How to wish you hadn't forced ipv6 adoption (was "How to force rapid ipv6 adoption")

Rob McEwen rob at invaluement.com
Fri Oct 2 03:06:34 UTC 2015


RE: How to wish you hadn't rushed ipv6 adoption

Force the whole world to switch to IPv6 within the foreseeable future, 
abolish IPv4... all within several years or even within 50 years... and 
then watch spam filtering worldwide get knocked back to the stone ages 
while spammers and blackhat and grayhat ESPs laugh their way to the 
bank... that is, until e-mail becomes unworkable and is virtually abandoned.

I welcome IPv6 adoption in the near future in all but one area: the 
sending IPs of valid mail servers. Those need to stay IPv4 for as long 
as reasonably possible.

It turns out... the scarcity of IPv4 IPs in THIS area... is a feature, 
not a bug.

That scarcity makes it harder for spammers to acquire new IPs, and they 
therefore pay a price for the ones they burn through via their 
spam-sending. Likewise, scarcity of IPv4 IPs *forces* ESPs, hosters, and 
ISPs to try HARD to keep their IPs clean. THEY pay a price when a 
bad-apple customer soils up their IP space.

In contrast, with IPv6, order of magnitude MORE IPs are easily acquired, 
and order of magnitude more are in each allocation. It is truly a 
spammer's dream come true. This reminds me about a recent article Brian 
Krebs wrote about a famous hoster who slowly drove their business into 
the ground by allowing in the kind of spammers that look a little legit 
at first glance. (like the "CAN-SPAM" spammers who are doing nothing 
illegal, follow the law, but still send to purchased lists). But even as 
this hoster's bank account was bursting at the seams with cash due to a 
booming business, their IP space's reputation was slowly turning into 
crap. Eventually, they started losing even their spammer customers. 
Then, their CEO made a decision to get serious about abuse and keeping 
spammers off of their network---and this turned into a success story 
where they now run a successful hosting business without the spammers. 
In an IPv6 world, I wonder if they would have ever even cared? There 
would always be new fresh IPv6 IPs to acquire! There would never have 
been the "motivation" to turn things around. There would always be new 
IPv6 IPs to move on to. (or at least enough available to "kick the can 
down the road" and not worry about any long term repercussions). It was 
ONLY when this CEO started seeing even the spammers start to leave him 
(along with some SpamHaus blacklistings!) that he realized that his IP 
reputation would eventually get so bad that he would be virtually out of 
business. It was ONLY then that he decided to make changes. Would this 
have happened in an all-IPv6 world? I highly doubt it! He'd just keep 
moving on to fresh IPs!

The cumulative sum total of all those hosters and ESPs downward 
spiraling in an IPv6 world... could cause the spam problem to GREATLY 
accelerate.

Meanwhile, sender IP blacklists would become useless in an IPv6 world 
because the spammer now has enough IPs (in many scenarios) to EVEN SEND 
ONE SPAM PER IP, never to have to use that one IP again FOR YEARS, if 
ever. So a blacklisting is ineffective... and actually helps the spammer 
to listwash spamtrap addresses... since the ONE listing maps to a single 
recipient address. Now the sender's IP blacklist is even less effective 
and is helping the spammers more than it is blocking spam! And did I 
mention that the sender's IP list has bloated so large that it is hard 
to host in DNS and hard to distribute--and most of the listings are now 
useless anyways!

Yes, there are other types of spam filtering... including content 
filtering techniques. But in the real world, these only work because the 
heavy lifting is ALREADY done by the sender's IP blacklist. The vast 
majority of this worldwide "heavy lifting" is done by 
"zen.spamhaus.org". If many of the largest ISPs suddenly lost access to 
Zen, some such filters would be in huge trouble.... brought down to 
their knees. Now imagine that all the other sending-IP blacklists are 
gone too? In that spammer's dream scenario, the spammer has upgraded to 
a Lamborghini, while the spam filters have reverted back to the horse 
and buggy. Seriously, that analogy isn't the slightest bit of an exaggeration.

Yes, you can STILL have your toaster and refrigerator and car send mail 
from an IPv6 address... they would just need to SMTP-Authenticate to a 
valid mail server... via an IPv6 connection... yet where that valid MTA 
would then send their mail to another MTA via IPv4. Since the number of 
IPv4 IPs needed for such valid mail servers is actually very, very small 
(relatively speaking), then it isn't a big problem for THOSE to get IPv4 
addresses, at a trivial cost. We might even see IPv4 open up a bit as 
OTHER services move to IPv6. IPv6 addresses NOT being able to send 
directly to the e-mail recipient's IPv4 mail servers might actually help 
cut down on botnet spam, which is an added plus! (whereas those IPv6's 
IPv4 predecessors sometimes could send that botnet spam directly to the 
recipient's mail server).

So push IPv6 all you want... even "force" it... but please don't be too 
quick to rush the elimination of IPv4 anytime soon. And let's keep MTA 
sending IPs (which is server-to-server traffic) as IPv4-only, even if 
they are able to receive their own customers' SMTP auth mail via IPv6.

Otherwise, we'll be having discussions one day about how to limit WHICH 
and HOW MANY IPv6 addresses can be assigned to MTAs! (hey, maybe that 
isn't a bad idea either!)

-- 
Rob McEwen
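
The listing arithmetic described in the message, as an added example that is not part of the original post: it builds the DNSBL lookup name for IPv4 and IPv6 senders and counts how many list entries a per-address blacklist needs when every spam comes from a fresh IPv6 address. The addresses are constructed from documentation ranges, and keying listings on a covering /64 is an assumption of this example, not something the post proposes.

```python
import ipaddress
from collections import Counter

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookup name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def listing_key(ip, v6_prefix_len=128):
    """Key a blacklist would store: the address, or its covering IPv6 prefix."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and v6_prefix_len < 128:
        net = ipaddress.ip_network(f"{addr}/{v6_prefix_len}", strict=False)
        return str(net)
    return str(addr)

def entries_needed(spam_sources, v6_prefix_len=128):
    """Map each required listing to the number of spam messages it covers."""
    return Counter(listing_key(ip, v6_prefix_len) for ip in spam_sources)

# Constructed sample: 1000 spams from one IPv4 address, and 1000 spams
# sent one-per-address from inside a single IPv6 /64.
V4_RUN = ["192.0.2.25"] * 1000
_BASE = int(ipaddress.IPv6Address("2001:db8:0:1::"))
V6_RUN = [str(ipaddress.IPv6Address(_BASE + i)) for i in range(1, 1001)]

if __name__ == "__main__":
    print(dnsbl_query_name(V4_RUN[0]))
    print(dnsbl_query_name(V6_RUN[0]))
    cases = (
        ("IPv4, per address", V4_RUN, 128),
        ("IPv6, per address", V6_RUN, 128),
        ("IPv6, per /64 (assumed policy)", V6_RUN, 64),
    )
    for label, run, plen in cases:
        listings = entries_needed(run, plen)
        print(f"{label}: {len(listings)} entries, "
              f"{max(listings.values())} spams covered by the busiest entry")
```

With per-address keys, each IPv6 entry in this run covers exactly one message that has already been delivered, which is the situation the message describes.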



