On 1/3/2011 9:21 PM, Dave Pooser wrote: > Not to speak for Rob, but... Dave,
You described my point quite well and I appreciate your help! What I described is vastly different than whitelisting and has massive "upsides". I haven't yet found any noteworthy downsides. Overall, this discussion thread took many twists and turns over the past few weeks. And tensions were often very high. But *two things became clear to everyone involved*, even those who disagreed with each other passionately over various things: (1) The problems caused by using IPv6 for SMTP are quite large, and there are *many* interrelated problems... RECAP: dns cache bloating--to a point of ruining ISP's caches, DNSBL bloating, bloating of resource requirements for serving IPv6 DNSBLs & distributing the massively larger data files, and dream-come-true scenarios for the spammers--such as giving them the ability to send a million spams each from an individual IP that is never to be heard from again--and that defeats ALL benefits of individual IP blacklisting AND gives the spammers a superb list-washing tool at the same time (In a /*single*/ e-mail campaign, they'll know /*exactly*/ which e-mail addresses are feeding DNSBLs!!!). Some of this was partially solved by blacklisting larger blocks... but no one came up with any good means for blacklisting of larger blocks that doesn't cause collateral damage. OVERALL--THE END RESULT IS AN ABSOLUTE NIGHTMARE!!! (2) These problem are DIRECTLY and ONLY caused by the available pool of IP addresses at a spammer's disposal having grown exponentially with IPv6--so much so that the possible pool of spam-sending IPs is obscenely large--and those IPs will be dolled out in vastly larger numbers than IP allocation under IPv4. Accordingly, my proposed solution VASTLY lowers this number of IPs that could e used for SMTP in a way that is amazingly inexpensive for legit senders, and extremely expensive for spammers who would try to burn through large numbers of IPs. Ironically, as I sat and read all the heated bickering... I was extremely happy that ALL of these problems were finally being openly discussed in a realistic fashion. It is about time. *And thanks, John, for engaging us on this and bringing to light these massive problems!* ...moving on... > John Levine said: >> Haven't you just reinvented whitelisting? No. As described, this is vastly different than whitelisting... and doesn't replace whitelisting in the slightest. >> Oh, and if you did that, how would MTAs check that an address of an >> incoming connection was on the list? That's the issue that started >> this discussion. > If it's an opt-in on a registrar level, I'd think that could be a host file > that's rsynced as infrequently as once or twice a day. I mean, as a > practical matter your MX records aren't going to propagate through DNS much > faster than that anyway. Exactly! The "master list" of "IPv6 IPs used for SMTP" would only update perhaps even just once per day, and would be available via rsync, ftp, http, etc (in some cases, compressed). BTW - Ironically, it is all the more of an upside that spammers could freely pay registrars for as many IPs to have "SMTP designation" as desired because, quite frankly, that is a lesser evil than the registrars ever getting "political" about who gets SMTP-designation. Since this is already an issue they deal with in their "regular" IP allocations, they probably already handle this quite nicely? In fact, I'd think it is in their best interest to just collect the money and laugh all the way to the bank... and not be bothered with denying SMTP designations, and, in this case, that is a GOOD THING!!! ALSO: With such a system in place, *IPv6 botnet-sent spam via dynamically-assigned IPs connections would be non-existent /by design/ from day one!!!!* (that alone is makes this idea worthwhile!) BOTTOM LINE: the IPv6 "status quo" is a spam sender's dream and a DNSBL's nightmare. My proposed solution is the opposite. -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
