IPv6 black lists?
d at teklibre.org
Wed Mar 10 02:10:38 CET 2010
On 03/09/2010 06:37 PM, Marco d'Itri wrote:
> On Mar 10, Dave Taht<d at teklibre.org> wrote:
>> So this translates out to 2^16*5 = 327680 detected spams to get
>> completely blocked for someone that gets a /48 allocation from some
>> tunneling provider or another. While I suppose the virbl method will
>> work for random zombie machines which can't change their ip addresses,
>> it's not going to slow down a dedicated abuser all that much.
> Like it happens for IPv4, I expect that different DNSBLs (or their
> components) will adopt different approaches at complimentary upgrades
> of listings depending on what kind of sources they target.
>> I tend to think that changing the relevant RFC (sorry, can't remember
>> which one) for exchanging email to require a valid certificate for email
>> exchanged over ipv6 would be more effective in that case.
> This is clearly a FUSSP, one of the main botnets already uses TLS
TLS and "Valid Certificate" are separate animals. You can use TLS
without a valid cert, you can also tell TLS to enforce that you accept
only certificates created by a valid trust-chain, and various levels
The human overhead required to create, software to distribute certs and
revocations around is (possibly) an answer of some sort to some spam
problems, which is why I threw the idea out there.
In the case where invalid certs are still accepted, distributing the
fingerprint of certs distributing spam might be more effective than
blocking ipv6 addresses.
A lot of this has been discussed over on the postfix mailing list. There
is a large contingent of stressed out, overworked email admins over
there vehemently opposed to distributing email, "as we know it" over
ipv6, at all.
That said, it too may well be yet another FUSSP. It's a hard problem. On
my bad days I tend to think humanity's last role on this planet is to
fully educate the spam-bots into sentience.
More information about the ipv6-ops