On 12/1/2010 10:29 AM, Rob McEwen wrote:
> On 12/1/2010 12:55 PM, David F. Skoll wrote:
>> I don't see any nightmare.
>
> When DNSBL resources are orders of magnitude higher... when the largest
> data files for DNSBLs go from 100MB to probably Terabytes... and then
> trying to transfer that via rsync... and getting all the mirrors to
> handle loading that much data into rbldnsd... THAT will be a nightmare.
> (will Terabytes of RAM be affordable anytime soon?)
>
>> DNSBLs are a useful anti-spam tool that
>> will be made somewhat less effective with the advent of IPv6, but they're
>> by no means the only or most effective anti-spam tool we have.
>
> Not the only tool... but (particularly for IP DNSBLs worthy of blocking
> at the MTA...) they are the BEST tool from a price/performance
> perspective. In contrast, content scanning messages is comparatively
> resource expensive.

which we currently are doing.

If Wonkulating Gronkulator ISP Inc. has 2000 customers on their
mailserver in an IPv4 world, they will have 2000 customers on their
IPv6-enabled mailserver. They will thus be doing the same amount of
work content scanning on the IPv6-enabled mailserver as they are now
doing on the IPv4-enabled mailserver.

Adding more IP addresses into the market isn't going to increase
the amount of spam being sent.

What really increases the amount of spam being sent (IMHO) is
increasing the number of HOSTS that can directly send out via
port 25.

Without question the real driver of IPv6 is stuff like cell phones,
Blu-ray players, and so on that need more IP addresses. Do these
devices need unrestricted port 25 access? Absolutely not. So it
seems that the organizations constructing the IPv6 networks that these
devices need have every incentive to be responsible and block such
access.

If for example you're an ISP managing a FiOS network who is looking into
going to IPv6, you know you're going to either have to replace firmware in
your customers' CPEs or provide them with new CPEs. And the new
CPE cannot depend on NAT; it will need to have a real firewall in it.
Why would you NOT set an outbound port 25 block as a DEFAULT?

Today, Comcast blocks SMB ports. I have run tests with techs here and
I can guarantee that it is impossible to map a drive over Comcast,
unless you either use nonstandard ports or put it in a VPN. Yet
does the average customer notice? NO. So then why would it be so
difficult for them to block port 25? It WOULDN'T.

We know that with the newer broadband networks - WiMAX, cable, FiOS
and FTTN - that in the US at any rate we are heading into a monopoly
age where the wire carrier will be the ISP. Thus there will not be
many ISPs out there and those that will be out there will be
gigantic. We know that for these megaliths to go to IPv6 they will
need to forklift upgrade their CPEs. We also know these CPEs will
not be NAT devices and thus will need stateful firewalls to do IPv6.

So the opportunity is to have the ISPs today that will be doing this
set the defaults in these CPE devices to block things like outbound
SMTP. If the customer is clueful they can log in and turn off the
block; if they are clueless they should definitely not be turning
off any SMTP blocks.

Problem solved.
Ted

> I suppose a nation's military *could* fight a war without airplanes,
> without ships, and without missiles... and just depend on the foot
> soldiers and tanks to do *all* the work. But is that wise? Does that
> happen without a steep price?
>
> We have a chance to impose some strict standards for mail sending on
> IPv6 that will lessen these problems. Why wait until it's too late?
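The CPE default that the message above proposes (outbound port 25 blocked for both IPv4 and IPv6 unless the customer has logged in and switched it off) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the thread or from any ISP's CPE firmware. The table name `cpe_egress`, the log prefix `cpe-smtp-block`, the smarthost addresses and the kernel log lines are all constructed for illustration; the nftables syntax it renders is standard.

```python
"""Constructed model of a CPE default outbound-SMTP block.

Policy: new LAN->WAN flows to TCP/25 are rejected unless (a) the customer
has turned the block off, or (b) the destination is one of the ISP's own
smarthosts.  Authenticated submission (587/465) and everything else is
untouched.  Names such as cpe_egress, the smarthost addresses and the log
prefix are illustrative assumptions, not from any real CPE firmware."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
import re

SMTP_PORT = 25


@dataclass
class CpePolicy:
    # True once a clueful customer has logged in and turned the block off
    smtp_unblocked: bool = False
    # ISP smarthosts always reachable on port 25 (constructed: RFC 5737 /
    # RFC 3849 documentation addresses)
    isp_smarthosts: tuple = ("192.0.2.25", "2001:db8:25::25")

    def smarthost_set(self):
        return {ip_address(h) for h in self.isp_smarthosts}


def decide(policy: CpePolicy, dst_ip: str, proto: str, dport: int) -> str:
    """Decision for one new outbound LAN->WAN flow: 'accept' or 'reject'.
    Behaves identically for IPv4 and IPv6 destinations."""
    if proto.lower() != "tcp" or dport != SMTP_PORT:
        return "accept"           # submission (587/465), web, etc. untouched
    if policy.smtp_unblocked:
        return "accept"           # customer opted out of the block
    if ip_address(dst_ip) in policy.smarthost_set():
        return "accept"           # ISP's own relay is always allowed
    return "reject"               # direct-to-MX delivery from the LAN


def nft_ruleset(policy: CpePolicy) -> str:
    """Render the same policy as an nftables 'inet' table (covers v4 + v6)."""
    lines = [
        "table inet cpe_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    if not policy.smtp_unblocked:
        for host in policy.isp_smarthosts:
            fam = "ip6" if ip_address(host).version == 6 else "ip"
            lines.append(f"    {fam} daddr {host} tcp dport {SMTP_PORT} accept")
        # reject-with-reset so a legitimate client fails fast instead of
        # hanging on a silent drop; the log line feeds blocked_sources()
        lines.append(
            f'    tcp dport {SMTP_PORT} log prefix "cpe-smtp-block " '
            "reject with tcp reset"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


LOG_RE = re.compile(r"cpe-smtp-block .*?SRC=(\S+) .*?DPT=25\b")


def blocked_sources(kernel_log: str) -> Counter:
    """Count blocked port-25 attempts per LAN source.  One host with
    hundreds of hits is exactly the infected machine the block exists for."""
    return Counter(m.group(1) for m in LOG_RE.finditer(kernel_log))


# Constructed kernel log lines in the layout nft's 'log' statement produces.
SAMPLE_LOG = "\n".join([
    "kernel: cpe-smtp-block IN=br-lan OUT=wan SRC=2001:db8:0:1::10 DST=2001:db8:ffff::1 PROTO=TCP SPT=49152 DPT=25",
    "kernel: cpe-smtp-block IN=br-lan OUT=wan SRC=2001:db8:0:1::10 DST=2001:db8:ffff::2 PROTO=TCP SPT=49153 DPT=25",
    "kernel: cpe-smtp-block IN=br-lan OUT=wan SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=25",
])

if __name__ == "__main__":
    default = CpePolicy()
    print(decide(default, "2001:db8:ffff::1", "tcp", 25))   # reject
    print(decide(default, "2001:db8:ffff::1", "tcp", 587))  # accept
    print(nft_ruleset(default))
    print(blocked_sources(SAMPLE_LOG).most_common(1))
```

Two design points worth noting: the rule lives in the `forward` chain of an `inet` table, so a single ruleset covers both address families and the CPE's own traffic is unaffected; and the block rejects with a TCP reset rather than dropping, so a customer who does run a mail server sees an immediate failure (and knows to log in and flip `smtp_unblocked`) instead of a hanging connection.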