A simple test for email via IPv6
Ted Mittelstaedt
tedm at ipinc.net
Tue Apr 30 12:20:58 CEST 2013
On 4/30/2013 2:41 AM, Philipp Kern wrote:
> On Tue, Apr 30, 2013 at 02:32:59AM -0700, Ted Mittelstaedt wrote:
>> Here is a transcript of me spamming myself with your script. Notice
>> that your script does NO error checking. I transmitted the mail
>> message from the Internet Partners public mailserver with my Gmail
>> address forged as the sender's address and your script happily delivered
>> it to my Gmail address.
>>
>> I hope this adequately demonstrates the potential for abuse. If
>> not, imagine if I was a malevolent attacker who wanted to fill up
>> someone's Gmailbox with thousands of "Congratulations from v6net.ru"
>> mail messages.
>
> Sure, but that's also possible by the spammer connecting directly to
> your mail-in or by using any other autoresponder on the net.
We aren't talking some opt-in mailing list that could possibly
argue that they had a reason to allow a reply to a 3rd party.
There is no reason that a proper autoresponder setup for the purpose
of testing (that the OP stated) should allow what I did.
> Now it's
> possible that they did not implement throttling like sane autoresponders
> do, but that's not what you wrote.
>
Even if it did implement throttling that is not an excuse to allow a
3rd party relay unless it's needed. And in this case it's not needed.
> Even though gmail.com does have SPF records set they have a neutral
> catch-all. Sender policies also do not say that everything has to be
> DKIM-signed so I'm not sure what kind of checking you are pointing
> at.
>
> It's technically not an open relay in any case.
>
I didn't say it was. I said that it could be abused to stuff up
someone's e-mail box. That implied a lack of throttling of course. I
assumed that if the OP was ignoring the sender's IP that they would
not have implemented throttling either.
>> I know we're all excited about IPv6 but the problem is that way too
>> many people are implementing it without any firewalling, or filtering
>> or anything. Please don't think that the spammers are stupid.
>
> I'm not sure how this relates to the problem at hand, except for
> pushing the filtering agenda.
>
Oh good Lord. So, reasonable mail filtering is now an 'agenda'? Since
when did mail filtering become undesirable?

Please publicly post the IP address of a mailserver YOU administer that
is NOT filtered and allows unthrottled autoresponses. And for extra
credit, why don't you open it for open relaying, too?

Do I really have to explain why it's not polite to walk out into the
middle of a crowd in the city and take off all your clothes? (well, for
most people to do that, that is - I can think of a few exceptions)

Ted
> Kind regards
> Philipp Kern
>
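The two controls debated in this message, checking the sender against the connecting host and throttling replies, shown as an added example (it is not from the thread or from the script under discussion). It assumes the receiving MTA has already computed an SPF verdict for the connecting IP and the MAIL FROM domain; the class name, limits, and sample messages are constructed for illustration.

```python
import time
from collections import defaultdict, deque


class AutoresponderPolicy:
    """Reply only to a verified sender, and only a few times per window."""

    def __init__(self, max_replies=3, window=3600):  # assumed limits
        self.max_replies = max_replies
        self.window = window
        self._sent = defaultdict(deque)  # reply target -> reply timestamps

    def decide(self, envelope_from, spf_result, now=None):
        """Return (allow, reason) for one incoming message.

        envelope_from: SMTP MAIL FROM address the reply would be sent to.
        spf_result: verdict for (connecting IP, MAIL FROM domain), e.g.
                    "pass", "neutral", "fail", "none".
        """
        now = time.time() if now is None else now
        target = envelope_from.strip().strip("<>").lower()
        if not target:
            return False, "null sender"
        # A forged sender relayed through an unrelated host never gets "pass".
        # A domain with a neutral catch-all yields "neutral", which proves nothing.
        if spf_result.lower() != "pass":
            return False, "sender not verified (spf=%s)" % spf_result
        sent = self._sent[target]
        while sent and now - sent[0] >= self.window:
            sent.popleft()  # forget replies older than the window
        if len(sent) >= self.max_replies:
            return False, "throttled"
        sent.append(now)
        return True, "ok"


def demo():
    # Constructed sample: (MAIL FROM, SPF verdict, arrival time in seconds).
    policy = AutoresponderPolicy(max_replies=2, window=3600)
    messages = [
        ("victim@example.com", "neutral", 0),  # forged, sent via a third-party host
        ("tester@example.net", "pass", 10),
        ("tester@example.net", "pass", 20),
        ("tester@example.net", "pass", 30),    # third request inside the window
        ("<>", "none", 40),                    # bounce / null sender
    ]
    return [policy.decide(m, s, now=t)[1] for m, s, t in messages]


if __name__ == "__main__":
    print(demo())
```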
More information about the ipv6-ops mailing list