How to wish you hadn't forced ipv6 adoption (was "How to force rapid ipv6 adoption")

Mark Andrews marka at isc.org
Fri Oct 2 03:44:02 UTC 2015


In message <560DF4BA.5000500 at invaluement.com>, Rob McEwen writes:
> RE: How to wish you hadn't rushed ipv6 adoption
> 
> Force the whole world to switch to IPv6 within the foreseeable future, 
> abolish IPv4... all within several years or even within 50 years... and 
> then watch spam filtering worldwide get knocked back to the stone ages 
> while spammers and blackhat and grayhat ESPs laugh their way to the 
> bank... that is, until e-mail becomes unworkable and is virtually abandoned.
> 
> I welcome IPv6 adoption in the near future in all but one area: the 
> sending IPs of valid mail servers. Those need to stay IPv4 for as long 
> as reasonably possible.
> 
> It turns out... the scarcity of IPv4 IPs in THIS area... is a feature, 
> not a bug.
> 
> That scarcity makes it harder for spammers to acquire new IPs, and they 
> therefore pay a price for the ones they burn through via their 
> spam-sending. Likewise, scarcity of IPv4 IPs *forces* ESPs, hosters, and 
> ISPs to try HARD to keep their IPs clean. THEY pay a price when a 
> bad-apple customer soils up their IP space.
> 
> In contrast, with IPv6, orders of magnitude MORE IPs are easily acquired, 
> and orders of magnitude more are in each allocation. It is truly a 
> spammer's dream come true. This reminds me about a recent article Brian 
> Krebs wrote about a famous hoster who slowly drove their business into 
> the ground by allowing in the kind of spammers that look a little legit 
> at first glance. (like the "CAN-SPAM" spammers who are doing nothing 
> illegal, follow the law, but still send to purchased lists). But even as 
> this hoster's bank account was bursting at the seams with cash due to a 
> booming business, their IP space's reputation was slowly turning into 
> crap. Eventually, they started losing even their spammer customers. 
> Then, their CEO made a decision to get serious about abuse and keeping 
> spammers off of their network---and this turned into a success story 
> where they now run a successful hosting business without the spammers. 
> In an IPv6 world, I wonder if they would have ever even cared? There 
> would always be new fresh IPv6 IPs to acquire! There would never have 
> been the "motivation" to turn things around. There would always be new 
> IPv6 IPs to move on to. (or at least enough available to "kick the can 
> down the road" and not worry about any long term repercussions). It was 
> ONLY when this CEO started seeing even the spammers start to leave him 
> (along with some SpamHaus blacklistings)! that he realized that his IP 
> reputation would eventually get so bad that he would be virtually out of 
> business. It was ONLY then that he decided to make changes. Would this 
> have happened in an all-IPv6 world? I highly doubt it! He'd just keep 
> moving on to fresh IPs!
> 
> The cumulative sum total of all those hosters and ESPs downward 
> spiraling in an IPv6 world... could cause the spam problem to GREATLY 
> accelerate.
> 
> Meanwhile, sender IP blacklists would become useless in an IPv6 world 
> because the spammer now has enough IPs (in many scenarios) to EVEN SEND 
> ONE SPAM PER IP, never to have to use that one IP again FOR YEARS, if 
> ever. So a blacklisting is ineffective... and actually helps the spammer 
> to listwash spamtrap addresses... since the ONE listing maps to a single 
> recipient address. Now the sender's IP blacklist is even less effective 
> and is helping the spammers more than it is blocking spam! And did I 
> mention that the sender's IP list has bloated so large that it is hard 
> to host in DNS and hard to distribute--and most of the listings are now 
> useless anyways!
> 
> Yes, there are other types of spam filtering... including content 
> filtering techniques. But in the real world, these only work because the 
> heavy lifting is ALREADY done by the sender's IP blacklist. The vast 
> majority of this worldwide "heavy lifting" is done by 
> "zen.spamhaus.org". If many of the largest ISPs suddenly lost access to 
> Zen, some such filters would be in huge trouble.... brought down to 
> their knees. Now imagine that all the other sending-IP blacklists are 
> gone too? In that spammer's dream scenario, the spammer has upgraded to 
> a Lamborghini, while the spam filters have reverted back to the horse 
> and buggy. Seriously, that analogy isn't the slightest bit of an exaggeration.
> 
> Yes, you can STILL have your toaster and refrigerator and car send mail 
> from an IPv6 address... they would just need to SMTP-Authenticate to a 
> valid mail server... via an IPv6 connection... yet where that valid MTA 
> would then send their mail to another MTA via IPv4. Since the number of 
> IPv4 IPs needed for such valid mail servers is actually very, very small 
> (relatively speaking), then it isn't a big problem for THOSE to get IPv4 
> addresses, at a trivial cost. We might even see IPv4 open up a bit as 
> OTHER services move to IPv6. IPv6 addresses NOT being able to send 
> directly to the e-mail recipient's IPv4 mail servers might actually help 
> cut down on botnet spam, which is an added plus! (whereas those IPv6's 
> IPv4 predecessors sometimes could send that botnet spam directly to the 
> recipient's mail server).
> 
> So push IPv6 all you want... even "force" it... but please don't be too 
> quick to rush the elimination of IPv4 anytime soon. And let's keep MTA 
> sending IPs (which is server-to-server traffic) as IPv4-only, even if 
> they are able to receive their own customers' SMTP auth mail via IPv6.
> 
> Otherwise, we'll be having discussions one day about how to limit WHICH 
> and HOW MANY IPv6 addresses can be assigned to MTAs! (hey, maybe that 
> isn't a bad idea either!)
> 
> -- 
> Rob McEwen
> 

IPv6 really isn't much different to IPv4.  You use sites /48's
rather than addresses /32's (which are effectively sites).  ISPs
still need to justify their address space allocations to RIRs so
there isn't infinite numbers of sites that a spammer can get.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
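
The reply's point, that an IPv6 /48 plays the role of an IPv4 /32 for reputation purposes, as an added example that is not part of either message: it counts spam reports per address and per site prefix over a constructed sender list (documentation prefixes 2001:db8::/32 and 203.0.113.0/24). The threshold, function names and sample data are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Prefix length used as the listing unit, keyed by IP version.
PER_ADDRESS = {4: 32, 6: 128}  # one listing per single address
PER_SITE = {4: 32, 6: 48}      # IPv6 /48 treated like an IPv4 /32

def bucket(addr, prefix_len):
    """Map a sender address to the prefix its reputation is tracked under."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is really an IPv4 sender.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    net = ipaddress.ip_network(f"{ip}/{prefix_len[ip.version]}", strict=False)
    return str(net)

def listed(senders, threshold, prefix_len):
    """Return {prefix: report count} for prefixes at or above the threshold."""
    counts = Counter(bucket(a, prefix_len) for a in senders)
    return {p: n for p, n in counts.items() if n >= threshold}

def sample_senders():
    """Constructed spam reports, one entry per reported message."""
    # One site sending a single message from each of 300 different /64s.
    rotating = [f"2001:db8:1234:{i:x}::1" for i in range(300)]
    # A different site with a single report.
    quiet = ["2001:db8:beef::25"]
    # An IPv4 sender, seen twice natively and once as an IPv4-mapped address.
    v4 = ["203.0.113.7", "203.0.113.7", "::ffff:203.0.113.7"]
    return rotating + quiet + v4

if __name__ == "__main__":
    senders = sample_senders()
    print("per address:", listed(senders, 3, PER_ADDRESS))
    print("per site:   ", listed(senders, 3, PER_SITE))
```

Per-address counting never sees the rotating site cross the threshold, while per-/48 counting lists it with all 300 reports and leaves the single-report site alone.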


