funsec mailing list archives

Re: Why spam blacklisting isn't going to work anymore ...


From: Dan White <dwhite () olp net>
Date: Tue, 8 Mar 2011 16:36:41 -0600

On 08/03/11 13:38 -0800, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
http://www.theregister.co.uk/2011/03/08/ipv6_spam_filtering_headache/

Summary:

The migration towards IPv6, which has been made necessary by the expansion
of the internet, will make it harder to filter spam messages, service
providers warn.
...
While this expansion allows far more devices to have a unique internet
address, it creates a host of problems for security service providers, who
have long used databases of known bad IP addresses to maintain blacklists
of junk mail cesspools. Spam-filtering technology typically uses these
blacklists as one (key component) in a multi-stage junk mail filtering
process that also involves examining message contents.
...
"Cloudmark advocates that ISPs do not initially need to be able to receive
mail from IPv6 addresses (on inbound) except from their own customers
(known as outbound)," Paton explained. "This would ensure business
continuity for ISPs and provisioning of ADSL/Cable modems to continue.
This measure will also protect the IPv4 reputation system that is
currently in use and working well."

The rather simple solution (if you're into blacklists) is to treat
compromised traffic as coming from a subnet (such as the containing /64
subnet), rather than an individual address.

This is one of the reasons why I'm assigning v6 subnets in /48 blocks to
customers rather than something shorter, regardless of the complexity of
the customer's network. When it's all said and done, I expect many such
blacklists to reject on the /48 boundary.

-- 
Dan White
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
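
Added example, not part of the original post or of any blacklist operator's code: a sketch of the subnet-based listing the reply describes, comparing per-address (/128), /64 and /48 listing for one reported sender. The class and function names are hypothetical, and all addresses are constructed from the 2001:db8::/32 and 192.0.2.0/24 documentation ranges.

```python
import ipaddress


class PrefixBlocklist:
    """Lists the containing prefix of a reported IPv6 source, not the address."""

    def __init__(self, v6_prefix_len=64):
        self.v6_prefix_len = v6_prefix_len
        self.listed = set()

    def _key(self, addr):
        ip = ipaddress.ip_address(addr)
        # IPv4-mapped IPv6 (::ffff:a.b.c.d) is IPv4 traffic; key it as IPv4.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip.version == 4:
            return ipaddress.ip_network(f"{ip}/32")
        # strict=False masks off the host bits, giving the containing subnet.
        return ipaddress.ip_network(f"{ip}/{self.v6_prefix_len}", strict=False)

    def report(self, addr):
        key = self._key(addr)
        self.listed.add(key)
        return key

    def is_listed(self, addr):
        return self._key(addr) in self.listed


# Constructed sample data: one reported sender and later connecting sources.
REPORTED = "2001:db8:1234:1::a1"
PROBES = [
    "2001:db8:1234:1::b2",   # same /64, different interface identifier
    "2001:db8:1234:2::1",    # same /48 (same customer block), other /64
    "2001:db8:5678:1::1",    # different /48
]


def coverage(reported, probes, prefix_lens=(128, 64, 48)):
    """For each listing granularity, return the probes that would be rejected."""
    result = {}
    for n in prefix_lens:
        bl = PrefixBlocklist(n)
        bl.report(reported)
        result[n] = [p for p in probes if bl.is_listed(p)]
    return result


if __name__ == "__main__":
    for n, hits in coverage(REPORTED, PROBES).items():
        print(f"/{n}: {hits}")
```

Listing at /128 misses a sender that changes its interface identifier inside the same /64; listing at /48 also rejects every other /64 in that customer's block.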

