How to wish you hadn't forced ipv6 adoption (was "How to force rapid ipv6 adoption")

cortana5 at gmail.com cortana5 at gmail.com
Fri Oct 2 03:18:28 UTC 2015


Greetings,

Excuse my probable ignorance of such matters, but would it not then be
preferred to create a whitelist of proven email servers/IPs, and just
drop the rest?  Granted, one would have to create a process to vet anyone
creating a new email server, but would that not be easier than trying to
create and maintain new blacklists?

- Blake

On Thu, Oct 1, 2015 at 8:07 PM Rob McEwen <rob at invaluement.com> wrote:

> RE: How to wish you hadn't rushed ipv6 adoption
>
> Force the whole world to switch to IPv6 within the foreseeable future,
> abolish IPv4... all within several years or even within 50 years... and
> then watch spam filtering worldwide get knocked back to the stone ages
> while spammers and blackhat and grayhat ESPs laugh their way to the
> bank... that is, until e-mail becomes unworkable and is virtually
> abandoned.
>
> I welcome IPv6 adoption in the near future in all but one area: the
> sending IPs of valid mail servers. Those need to stay IPv4 for as long
> as reasonably possible.
>
> It turns out... the scarcity of IPv4 IPs in THIS area... is a feature,
> not a bug.
>
> That scarcity makes it harder for spammers to acquire new IPs, and they
> therefore pay a price for the ones they burn through via their
> spam-sending. Likewise, scarcity of IPv4 IPs *forces* ESPs, hosters, and
> ISPs to try HARD to keep their IPs clean. THEY pay a price when a
> bad-apple customer soils up their IP space.
>
> In contrast, with IPv6, order of magnitude MORE IPs are easily acquired,
> and order of magnitude more are in each allocation. It is truly a
> spammer's dream come true. This reminds me about a recent article Brian
> Krebs wrote about a famous hoster who slowly drove their business into
> the ground by allowing in the kind of spammers that look a little legit
> at first glance. (like the "CAN-SPAM" spammers who are doing nothing
> illegal, follow the law, but still send to purchased lists). But even as
> this hoster's bank account was bursting at the seams with cash due to a
> booming business, their IP space's reputation was slowly turning into
> crap. Eventually, they started losing even their spammer customers.
> Then, their CEO made a decision to get serious about abuse and keeping
> spammers off of their network---and this turned into a success story
> where they now run a successful hosting business without the spammers.
> In an IPv6 world, I wonder if they would have ever even cared? There
> would always be new fresh IPv6 IPs to acquire! There would never have
> been the "motivation" to turn things around. There would always be new
> IPv6 IPs to move on to. (or at least enough available to "kick the can
> down the road" and not worry about any long term repercussions). It was
> ONLY when this CEO started seeing even the spammers start to leave him
> (along with some Spamhaus blacklistings!) that he realized that his IP
> reputation would eventually get so bad that he would be virtually out of
> business. It was ONLY then that he decided to make changes. Would this
> have happened in an all-IPv6 world? I highly doubt it! He'd just keep
> moving on to fresh IPs!
>
> The cumulative sum total of all those hosters and ESPs downward
> spiraling in an IPv6 world... could cause the spam problem to GREATLY
> accelerate.
>
> Meanwhile, sender IP blacklists would become useless in an IPv6 world
> because the spammer now has enough IPs (in many scenarios) to EVEN SEND
> ONE SPAM PER IP, never to have to use that one IP again FOR YEARS, if
> ever. So a blacklisting is ineffective... and actually helps the spammer
> to listwash spamtrap addresses... since the ONE listing maps to a single
> recipient address. Now the sender's IP blacklist is even less effective
> and is helping the spammers more than it is blocking spam! And did I
> mention that the sender's IP list has bloated so large that it is hard
> to host in DNS and hard to distribute--and most of the listings are now
> useless anyways!
>
> Yes, there are other types of spam filtering... including content
> filtering techniques. But in the real world, these only work because the
> heavy lifting is ALREADY done by the sender's IP blacklist. The vast
> majority of this worldwide "heavy lifting" is done by
> "zen.spamhaus.org". If many of the largest ISPs suddenly lost access to
> Zen, some such filters would be in huge trouble.... brought down to
> their knees. Now imagine that all the other sending-IP blacklists are
> gone too? In that spammer's dream scenario, the spammer has upgraded to
> a Lamborghini, while the spam filters have reverted back to the horse
> and buggy. Seriously, that analogy isn't the slightest bit of an
> exaggeration.
>
> Yes, you can STILL have your toaster and refrigerator and car send mail
> from an IPv6 address... they would just need to SMTP-Authenticate to a
> valid mail server... via an IPv6 connection... yet where that valid MTA
> would then send their mail to another MTA via IPv4. Since the number of
> IPv4 IPs needed for such valid mail servers is actually very, very small
> (relatively speaking), then it isn't a big problem for THOSE to get IPv4
> addresses, at a trivial cost. We might even see IPv4 open up a bit as
> OTHER services move to IPv6. IPv6 addresses NOT being able to send
> directly to the e-mail recipient's IPv4 mail servers might actually help
> cut down on botnet spam, which is an added plus! (whereas those IPv6's
> IPv4 predecessors sometimes could send that botnet spam directly to the
> recipient's mail server).
>
> So push IPv6 all you want... even "force" it... but please don't be too
> quick to rush the elimination of IPv4 anytime soon. And let's keep MTA
> sending IPs (which is server-to-server traffic) as IPv4-only, even if
> they are able to receive their own customers' SMTP auth mail via IPv6.
>
> Otherwise, we'll be having discussions one day about how to limit WHICH
> and HOW MANY IPv6 addresses can be assigned to MTAs! (hey, maybe that
> isn't a bad idea either!)
>
> --
> Rob McEwen
>
>
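
The blocklist argument in the quoted message, worked through as a small simulation (an added example, not code from either poster). The listing model, the 1,000-message volume, the documentation-range addresses and the vetted relay address are assumptions made for illustration; the last case applies the allowlist idea from the reply.

```python
import ipaddress
from itertools import cycle, islice

MESSAGES = 1000  # constructed volume for the comparison
VETTED = {ipaddress.ip_address("198.51.100.25")}  # hypothetical vetted relay

def replay(sources, allowlist=None):
    """Replay unwanted-mail connections through a per-address sender blocklist.

    Assumed model: a message from an unlisted address is delivered, lands in
    a spamtrap, and gets that single address listed. With `allowlist` set,
    only addresses on it are accepted at all (the whitelist proposal).
    """
    listed, delivered, blocked = set(), 0, 0
    for ip in sources:
        if allowlist is not None and ip not in allowlist:
            blocked += 1          # not a vetted server: dropped outright
        elif ip in listed:
            blocked += 1          # per-address listing catches a reused address
        else:
            delivered += 1        # first sighting gets through, then is listed
            listed.add(ip)
    return {"delivered": delivered, "blocked": blocked, "list_size": len(listed)}

def ipv4_sender():
    """Scarce space: the sender must reuse the 8 addresses of one /29."""
    pool = list(ipaddress.ip_network("192.0.2.0/29"))
    return list(islice(cycle(pool), MESSAGES))

def ipv6_sender():
    """Abundant space: one never-reused address per message out of one /64."""
    base = ipaddress.ip_network("2001:db8::/64").network_address
    return [base + i for i in range(1, MESSAGES + 1)]

if __name__ == "__main__":
    print("IPv4, per-address list:", replay(ipv4_sender()))
    print("IPv6, per-address list:", replay(ipv6_sender()))
    print("IPv6, allowlist only  :", replay(ipv6_sender(), allowlist=VETTED))
```

In the IPv6 run every listing is used exactly once, so the list grows with the message count while blocking nothing, which is the bloat-without-benefit outcome the message describes.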


