On Thu, 30 Dec 2010 19:21:25 -0800 Ted Mittelstaedt <t...@ipinc.net> wrote:
> No, I am assuming the spammers will do as they have always done in the
> past - attempt to use other people's computers for free. Other
> computers that are NOT cycling through lots of IP numbers in the
> normal case.

That's because they can't. Most end-user computers won't get very far
if they attempt to use an IP address other than the provider-assigned
ones. Things change with IPv6. You can typically pick from 2^64
possible addresses per machine without any restrictions from your
provider.

[...]

> Don't you realize that the same thing could be done TODAY to limit
> queries? SA's developers could make a very (IMHO) legitimate
> assumption that any IPv4 address that comes up as a positive hit on a
> BL automatically marks the entire /24 that the IPv4 address is
> in, based on the idea that a spammer is going to obtain a /24 subnet
> and cycle through the IP numbers in that subnet.

That's a very bad assumption. We use a colocated server as our
outbound mail host and it's assigned an IPv4 /29. There could be up to
32 completely-unrelated machines in our /24; blacklisting us because of
one of them would be very unfair.

[...]

> The only reason nobody has done this is because there has been no
> interest in limiting DNS queries from most SA users.

No. People don't do that because it's far too draconian.

> The other thing is that if a spammer blows out a client's DNS cache
> (or a client's ISP's dns cache) then the MTA is going to start
> hanging, while it waits for DNS queries that never return (since
> the server is overloaded) and mail receiving will get very, very
> slow - hardly the situation the spammer wants when their intent
> is to deliver e-mail spam!!!

Umm... and that's OK?

> >> Well for starters it almost sounds to me like you're not that
> >> familiar with IPv6 to even say this. The lower 64 bits of the
> >> address is the interface identifier, and the upper 64 bits is the
> >> sub-network prefix.
It doesn't have to be:

$ host mail.ipv6.roaringpenguin.com
mail.ipv6.roaringpenguin.com has IPv6 address 2607:f748:1200:fb:70:38:112:54

70:38:112:54 bears no relationship to any MAC address on that machine.
(But check out the IPv4 address of mail.roaringpenguin.com)

> and doing this cycling just makes them much more visible as a spammer
> a lot quicker, thus making it a lot easier to smack 'em down faster.

So assume a spammer has 1,000 botnet nodes, each of which has 2^64
possible IPv6 addresses. Explain how you can efficiently detect such
cycling and block it. Perhaps you've heard of "snowshoe spamming"?

> It's far better for the RBL's to just blacklist the entire /48 that
> a spamming IPv6 address appears in. Sure that sounds draconian but
> that's because you're thinking in IPv4 address-scarcity terms. The
> RBLs can always offer 3 different query servers, one for /48's, one
> for /56's and one for /64s but a /48 is what we need to be shooting for.

I think /48 might be a bit much, but here I mostly agree with you. I
think John's solution is over-engineered and that a /64 or greater
granularity would be perfectly fine.

Regards,

David.
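An added example, not code from this thread or from any of its participants, that makes the granularity discussion concrete: it aggregates the IPv6 address quoted above to the /48, /56 and /64 a list could key on, builds the nibble-reversed query name a per-granularity DNSBL zone might use (the zone name is a placeholder and the label layout is an assumption, since the thread does not specify one), and counts how many /29 customer blocks a /24 listing would sweep up, as in the colocated-server objection.

```python
import ipaddress

# Sample values: the IPv6 address quoted in the thread and a constructed
# IPv4 address from the documentation range. Zone names are placeholders.
SAMPLE_V6 = "2607:f748:1200:fb:70:38:112:54"
SAMPLE_V4 = "192.0.2.77"


def aggregate(addr: str, prefixlen: int) -> str:
    """Return the covering network of addr at the chosen granularity.

    A list keyed on this prefix (/48, /56 or /64) covers every address a
    sender could rotate through inside it, which is the point of listing
    prefixes rather than single IPv6 hosts.
    """
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


def dnsbl_label(addr: str, prefixlen: int, zone: str) -> str:
    """Build the query name for a prefix-granularity IPv6 DNSBL zone.

    Assumption (not something the thread specifies): the zone for a given
    granularity takes only the nibbles inside that prefix, reversed and
    dot-separated, like the nibble form IPv6 DNSBLs use for full addresses.
    """
    if prefixlen % 4 != 0:
        raise ValueError("prefix length must fall on a nibble boundary")
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    prefix_nibbles = nibbles[: prefixlen // 4]
    return ".".join(reversed(prefix_nibbles)) + "." + zone


def ipv4_collateral(listed_ip: str, aggregate_prefixlen: int,
                    customer_prefixlen: int) -> int:
    """Count customer-sized blocks inside the aggregate that holds listed_ip.

    This is the /29-in-a-/24 objection: one listed host drags in every
    other customer block sharing the same /24.
    """
    net = ipaddress.ip_network(f"{listed_ip}/{aggregate_prefixlen}",
                               strict=False)
    return sum(1 for _ in net.subnets(new_prefix=customer_prefixlen))


if __name__ == "__main__":
    for plen in (48, 56, 64):
        print(f"/{plen}: {aggregate(SAMPLE_V6, plen)}")
    print(dnsbl_label(SAMPLE_V6, 64, "v6-64.dnsbl.example"))
    print(ipv4_collateral(SAMPLE_V4, 24, 29), "/29 blocks share that /24")
```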