IPv6 black lists?

Dave Taht d at teklibre.org
Wed Mar 10 02:32:45 CET 2010


On 03/09/2010 07:10 PM, Dave Taht wrote:
> On 03/09/2010 06:37 PM, Marco d'Itri wrote:
>> On Mar 10, Dave Taht<d at teklibre.org>  wrote:
>>
>>> So this translates out to 2^16*5 = 327680 detected spams to get
>>> completely blocked for someone that gets a /48 allocation from some
>>> tunneling provider or another. While I suppose the virbl method will
>>> work for random zombie machines which can't change their ip addresses,
>>> it's not going to slow down a dedicated abuser all that much.
>> Like it happens for IPv4, I expect that different DNSBLs (or their
>> components) will adopt different approaches at complimentary upgrades
>> of listings depending on what kind of sources they target.
>>
>>> I tend to think that changing the relevant RFC (sorry, can't remember
>>> which one) for exchanging email to require a valid certificate for
>>> email exchanged over ipv6 would be more effective in that case.
>> This is clearly a FUSSP, one of the main botnets already uses TLS
>
> TLS and "Valid Certificate" are separate animals. You can use TLS
> without a valid cert, you can also tell TLS to enforce that you accept 
> only certificates created by a valid trust-chain, and various levels 
> in-between.
>
> The human overhead required to create, software to distribute certs 
> and revocations around is (possibly) an answer of some sort to some 
> spam problems, which is why I threw the idea out there.
>
> In the case where invalid certs are still accepted, distributing the 
> fingerprint of certs distributing spam might be more effective than 
> blocking ipv6 addresses.
>
> A lot of this has been discussed over on the postfix mailing list. 
> There is a large contingent of stressed out, overworked email admins 
> over there vehemently opposed to distributing email, "as we know it" 
> over ipv6, at all.
>
> That said, it too may well be yet another FUSSP. It's a hard problem. 
> On my bad days I tend to think humanity's last role on this planet is 
> to fully educate the spam-bots into sentience.

I just enjoyed re-reading

http://www.rhyolite.com/anti-spam/you-might-be.html

It seemed to be longer than I remembered.


