On 12/1/2010 12:05 PM, David F. Skoll wrote:
> Where did you hear that?  I can't imagine that
> IPv6 is any less (or any more) anonymous than IPv4.

One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's
nightmare. Spammers (and blackhat ESPs) would potentially send out
each spam from a different IP and then not use each IP again for YEARS!

This will make DNSBLs much less effective... and it will bloat their file
sizes and memory/resource requirements exponentially. The DNSBLs will
have no choice but to make their entire DNSBL the equivalent of a /24
list today... except painting with a much broader stroke, and many will
complain about unfair collateral damage. Even then, the bloat will STILL
be out of control.

SOLUTIONS?

Personally, I prefer everyone everywhere agree that, unless the e-mail
is password authenticated to one's own mail server, all mail be rejected
unless the mail server had IPv4. But purists won't like that because
their goal is to eventually *end* IPv4.

So what else could be done?

If we must receive mail from IPv6 IPs, then I recommend doing the
equivalent of the following (put in IPv4 terms for simplicity):

(A) All other non-authenticated mail rejected... unless the message came
from a "XXX.XXX.XXX.0" IP (this is in IPv4 terms... translate this into
some equivalent IPv6 standard... but cast a super wide net!) That will
greatly reduce the number of possible valid mail sending IPs. (again,
auth mail to one's own server need not fulfill this standard)

(B) industry wide, agree that mail is NOT accepted from IPv6 unless it
does "Forward Confirmed reverse DNS" (FCrDNS)

If one or both of those were agreed upon up front--this would go a long
way towards preventing the coming nightmare. (and forgive me if RFCs
have already established those as absolute standards for IPv6... I
haven't kept up with all the RFCs for IPv6!)

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
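
An added illustration, not part of the message above or of any DNSBL's own code: a Python sketch of the FCrDNS acceptance check from point (B), together with prefix-level listing that collapses many one-off IPv6 senders into a single blocklist entry. The /64 listing granularity, the function names, and the DNS data (documentation range 2001:db8::/32) are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed DNS data in the 2001:db8::/32 documentation range, standing in
# for live PTR and AAAA lookups so the example runs offline.
PTR = {"2001:db8:1::25": "mail.example.org", "2001:db8:2::99": "mx.example.net"}
AAAA = {
    "mail.example.org": ["2001:db8:1::25"],
    "mx.example.net": ["2001:db8:2::1"],  # forward record points elsewhere
}

def fcrdns_ok(ip, ptr=PTR, aaaa=AAAA):
    """True if ip has a PTR name whose AAAA records include ip itself."""
    addr = ipaddress.ip_address(ip)
    name = ptr.get(str(addr))
    if name is None:
        return False
    return any(ipaddress.ip_address(a) == addr for a in aaaa.get(name, []))

def listing_key(ip, prefix_len=64):
    """Covering prefix a blocklist would store (the /64 is an assumption)."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def aggregate(ips, prefix_len=64):
    """Count sightings per covering prefix instead of per address."""
    return Counter(listing_key(ip, prefix_len) for ip in ips)

def accept(ip, listed_prefixes):
    """Policy from point (B) plus a prefix-level blocklist lookup."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in listed_prefixes):
        return False
    return fcrdns_ok(ip)

def sample_sources(n=1000):
    """Constructed: n distinct senders inside one /64, one per message."""
    base = int(ipaddress.ip_address("2001:db8:bad:1::"))
    return [str(ipaddress.ip_address(base + i)) for i in range(n)]

if __name__ == "__main__":
    hits = aggregate(sample_sources())
    print(len(hits), "list entry covers", sum(hits.values()), "addresses")
    print(accept("2001:db8:1::25", hits), accept("2001:db8:bad:1::7", hits))
```

A per-address list would need 1000 entries for the constructed senders; keyed by covering prefix it needs one, at the cost of also blocking any legitimate host inside that prefix.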
