STARTTLS and sp*m (was: Re: current usage of AAAA implicit MX?)

SM sm at resistor.net
Wed Apr 16 07:38:07 CEST 2008


At 13:04 15-04-2008, Tim wrote:
>Greylisting itself works ok right now, but slows down mail and I suspect
>will become less effective in the future.  If everyone were using it,
>the bots will just try multiple times.  It's inherently a tit-for-tat

The bots already do that.

>If you don't select an obvious IPv6 address for your mail server, then
>the bots won't be able to scan the addresses to find port 25.  They
>*must* use the DNS in order to find hosts.

There was a document about scanning IPv6 space which deems it 
feasible as the obvious IPv6 address will be a common mistake for 
people operating with an IPv4 mindset.

>Now suppose you can dedicate a /48 to your mail server.  What if the
>remaining 80 bits were actually an encrypted cookie generated by your
>DNS server?  This encrypted cookie could contain information about what
>DNS resolver IP address (to an approximation) requested the MX/AAAA
>record.  It could also store a time stamp to guarantee proper expiration
>of the cookie, and even have room left over for a few flags and a
>checksum.
>
>Once a port 25 connection comes in to this IPv6 address (48 bit prefix
>plus 80 bit cookie) your firewall decrypts it, checks the source DNS
>resolver for it's level of "evil" and possibly grey/white/black lists
>based on that and possibly other information.  I haven't really thought
>through the best approach for this part, but there's the teaser.  It
>essentially gives you more information about /who/ is initiating the
>connection, since now you have an idea of where they got the DNS record
>in addition to what their actual source IP is.

The above could be used to determine whether the sender used the MX 
to find the host.  It may not be worth it if it doesn't catch that 
many "bad" senders.  The idea is interesting.

Regards,
-sm





More information about the ipv6-ops mailing list