ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

Rob McEwen rob at invaluement.com
Fri Jun 15 20:30:31 UTC 2012


On 6/15/2012 11:59 AM, Jay Ashworth wrote:
> http://news.cnet.com/8301-1009_3-57453738-83/fbi-dea-warn-ipv6-could-shield-criminals-from-police/

I don't know how much of this has been covered on NANOG, and I
personally have a healthy innate distrust of government power grabs and
intrusive government information grabs.

However, having said that, as someone on the anti-spam front lines, I
think that IPv6 may well be a tremendous gift to spammers if accepting
mail from IPv6 becomes a free-for-all, as I understand it to be.

First, it is NOT a problem to accept your own authenticated user's mail
via their IPv6 connection to your server. Therefore, for the point I'm
raising, consider that the millions of a large ISP's *own* customers can
transition to sending their mail through that ISP's mail server via IPv6
without any problems. (If problems arise, it would probably be more a
problem with weak authentication?)

But for all other mail, such as mail sent from valid mail servers to
other valid mail servers... then the following two suggestions would go
a long way:

(1) simply don't accept IPv6 mail for the foreseeable future. (In this
case, scarcity of IPv4 addresses is a FEATURE, not a bug.)

(2) And/or limit (what would be considered) valid IPv6 mail servers to
those assigned a particular IP on a particularly large-sized block... then
sending IP not within those specs.

(3) MANY hosters who aren't deliberate spammers, but really don't care
to police abusive customers much except when dragged kicking and
screaming... and there are MANY such hosters... have a motivation to
keep their IPv4 mail server addresses "clean". In an IPv6 world, I think
they'll not care because they'll get these huge allocations where
they'll figure that they have YEARS of IP blocks to burn through before
recycling them. As it stands now, if they get too sloppy, then their
next customer isn't happy when senderbase.org has their new IPs as
already in the "poor" category. Again, THAT is a feature, not a bug.

Moreover, as I said, scarcity of IPs, with regards to mail servers, is a
feature... not a bug. If these suggestions are not followed/heeded, MANY
reading this right now will look back a decade from now and say,
"wouldn't it have been great if we could have somehow created a
situation where valid mail server IPs for IPv6 could have been more
scarce and not a free-for-all?"

In the "free for all" world, a spammer could send thousands or even
millions of spams, each from a different IPv6 address... with each IP
indexed back to the sender (to aid in "listwashing" of recipient
addresses that triggered blacklistings), and not use a single IP twice.
Furthermore, even if the IPs are blacklisted at the /64 level, as I
understand it, some of the allocations happening are so generous, this
statement could still be somewhat true where the spammer sends each spam
from a separate /64 block? Certainly, 65,536 /64 blocks in a /24
allocation is a hell of a lot more /64 blocks to burn through than the
256 IPs in an IPv4 /24 allocation!!!

Again, keep in mind that the massive expansion of sending IP from a
customer that is routed via to their own ISP's mail server, hopefully
using authentication, is unaffected by this suggestion. So your future
refrigerator and oven can STILL send you an e-mail from its IPv6 IP address.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob at invaluement.com
+1 (478) 475-9032
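
Added example, not part of the original post: a sketch of prefix-level aggregation a receiving mail server or DNSBL could use so that a sender rotating through addresses or /64 blocks still accumulates reputation. The sample addresses (documentation space 2001:db8::/32), the threshold, the prefix levels and all function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of sending addresses (2001:db8::/32 is documentation space).
SAMPLE_SENDERS = [
    # one sender rotating addresses inside a single /64
    "2001:db8:aaaa:1::1", "2001:db8:aaaa:1::2",
    "2001:db8:aaaa:1::3", "2001:db8:aaaa:1::4",
    # one sender rotating /64 blocks inside a single /48
    "2001:db8:bbbb:1::1", "2001:db8:bbbb:2::1",
    "2001:db8:bbbb:3::1", "2001:db8:bbbb:4::1",
    # a single message from an unrelated server
    "2001:db8:cccc:1::25",
]

def covering(addr, prefix_len):
    """Return the covering prefix of the given length, e.g. '2001:db8:aaaa:1::/64'."""
    return str(ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False))

def aggregate(addresses, prefix_len):
    """Count messages per covering prefix of the given length."""
    return Counter(covering(a, prefix_len) for a in addresses)

def prefixes_to_list(addresses, threshold=3, levels=(128, 64, 48)):
    """For each sender, pick the most specific prefix that reaches the threshold.

    Escalating to a shorter prefix catches rotation across /64s, at the cost of
    possible collateral listing of neighbours, so the threshold is a policy choice.
    """
    tables = {n: aggregate(addresses, n) for n in levels}
    listed = set()
    for addr in addresses:
        for n in levels:  # most specific level first
            net = covering(addr, n)
            if tables[n][net] >= threshold:
                listed.add(net)
                break
    return listed

def count_slash64(allocation):
    """Number of /64 blocks inside an IPv6 allocation of length /64 or shorter."""
    net = ipaddress.IPv6Network(allocation)
    if net.prefixlen > 64:
        raise ValueError("allocation is smaller than a /64")
    return 2 ** (64 - net.prefixlen)

if __name__ == "__main__":
    print(sorted(prefixes_to_list(SAMPLE_SENDERS)))
    print(count_slash64("2001:db8::/48"))
```

Per-address counting never sees a repeat in this sample, while the /64 and /48 tables expose both rotating senders and leave the single-message server unlisted.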




