funsec mailing list archives
Re: Why spam blacklisting isn't going to work anymore ...
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Thu, 14 Apr 2011 05:41:32 -0700
Errr, putzus maximus revisits math and points out that it is 2^40 AAAA RRs, IE 2^8 x current Internet (256), DOH! It was late.
-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Tomas L. Byrnes
Sent: Wednesday, April 13, 2011 10:14 PM
To: Valdis.Kletnieks () vt edu; rmslade () shaw ca
Cc: funsec () linuxbox org
Subject: Re: [funsec] Why spam blacklisting isn't going to work anymore ...

The real issue isn't that you can't block an entire CIDR, but that the current DNSBL query methods compare with the full IP, which means that caching becomes useless, since the /56 that a given user gets can be cycled through randomly with more than the 2^40 times the current Internet worth of AAAA RRs. Sure, you can have the entire CIDR in your DNSBL, but you can't use that DNSBL, using current methods, effectively, since you have to reverse, query, and wait for each source IP.

You need to preload, and use an alternate query method. RFC 3123 is a good start for such a method. It's part of how we do this in ThreatSTOP.

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Valdis.Kletnieks () vt edu
Sent: Wednesday, March 09, 2011 7:06 AM
To: rmslade () shaw ca
Cc: funsec () linuxbox org
Subject: Re: [funsec] Why spam blacklisting isn't going to work anymore ...

On Tue, 08 Mar 2011 13:38:11 PST, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:

http://www.theregister.co.uk/2011/03/08/ipv6_spam_filtering_headache/

What total bozo blocks single IP addresses anyhow? The chances it's a snowshoe spammer are high enough that if you're going to go that route, you just block the whole /24 (or more).

And if you can figure out how to block an IPv4 /24, the additional clue to figure out how to block an IPv6 /56 or /48 isn't much. And if you can't figure out how to block a /24, the secret is to keep banging the rocks together...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
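
The caching problem and the preloaded-prefix alternative described in the message above, as an added example (not part of the original posts and not ThreatSTOP's code): it builds per-address DNSBL query names for sources drawn from one /56, then matches the same sources against a preloaded list written in RFC 3123 APL text form. The zone `dnsbl.example`, the documentation prefixes, and treating a `!` item as an exception to a shorter prefix are assumptions.

```python
import ipaddress
import random

ZONE = "dnsbl.example"  # assumed placeholder zone, not a real blocklist

def dnsbl_qname(ip, zone=ZONE):
    """Per-address DNSBL name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return rev.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def parse_apl(rdata):
    """Parse RFC 3123 APL text form: whitespace-separated [!]afi:address/prefix."""
    items = []
    for tok in rdata.split():
        negate = tok.startswith("!")
        afi, _, cidr = tok.lstrip("!").partition(":")
        net = ipaddress.ip_network(cidr, strict=False)
        if (afi, net.version) not in (("1", 4), ("2", 6)):  # AFI 1=IPv4, 2=IPv6
            raise ValueError(f"AFI does not match address in {tok!r}")
        items.append((negate, net))
    return items

def apl_blocks(items, ip):
    """Longest matching prefix decides; a '!' item is an exception (assumption)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for negate, net in items:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (negate, net)
    return best is not None and not best[0]

def demo(n=1000, seed=1):
    """Draw n constructed sources from one /56; compare the two lookup styles."""
    rng = random.Random(seed)
    net = ipaddress.ip_network("2001:db8:0:ff00::/56")  # documentation range
    srcs = [net[rng.randrange(net.num_addresses)] for _ in range(n)]
    qnames = {dnsbl_qname(s) for s in srcs}  # one cache key per source address
    apl = parse_apl("1:192.0.2.0/24 2:2001:db8:0:ff00::/56 !2:2001:db8:0:ff42::/64")
    blocked = sum(apl_blocks(apl, s) for s in srcs)  # local match, no DNS wait
    return len(qnames), len(apl), blocked

if __name__ == "__main__":
    distinct, entries, blocked = demo()
    print(f"{distinct} distinct per-IP query names; {entries} preloaded items "
          f"blocked {blocked} of them")
```

Every source in the /56 yields a different 32-nibble query name, so a resolver cache keyed on the name never gets a hit, while the preloaded prefix list answers from three entries.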