Greetings,

Excuse my probable ignorance of such matters, but would it not then be preferred to create a whitelist of proven email servers/IPs, and just drop the rest? Granted, one would have to create a process to vet anyone creating a new email server, but would that not be easier than trying to create and maintain new blacklists?

- Blake

On Thu, Oct 1, 2015 at 8:07 PM Rob McEwen <r...@invaluement.com> wrote:

> RE: How to wish you hadn't rushed ipv6 adoption
>
> Force the whole world to switch to IPv6 within the foreseeable future,
> abolish IPv4... all within several years or even within 50 years... and
> then watch spam filtering worldwide get knocked back to the stone ages
> while spammers and blackhat and grayhat ESPs laugh their way to the
> bank... that is, until e-mail becomes unworkable and is virtually
> abandoned.
>
> I welcome IPv6 adoption in the near future in all but one area: the
> sending IPs of valid mail servers. Those need to stay IPv4 for as long
> as reasonably possible.
>
> It turns out... the scarcity of IPv4 IPs in THIS area... is a feature,
> not a bug.
>
> That scarcity makes it harder for spammers to acquire new IPs, and they
> therefore pay a price for the ones they burn through via their
> spam-sending. Likewise, scarcity of IPv4 IPs *forces* ESPs, hosters, and
> ISPs to try HARD to keep their IPs clean. THEY pay a price when a
> bad-apple customer soils up their IP space.
>
> In contrast, with IPv6, orders of magnitude MORE IPs are easily acquired,
> and orders of magnitude more are in each allocation. It is truly a
> spammer's dream come true. This reminds me about a recent article Brian
> Krebs wrote about a famous hoster who slowly drove their business into
> the ground by allowing in the kind of spammers that look a little legit
> at first glance. (like the "CAN-SPAM" spammers who are doing nothing
> illegal, follow the law, but still send to purchased lists). But even
> this hoster's bank account was bursting at the seams with cash due to a
> booming business, their IP space's reputation was slowly turning into
> crap. Eventually, they started losing even their spammer customers.
> Then, their CEO made a decision to get serious about abuse and keeping
> spammers off of their network---and this turned into a success story
> where they now run a successful hosting business without the spammers.
> In an IPv6 world, I wonder if they would have ever even cared? There
> would always be new fresh IPv6 IPs to acquire! There would never have
> been the "motivation" to turn things around. There would always be new
> IPv6 IPs to move on to. (or at least enough available to "kick the can
> down the road" and not worry about any long term repercussions). It was
> ONLY when this CEO started seeing even the spammers start to leave him
> (along with some SpamHaus blacklistings)! that he realized that his IP
> reputation would eventually get so bad that he would be virtually out of
> business. It was ONLY then that he decided to make changes. Would this
> have happened in an all-IPv6 world? I highly doubt it! He'd just keep
> moving on to fresh IPs!
>
> The cumulative sum total of all those hosters and ESPs downward
> spiraling in an IPv6 world... could cause the spam problem to GREATLY
> accelerate.
>
> Meanwhile, sender IP blacklists would become useless in an IPv6 world
> because the spammer now has enough IPs (in many scenarios) to EVEN SEND
> ONE SPAM PER IP, never to have to use that one IP again FOR YEARS, if
> ever. So a blacklisting is ineffective... and actually helps the spammer
> to listwash spamtrap addresses... since the ONE listing maps to a single
> recipient address. Now the sender's IP blacklist is even less effective
> and is helping the spammers more than it is blocking spam! And did I
> mention that the sender's IP list has bloated so large that it is hard
> to host in DNS and hard to distribute--and most of the listings are now
> useless anyways!
>
> Yes, there are other types of spam filtering... including content
> filtering techniques. But in the real world, these only work because the
> heavy lifting is ALREADY done by the sender's IP blacklist. The vast
> majority of this worldwide "heavy lifting" is done by
> "zen.spamhaus.org". If many of the largest ISPs suddenly lost access to
> Zen, some such filters would be in huge trouble.... brought down to
> their knees. Now imagine that all the other sending-IP blacklists are
> gone too? In that spammer's dream scenario, the spammer has upgraded to
> a Lamborghini, while the spam filters have reverted back to the horse
> and buggy. Seriously, that analogy isn't the slightest bit of an
> exaggeration.
>
> Yes, you can STILL have your toaster and refrigerator and car send mail
> from an IPv6 address... they would just need to SMTP-Authenticate to a
> valid mail server... via an IPv6 connection... yet where that valid MTA
> would then send their mail to another MTA via IPv4. Since the number of
> IPv4 IPs needed for such valid mail servers is actually very, very small
> (relatively speaking), then it isn't a big problem for THOSE to get IPv4
> addresses, at a trivial cost. We might even see IPv4 open up a bit as
> OTHER services move to IPv6. IPv6 addresses NOT being able to send
> directly to the e-mail recipient's IPv4 mail servers might actually help
> cut down on botnet spam, which is an added plus! (whereas those IPv6's
> IPv4 predecessors sometimes could send that botnet spam directly to the
> recipient's mail server).
>
> So push IPv6 all you want... even "force" it... but please don't be too
> quick to rush the elimination of IPv4 anytime soon. And let's keep MTA
> sending IPs (which is server-to-server traffic) as IPv4-only, even if
> they are able to receive their own customers' SMTP auth mail via IPv6.
>
> Otherwise, we'll be having discussions one day about how to limit WHICH
> and HOW MANY IPv6 addresses can be assigned to MTAs! (hey, maybe that
> isn't a bad idea either!)
>
> --
> Rob McEwen
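
Added example (not part of either message in this thread): a small Python model of the reactive per-address sender blacklist discussed in the quoted message, next to the vetted-server whitelist proposed in the reply. It assumes every replayed message is spam and that an address is listed right after its first message; the addresses are documentation ranges, and `dnsbl.example` and the vetted MTA are placeholders constructed for illustration.

```python
import ipaddress

def dnsbl_qname(ip, zone):
    """DNSBL query name (RFC 5782): reversed octets for IPv4,
    reversed nibbles for IPv6, followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer ends in in-addr.arpa / ip6.arpa; drop those two labels
    return addr.reverse_pointer.rsplit(".", 2)[0] + "." + zone

def replay_blocklist(sources):
    """Reactive per-address list: an address is listed after its first spam.
    Returns (blocked, delivered, listings)."""
    listed, blocked = set(), 0
    for src in sources:
        if src in listed:
            blocked += 1
        else:
            listed.add(src)  # first message is delivered, then the IP is listed
    return blocked, len(sources) - blocked, len(listed)

def replay_allowlist(sources, vetted):
    """Default-deny: accept only sources inside a vetted network.
    Returns (dropped, accepted)."""
    nets = [ipaddress.ip_network(n) for n in vetted]
    accepted = 0
    for src in sources:
        addr = ipaddress.ip_address(src)
        accepted += any(addr.version == n.version and addr in n for n in nets)
    return len(sources) - accepted, accepted

# Constructed sample traffic (documentation address ranges, not real senders).
N = 1000
V4_POOL = [str(ipaddress.ip_address("192.0.2.10") + i) for i in range(4)]
v4_stream = [V4_POOL[i % len(V4_POOL)] for i in range(N)]   # 4 scarce IPs reused
V6_BASE = ipaddress.ip_address("2001:db8:0:1::")
v6_stream = [str(V6_BASE + i + 1) for i in range(N)]        # one message per IP
VETTED = ["198.51.100.25/32"]                               # hypothetical vetted MTA

if __name__ == "__main__":
    print("IPv4 blocklist:", replay_blocklist(v4_stream))
    print("IPv6 blocklist:", replay_blocklist(v6_stream))
    print("IPv6 allowlist:", replay_allowlist(v6_stream, VETTED))
    print(dnsbl_qname(v4_stream[0], "dnsbl.example"))
    print(dnsbl_qname(v6_stream[0], "dnsbl.example"))
```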