IPv6 smtp spam
jeroen at unfix.org
Mon Apr 28 13:44:55 CEST 2008
> At 05:58 23-04-2008, Tim Chown wrote:
>> Having now added IPv6 transport mails to our service graphs for a week,
>> we're running at an average of 410 mails per day over IPv6, plus an
>> average of 525 spams per day. So it's sticking around 1000 mails
>> a day, and the spam rate is over 50%, but not at IPv4 ratios (yet).
> That's a fairly high rate. I expect that it's mostly from mail servers
> instead of compromised hosts.
It should be trivial to find out who is running these IPv6 hosts I guess
as whois gets populated relatively nicely and generally the admin behind
it knows where IPv6 is located in their network and then who to kick.
Finding that admin might sometimes be tricky, but try this list or the
irc channel for getting those quickly when they are present there.
>> Well, we could record the sender IPs and run some tests I guess.
>> The RIPE-NCC chaps used to have some tunnel detector code that they
>> ran, which worked by looking at PMTUs:
PMTU only tells you that somewhere there might be a tunnel, not where
the tunnel actually is located, thus if some silly 'transit' uses
tunnels it is not very useful. There was another tunnel detection trick
where you simply insert proto-41 packets at certain places and see if
they still arrive or not. See the RIPE presentation archives for that one.
> You could use that through passive fingerprinting or else do a match
> against a list of known prefixes used by tunnel brokers.
For the SixXS prefixes, see http://www.sixxs.net/pops/prefixes/ or
http://www.sixxs.net/pops/prefixes/?txtonly for a convenient CSV format
for your parsing pleasures. The list is quite stable, but grows once in
a while to accommodate new PoPs (more always welcome of course ;)
Of course, if you see spam or any other kind of abuse coming from those
prefixes never ever hesitate to provide adequate information to
abuse at sixxs.net (See also http://www.sixxs.net/contact/#abuse) so we can
swiftly resolve those issues. We don't provide IPv6 to abusers...
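Added example, not part of the original message: one way to do the prefix match suggested above, classifying mail sender addresses against a list of tunnel-broker prefixes. It goes slightly beyond the thread by also recognising the well-known 6to4 and Teredo prefixes. The "prefix,label" layout, the prefixes (documentation space 2001:db8::/32) and the sender addresses are constructed assumptions, not the actual SixXS list or format.

```python
import ipaddress
from collections import Counter

# Well-known transition prefixes: 6to4 (RFC 3056) and Teredo (RFC 4380).
WELL_KNOWN = {
    "6to4": ipaddress.ip_network("2002::/16"),
    "teredo": ipaddress.ip_network("2001::/32"),
}

# Constructed broker list in an assumed "prefix,label" layout, using the
# documentation range 2001:db8::/32. Not real tunnel-broker data.
BROKER_PREFIXES_TXT = """\
# prefix,label
2001:db8:100::/40,example-pop-a
2001:db8:200::/40,example-pop-b
"""

# Constructed sender addresses, as they might be pulled from MTA logs.
SAMPLE_SENDERS = [
    "2002:c000:204::1", "2001:0:53aa:64c::1", "2001:db8:1ab:cdef::25",
    "2001:db8:2ff::25", "2001:db8:ffff::1", "::ffff:192.0.2.7",
]

def load_prefixes(text):
    """Parse 'prefix,label' lines; the most specific prefix sorts first."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, label = line.partition(",")
        nets.append((ipaddress.ip_network(prefix.strip()), label.strip() or "broker"))
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)

def classify(addr, brokers):
    """Return 'ipv4', '6to4', 'teredo', 'broker:<label>' or 'native-or-unknown'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 or ip.ipv4_mapped is not None:
        return "ipv4"  # plain or IPv4-mapped: not an IPv6 transport sender
    for name, net in WELL_KNOWN.items():
        if ip in net:
            return name
    for net, label in brokers:
        if ip in net:
            return "broker:" + label
    return "native-or-unknown"

def summarize(senders, brokers):
    """Count senders per class, e.g. to compare spam sources by transport."""
    return Counter(classify(a, brokers) for a in senders)
```

A prefix match only says which broker or transition mechanism the address space belongs to; a sender that falls through to "native-or-unknown" may still sit behind a tunnel somewhere in the path.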