IPv6 black lists?

Dave Taht d at teklibre.org
Wed Mar 10 02:10:38 CET 2010

On 03/09/2010 06:37 PM, Marco d'Itri wrote:
> On Mar 10, Dave Taht<d at teklibre.org>  wrote:
>> So this translates out to 2^16*5 = 327680 detected spams to get
>> completely blocked for someone that gets a /48 allocation from some
>> tunneling provider or another. While I suppose the virbl method will
>> work for random zombie machines which can't change their ip addresses,
>> it's not going to slow down a dedicated abuser all that much.
> Like it happens for IPv4, I expect that different DNSBLs (or their
> components) will adopt different approaches at complimentary upgrades
> of listings depending on what kind of sources they target.
>> I tend to think that changing the relevant RFC (sorry, can't remember
>> which one) for exchanging email to require a valid certificate for email
>> exchanged over ipv6 would be more effective in that case.
> This is clearly a FUSSP, one of the main botnets already uses TLS

TLS and "Valid Certificate" are  separate animals. You can use TLS 
without a valid cert, you can also tell TLS to enforce that you accept 
only certificates created by a valid trust-chain, and various levels 

The human overhead required to create, software to distribute certs and 
revocations around is (possibly) an answer of some sort to some spam 
problems, which is why I threw the idea out there.

In the case where invalid certs are still accepted, distributing the 
fingerprint of certs distributing spam might be more effective than 
blocking ipv6 addresses.

A lot of this has been discussed over on the postfix mailing list. There 
is a large contingent of stressed out, overworked email admins over 
there vehemently opposed to distributing email, "as we know it" over 
ipv6, at all.

That said, it too may well be yet another FUSSP. It's a hard problem. On 
my bad days I tend to think humanity's last role on this planet is to 
fully educate the spam-bots into sentience.

More information about the ipv6-ops mailing list