Re: [Asrg] [ASRG] SMTP pull anyone?

Tim Chown <tjc@ecs.soton.ac.uk> Thu, 27 August 2009 09:26 UTC

Return-Path: <tjc@ecs.soton.ac.uk>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B96B33A6DC8 for <asrg@core3.amsl.com>; Thu, 27 Aug 2009 02:26:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N9AYlhDl9VDR for <asrg@core3.amsl.com>; Thu, 27 Aug 2009 02:26:40 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [IPv6:2001:630:d0:f102::25e]) by core3.amsl.com (Postfix) with ESMTP id E72413A6B1C for <asrg@irtf.org>; Thu, 27 Aug 2009 02:26:39 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (localhost.ecs.soton.ac.uk [127.0.0.1]) by falcon.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id n7R9Qhdh022867 for <asrg@irtf.org>; Thu, 27 Aug 2009 10:26:43 +0100
X-DKIM: Sendmail DKIM Filter v2.8.2 falcon.ecs.soton.ac.uk n7R9Qhdh022867
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=ecs.soton.ac.uk; s=200903; t=1251365203; bh=vx8B81Kw1ZUCut57u2eOxhVHfpQ=; h=Date:From:To:Subject:References:Mime-Version:In-Reply-To; b=23dzXVQuoML9IP5vfIa27DgE/b1zxrL7BjStZiUOK9A+Ikj3GtpDAizVXN3ZaW61U SKWg7Eya/jfVMtYn1uffJ5ZbzDksZDhHmoDuw/oOm14qy5eWHUWanPOpewug/ocVJU kg5Tp2Y/BCRKp05mjatpJjEG/9nWwICBbMpYbeGg=
Received: from gander.ecs.soton.ac.uk ([2001:630:d0:f102:21d:9ff:fe22:9fc]) by falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [2001:630:d0:f102:21e:c9ff:fe2e:e915]) envelope-from <tjc@ecs.soton.ac.uk> with ESMTP id l7QAQh0427703426cp ret-id none; Thu, 27 Aug 2009 10:26:43 +0100
Received: from login.ecs.soton.ac.uk (login.ecs.soton.ac.uk [IPv6:2001:630:d0:f102:230:48ff:fe59:5f12]) by gander.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id n7R9QYVG021982 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <asrg@irtf.org>; Thu, 27 Aug 2009 10:26:34 +0100
Received: from login.ecs.soton.ac.uk (localhost.localdomain [127.0.0.1]) by login.ecs.soton.ac.uk (8.13.8/8.11.6) with ESMTP id n7R9QXfH007305 for <asrg@irtf.org>; Thu, 27 Aug 2009 10:26:33 +0100
Received: (from tjc@localhost) by login.ecs.soton.ac.uk (8.13.8/8.13.8/Submit) id n7R9QXUM007304 for asrg@irtf.org; Thu, 27 Aug 2009 10:26:33 +0100
Date: Thu, 27 Aug 2009 10:26:33 +0100
From: Tim Chown <tjc@ecs.soton.ac.uk>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <EMEW3|58a020d42973ba230015fc29c44e0564l7QAQh03tjc|ecs.soton.ac.uk|2633.GB4842@login.ecs.soton.ac.uk>
References: <20090826180601.79333.qmail@simone.iecc.com> <Pine.GSO.4.64.0908261605410.13418@nber5.nber.org> <20090827092633.GB4842@login.ecs.soton.ac.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.64.0908261605410.13418@nber5.nber.org>
User-Agent: Mutt/1.4.2.2i
X-ECS-MailScanner: Found to be clean, Found to be clean
X-smtpf-Report: client=relay,forged,no_ptr,ipv6; mail=; rcpt=
X-ECS-MailScanner-Information: Please contact the ISP for more information
X-ECS-MailScanner-ID: n7R9Qhdh022867
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
Subject: Re: [Asrg] [ASRG] SMTP pull anyone?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2009 09:26:41 -0000

On Wed, Aug 26, 2009 at 05:22:35PM -0400, Daniel Feenberg wrote:
> 
> I think it unlikely that an IPv6 only MTA will ever have acceptance even 
> as wide as, for instance, MTAs with "pool" or "dial-up" in their RDNS. 
> IPv6 only MTAs will be refused by many MTAs. There are simply too many 
> IPv6 addresses to blacklist bad hats, and blacklisting /48s would be a 
> very broad brush. The advantage of IPv4 is that the number of addresses is 
> finite, and legitimate holders of addresses are loath to waste them.
> 
> I understand that many IPv6 capable MTAs exist, but I expect they do all 
> or nearly all of their external traffic via IPv4. I don't mean a general 
> condemdantion of IPv6, I am only saying that SMTP traffic from strangers 
> on IPv6 is not likely to be worthwhile.

I think this assumption has some problems, particularly in the area of
IPv6 transition.

If one assumes that RFC3974 is still generally valid, and sites use both
A and AAAA records for MXes (as we do here), then such sites may receive
email via IPv4 or IPv6, depending on the preference of the sending MTA.
And that's the important thing - that MTA if sendmail (for example)
defaults to trying IPv6 first, so you won't just receive IPv6 SMTP
connections by being IPv6 only, but also from any sender who, probably
like you, is dual-stack.

We choose to run MTAs dual-stack so we can accept mail (internally or
externally) from IPv4-only, IPv6-only or of course dual-stack nodes.

I think if you reject IPv6 SMTP, even if 'just' from strangers, you 
make transition harder - you either don't turn on v6, or if you do you
prefer v4 over v6.  Neither helps transition.

Based on our stats from June, we received an average of 158,000 messages
per day over IPv4 transport, of which 81% were deemed spam, while we 
received 438 (yes, 438!) messages via per day IPv6, of which 32% were spam.
So even for us, v6 is less than 1% of all received mail.

The spam was largely from dual-stack mail list servers, not from random
clients/hosts.   But it's interesting to look at specific connections -
non list spam tends to come from autoconfigured v6 addresses (implying
desktops) while 'good' mail comes from apparently manually configured
IPv6 addresses (because v6 admins know to not use autoconf addresses on
their servers).

One day I will convert the experience of 3+ years of running a dual-stack
MTA in production to a draft, and analyse the (at least) year's worth of 
data on v6 spam sources that we have :)

Tim