::1000:0:0/84", "2001:db8::100:0:0/88",
"2001:db8::10:0:0/92", "2001:db8::1:0:0/96",
"2001:db8::2000:0:0/83", "2001:db8::200:0:0/87",
"2001:db8::20:0:0/91", "2001:db8::2:0:0/95",
"2001:db8::4000:0:0/82", "2001:db8:0:0:0:400:0:0/86",
"2001:db8::40:0:0/90", "2001:db8::4:0:0/94",
"2001:db8::8000:0:0/81", "2001:db8::800:0:0/85",
"2001:db8::80:0:0/89", "2001:db8::8:0:0/93",
"2001:db8::1000:0:0:0/68", "2001:db8::100:0:0:0/72",
"2001:db8::10:0:0:0/76", "2001:db8::1:0:0:0/80",
"2001:db8::2000:0:0:0/67", "2001:db8::200:0:0:0/71",
"2001:db8::20:0:0:0/75", "2001:db8::2:0:0:0/79",
"2001:db8::4000:0:0:0/66", "2001:db8::400:0:0:0/70",
"2001:db8::40:0:0:0/74", "2001:db8::4:0:0:0/78",
"2001:db8::8000:0:0:0/65", "2001:db8::800:0:0:0/69",
"2001:db8::80:0:0:0/73", "2001:db8::8:0:0:0/77"]
add("2001:db8::7fff") => JOINED
show() => ["2001:db8::/64"]

This solution helps to minimize this type of abuse.


> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> There's a long-standing bug relating to the x86 architecture that
> allows you to install Windows.   -- Matthew D. Fuller
>
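The clustering behaviour shown in the session above can be reproduced with a small CIDR set, given here as an added example that is not the poster's code or the code of the system under discussion. The class name `CidrSet`, its method names and the status strings are assumptions modelled on that session, and the sketch handles IPv6 only.

```python
import ipaddress

class CidrSet:
    """Hypothetical sketch: keeps IPv6 blocks as a minimal list of CIDRs."""
    def __init__(self):
        self.blocks = set()

    def _covering(self, net):
        # Walk from net up towards ::/0 looking for a stored block containing it.
        while True:
            if net in self.blocks:
                return net
            if net.prefixlen == 0:
                return None
            net = net.supernet()

    def add(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        if self._covering(net) is not None:
            return "EXISTS"
        # A new, wider block replaces every stored block it contains.
        swallowed = {b for b in self.blocks if b.subnet_of(net)}
        self.blocks -= swallowed
        status = "OVERLAPPED" if swallowed else "ADDED"
        # While the sibling half is also stored, merge both into the parent.
        while net.prefixlen > 0:
            parent = net.supernet()
            sibling = next(s for s in parent.subnets() if s != net)
            if sibling not in self.blocks:
                break
            self.blocks.remove(sibling)
            net, status = parent, "JOINED"
        self.blocks.add(net)
        return status

    def remove(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        block = self._covering(net)
        if block is None:
            return "NOT_FOUND"
        self.blocks.remove(block)
        if block != net:
            # Split the covering block into the fewest CIDRs that exclude net.
            self.blocks.update(block.address_exclude(net))
        return "EXTRACTED"

    def listed(self, addr):
        return self._covering(ipaddress.ip_network(addr)) is not None

    def show(self):
        return [str(b) for b in sorted(self.blocks)]
```

Removing one address from a listed /64 leaves 64 blocks (one for each prefix length from /65 to /128), and adding it back collapses them into the /64 again.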
