IPv6 smtp spam

Jeroen Massar jeroen at unfix.org
Mon Apr 28 13:44:55 CEST 2008

SM wrote:
> At 05:58 23-04-2008, Tim Chown wrote:
>> Having now added IPv6 transport mails to our service graphs for a week,
>> we're running at an average of 410 mails per day over IPv6, plus an
>> average of 525 spams per day.    So it's sticking around 1000 mails
>> a day, and the spam rate is over 50%, but not at IPv4 ratios (yet).
> That's a fairly high rate.  I expect that it's mostly from mail servers 
> instead of compromised hosts.

It should be trivial to find out who is running these IPv6 hosts, I guess, 
as whois gets populated relatively nicely, and generally the admin behind 
it knows where IPv6 is located in their network and therefore who to kick. 
Finding that admin might sometimes be tricky, but try this list or the 
IRC channel to reach them quickly when they are present there.

>> Well, we could record the sender IPs and run some tests I guess.
>> The RIPE-NCC chaps used to have some tunnel detector code that they
>> ran, which worked by looking at PMTUs:

PMTU only tells you that somewhere there might be a tunnel, not where 
the tunnel actually is located; thus, if some silly 'transit' uses 
tunnels, it is not very useful. There was another tunnel detection trick 
where you simply insert proto-41 packets at certain places and see if 
they still arrive or not. See the RIPE presentation archives for that one.

> You could use that through passive fingerprinting  or else do a match
> against a list of known prefixes used by tunnel brokers.

For the SixXS prefixes, see http://www.sixxs.net/pops/prefixes/ or 
http://www.sixxs.net/pops/prefixes/?txtonly for a convenient CSV format 
for your parsing pleasures. The list is quite stable, but grows once in 
a while to accommodate new PoPs (more always welcome of course ;)

Of course, if you see spam or any other kind of abuse coming from those 
prefixes never ever hesitate to provide adequate information to 
abuse at sixxs.net (See also http://www.sixxs.net/contact/#abuse) so we can 
swiftly resolve those issues. We don't provide IPv6 to abusers...


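The prefix-list match suggested in the thread, worked through as an added example (not code from the mail, from SixXS or from the RIPE tooling mentioned): sender addresses from the SMTP log are matched longest-prefix-first against a broker prefix list, and anything not on that list is then checked against the automatic-tunnel ranges 2002::/16 (6to4) and 2001::/32 (Teredo), which are standard allocations. The CSV layout (`prefix,pop,country`), the prefixes in it, and the mail log are constructed for illustration; the real SixXS `?txtonly` export may use different columns, so `parse_prefix_list()` is the one function to adapt.

```python
"""Classify SMTP sender IPv6 addresses by tunnel-broker / auto-tunnel prefix.

Added example, not code from the original mail or from SixXS. The prefix CSV
below is constructed and its column layout is an assumption: the real SixXS
?txtonly export may use a different format, so adapt parse_prefix_list().
"""
import csv
import io
import ipaddress

# Well-known automatic-tunnel prefixes (standard allocations, not assumptions).
AUTO_TUNNEL_PREFIXES = {
    ipaddress.ip_network("2002::/16"): "6to4",
    ipaddress.ip_network("2001::/32"): "Teredo",
}

# Constructed sample in the shape of a "prefix,pop,country" CSV export.
# These prefixes are illustrative only, not SixXS's real allocations.
SAMPLE_PREFIX_CSV = """\
prefix,pop,country
2001:db8:1000::/40,examplepop1,nl
2001:db8:2000::/40,examplepop2,de
"""


def parse_prefix_list(text):
    """Return {IPv6Network: label} from a prefix CSV; malformed rows are skipped."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            net = ipaddress.IPv6Network(row["prefix"].strip())
        except (KeyError, ValueError):
            continue
        pop = (row.get("pop") or "?").strip()
        country = (row.get("country") or "?").strip()
        result[net] = f"{pop}/{country}"
    return result


def classify(addr, broker_prefixes):
    """Return ('broker', label), ('auto', kind) or ('native', None) for addr."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        raise ValueError("IPv6 address expected")
    # Longest match first, so a more specific broker prefix beats a broad one.
    for net, label in sorted(broker_prefixes.items(), key=lambda kv: -kv[0].prefixlen):
        if ip in net:
            return ("broker", label)
    for net, kind in AUTO_TUNNEL_PREFIXES.items():
        if ip in net:
            return ("auto", kind)
    return ("native", None)


# Constructed sample of received-mail records: (sender address, spam verdict).
SAMPLE_MAIL_LOG = [
    ("2001:db8:1000:1::25", True),
    ("2001:db8:2000:42::1", False),
    ("2002:c000:0204::1", True),                  # 6to4 (embeds 192.0.2.4)
    ("2001:0:53aa:64c:0:fbff:3f7f:fffe", True),   # Teredo
    ("2001:db8:ffff::1", False),                  # in no known tunnel prefix
]


def summarise(log, broker_prefixes):
    """Count (spam, ham) per (class, label) to see where spam actually arrives from."""
    counts = {}
    for addr, is_spam in log:
        key = classify(addr, broker_prefixes)
        spam, ham = counts.get(key, (0, 0))
        counts[key] = (spam + int(is_spam), ham + int(not is_spam))
    return counts


if __name__ == "__main__":
    prefixes = parse_prefix_list(SAMPLE_PREFIX_CSV)
    for (kind, label), (spam, ham) in summarise(SAMPLE_MAIL_LOG, prefixes).items():
        print(f"{kind:7} {label or '-':20} spam={spam} ham={ham}")
```

Two caveats when using this against real logs: a hit on 2001::/32 or 2002::/16 says the sender is behind an automatic tunnel, not which operator it belongs to (for 6to4 the embedded IPv4 address is the useful lead, for Teredo the server and obfuscated client address are), and any broker list goes stale, so re-fetch it on a schedule rather than baking it in.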