On 12/1/2010 11:47 AM, Rob McEwen wrote:
On 12/1/2010 12:05 PM, David F. Skoll wrote:
Where did you hear that?  I can't imagine that
IPv6 is any less (or any more) anonymous than IPv4.

One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's
nightmare. Spammers (and blackhat ESPs) would potentially send out
each spam from a different IP and then not use each IP again for YEARS!

This will make DNSBLs much less effective... and it will bloat their file
sizes and memory/resource requirements exponentially. The DNSBLs will
have no choice but to make their entire DNSBL the equivalent of a /24
list today... except painting with a much broader stroke, and many will
complain about unfair collateral damage. Even then, the bloat will STILL
be out of control.

SOLUTIONS?

Personally, I prefer everyone everywhere agree that, unless the e-mail
is password authenticated to one's own mail server, all mail be rejected
unless the mail server had IPv4. But purists won't like that because
their goal is to eventually *end* IPv4.

So what else could be done?

v6 is now at the core and at the edge, and much of the server-to-server talking in the middle is going to remain v4 for a while. Significant numbers of SMTP servers will remain v4 only, and so v6-only servers will need to use a v4 gateway to be of any real use to their customers. I think we can safely firewall, or whitelist, v6 on port 25 until we have a useful whitelist, and probably a large droplist. Greylisting and watching for IPv6 "hopping" would probably be useful too.

Ken



If we must receive mail from IPv6 IPs, then I recommend doing the
equivalent of the following (put in IPv4 terms for simplicity):

(A) All other non-authenticated mail rejected... unless the message came
from a "XXX.XXX.XXX.0" IP (this is in IPv4 terms... translate this into
some equivalent IPv6 standard... but cast a super wide net!) That will
greatly reduce the number of possible valid mail-sending IPs. (again,
auth mail to one's own server need not fulfill this standard)

(B) industry-wide, agree that mail is NOT accepted from IPv6 unless it
does "Forward Confirmed reverse DNS" (FCrDNS)

If one or both of those were agreed upon up front--this would go a long
way towards preventing the coming nightmare. (and forgive me if RFCs
have already established those as absolute standards for IPv6... I
haven't kept up with all the RFCs for IPv6!)


--
Ken Anderson
Pacific Internet - http://www.pacific.net
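The three mechanisms the thread argues over (listing a whole IPv6 prefix instead of a single address, requiring FCrDNS on v6 connections, and watching for address "hopping" inside one prefix) fit in a short sketch. The following is an added example and is not code from the thread or from any DNSBL operator; the /64 listing granularity, the PTR/AAAA records, the connection log and the hopping threshold are all constructed assumptions.

```python
"""Added example, not code from the thread: IPv6 sender policy that lists by
prefix instead of single address, checks FCrDNS, and flags address hopping.
The prefix length, DNS records and connection log below are all constructed."""
import ipaddress
from collections import defaultdict

# Assumption: a /64 is the smallest block one customer or host normally gets,
# so it is the natural unit for listing an IPv6 sender (the thread's "/24
# equivalent").  IPv4 stays at single-address granularity here.
V6_LIST_PREFIX = 64
V4_LIST_PREFIX = 32


def listing_key(addr, v6_prefix=V6_LIST_PREFIX, v4_prefix=V4_LIST_PREFIX):
    """Collapse an address to the network a DNSBL would list it under."""
    ip = ipaddress.ip_address(addr)
    plen = v6_prefix if ip.version == 6 else v4_prefix
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


# Constructed DNS data: PTR maps address -> hostname, AAAA maps hostname -> addresses.
PTR = {
    "2001:db8:feed::25": "mx.example.net",   # consistent in both directions
    "2001:db8:feed::26": "mx.example.net",   # PTR exists but forward does not confirm it
}
AAAA = {
    "mx.example.net": {"2001:db8:feed::25"},
}


def fcrdns_ok(addr, ptr=PTR, forward=AAAA):
    """Forward-confirmed reverse DNS: the name in addr's PTR must resolve back to addr."""
    ip = str(ipaddress.ip_address(addr))          # canonical text form so lookups match
    host = ptr.get(ip)
    if host is None:
        return False
    return ip in {str(ipaddress.ip_address(a)) for a in forward.get(host, ())}


# Constructed connection log: (timestamp, client address).
SAMPLE_EVENTS = [
    # a spammer walking through a single /64, a fresh address per message
    ("2010-12-01T11:47:00Z", "2001:db8:bad:1::1"),
    ("2010-12-01T11:47:05Z", "2001:db8:bad:1::2"),
    ("2010-12-01T11:47:10Z", "2001:db8:bad:1:abcd::9"),
    ("2010-12-01T11:47:15Z", "2001:db8:bad:1:ffff:ffff:ffff:ffff"),
    # a legitimate MX sending repeatedly from one stable address
    ("2010-12-01T11:48:00Z", "2001:db8:feed::25"),
    ("2010-12-01T11:49:00Z", "2001:db8:feed::25"),
]


def hopping_prefixes(events, threshold=3, v6_prefix=V6_LIST_PREFIX):
    """Return {prefix: distinct_address_count} for prefixes whose count exceeds
    threshold.  A per-address list never sees the same spammer twice; a
    per-prefix view catches the rotation within a handful of connections."""
    seen = defaultdict(set)
    for _ts, addr in events:
        key = listing_key(addr, v6_prefix=v6_prefix)
        seen[key].add(str(ipaddress.ip_address(addr)))
    return {pfx: len(addrs) for pfx, addrs in seen.items() if len(addrs) > threshold}


def smtp_policy(addr, blocklist, authenticated=False):
    """Connection-time decision combining the thread's proposals."""
    if authenticated:
        return "accept"                 # submission by one's own users is exempt
    if listing_key(addr) in blocklist:
        return "reject: listed"
    if ipaddress.ip_address(addr).version == 6 and not fcrdns_ok(addr):
        return "reject: no FCrDNS"      # FCrDNS required on IPv6 only
    return "accept"


if __name__ == "__main__":
    blocklist = set(hopping_prefixes(SAMPLE_EVENTS))
    print("listed prefixes:", blocklist)
    for _ts, addr in SAMPLE_EVENTS:
        print(addr, "->", smtp_policy(addr, blocklist))
```

Run as a script, the four rotating addresses collapse to one listed /64 while the stable MX is accepted; an address with a PTR whose forward lookup does not confirm it is refused on the FCrDNS rule even though nothing is listed. The prefix length is a policy choice: /64 is the usual compromise between the per-address bloat described above and the collateral damage of listing a provider's whole /32.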
