On 6/15/2012 11:59 AM, Jay Ashworth wrote:
http://news.cnet.com/8301-1009_3-57453738-83/fbi-dea-warn-ipv6-could-shield-...
I don't know how much of this has been covered on NANOG, and I personally have a healthy innate distrust of government power grabs and intrusive government information grabs. However, having said that, as someone on the anti-spam front lines, I think that IPv6 may well be a tremendous gift to spammers if accepting mail from IPv6 becomes a free-for-all, as I understand it to be.

First, it is NOT a problem to accept your own authenticated user's mail via their IPv6 connection to your server. Therefore, for the point I'm raising, consider that the millions of a large ISP's *own* customers can transition to sending their mail through that ISP's mail server via IPv6 without any problems. (If problems arise, it would probably be more a problem with weak authentication?)

But for all other mail, such as mail sent from valid mail servers to other valid mail servers... then the following two suggestions would go a long way:

(1) Simply don't accept IPv6 mail for the foreseeable future. (In this case, scarcity of IPv4 addresses is a FEATURE, not a bug.)

(2) And/or limit (what would be considered) valid IPv6 mail servers to those assigned a particular IP on particularly large-sized block... then sending IP not within those specs.

(3) MANY hosters who aren't deliberate spammers, but really don't care to police abusive customers much except when dragged kicking and screaming... and there are MANY such hosters... have a motivation to keep their IPv4 mail server addresses "clean". In an IPv6 world, I think they'll not care because they'll get these huge allocations where they'll figure that they have YEARS of IP blocks to burn through before recycling them. As it stands now, if they get too sloppy, then their next customer isn't happy when senderbase.org has their new IPs as already in the "poor" category. Again, THAT is a feature, not a bug. Moreover, as I said, scarcity of IPs, with regards to mail servers, is a feature... not a bug.

If these suggestions are not followed/heeded, MANY reading this right now will look back a decade from now and say, "wouldn't it have been great if we could have somehow created a situation where valid mail server IPs for IPv6 could have been more scarce and not a free-for-all?"

In the "free for all" world, a spammer could send thousands or even millions of spams, each from a different IPv6 address... with each IP indexed back to the sender (to aid in "listwashing" of recipient addresses that triggered blacklistings), and not use a single IP twice. Furthermore, even if the IPs are blacklisted at the /64 level, as I understand it, some of the allocations happening are so generous, this statement could still be somewhat true where the spammer sends each spam from a separate /64 block? Certainly, 65,536 /64 blocks in a /24 allocation is a hell of a lot more /64 blocks to burn through than the 256 IPs in an IPv4 /24 allocation!!!

Again, keep in mind that the massive expansion of sending IP from a customer that is routed via to their own ISP's mail server, hopefully using authentication, is unaffected by this suggestion. So your future refrigerator and oven can STILL send you an e-mail from its IPv6 IP address.

--
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
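
The /64-level blacklisting mentioned in the message above, as an added example that is not part of the original post: spam sources are collapsed to their /64, and a parent prefix is listed as a whole once enough distinct /64s inside it have sent spam. The /48 parent size, the threshold of 3 and the sample addresses (from the 2001:db8::/32 documentation range) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source addresses of messages already classified as spam.
# The first sender never reuses an address or a /64; the second reuses one /64.
SAMPLE_SPAM_SOURCES = [
    "2001:db8:aaaa:1::a1",
    "2001:db8:aaaa:2::b2",
    "2001:db8:aaaa:3::c3",
    "2001:db8:aaaa:4::d4",
    "2001:db8:bbbb:1::25",
    "2001:db8:bbbb:1::26",
]


def build_listings(spam_sources, host_len=64, parent_len=48, escalate_at=3):
    """Return the networks to list, aggregated so single-use addresses still match.

    host_len, parent_len and escalate_at are illustrative policy knobs
    (assumptions), not values taken from any real DNSBL.
    """
    per_parent = defaultdict(set)
    for text in spam_sources:
        addr = ipaddress.ip_address(text)
        if addr.version != 6:
            continue  # IPv4 sources are out of scope for this sketch
        # Listing the exact address is useless if it is never used twice,
        # so record the covering /64 instead.
        child = ipaddress.ip_network(f"{addr}/{host_len}", strict=False)
        per_parent[child.supernet(new_prefix=parent_len)].add(child)

    listed = []
    for parent, children in per_parent.items():
        if len(children) >= escalate_at:
            listed.append(parent)      # many /64s burned: list the parent
        else:
            listed.extend(children)    # isolated abuse: list only the /64s
    return sorted(listed)


def is_listed(text, listings):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(text)
    return any(addr in net for net in listings)


if __name__ == "__main__":
    nets = build_listings(SAMPLE_SPAM_SOURCES)
    print([str(n) for n in nets])
    print(is_listed("2001:db8:aaaa:ffff::1", nets))  # fresh /64, same parent
```

Escalating to the parent prefix trades precision for coverage: a never-before-seen /64 inside an escalated prefix matches immediately, but so does any unrelated customer sharing that prefix.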