Re: [Asrg] DNSBL and IPv6

Paul Smith <paul@pscs.co.uk> Thu, 25 October 2012 14:50 UTC

From: Paul Smith <paul@pscs.co.uk>
Date: Thu, 25 Oct 2012 15:37:51 +0100
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Subject: Re: [Asrg] DNSBL and IPv6
In-Reply-To: <0D79787962F6AE4B84B2CC41FC957D0B0D22655F@abn-exch1b.green.sophos>

On 25/10/2012 13:14, Martijn Grooten wrote:
> Can't we do something entirely different for IPv6? Like, use domain-based filtering by making it mandatory to DKIM-sign a message you send over IPv6 outside of your network? As long as IPv4 and IPv6 are running in parallel it should be possible for an IPv6 MTA to refuse messages that aren't DKIM-signed - and tell the sender to retry over IPv4.
Is it even possible to tell an IPv6 sender to retry over IPv4? I know 
I've seen discussion about whether it should be possible, but I'm fairly 
sure it wasn't at that time (I think it should be possible).

Having a 'retry over IPv4' option would help a lot, especially if we had 
a mechanism to link an IPv6 and an IPv4 attempt - could be a good way of 
bootstrapping an IPv6 reputation system (or whitelist). But, I'm not 
sure the IETF would approve, and it may be too late anyway...

I do think that (with hindsight) IPv6 support for MTAs could have done 
with more thought before it was standardised. Things like requiring DKIM 
(or SPF or some new equivalent) and mechanisms to fall back to IPv4 may 
have been good things to enforce in an IPv6 world by being a mandatory 
part of 'SMTPv6' rather than options, as we'd have to do now. MTA SMTP is 
a totally different world from pretty much everything else IP because, 
although deployment is very widespread, the actual number of legitimate 
MTAs is tiny compared to the rest of the Internet-connected stuff, and 
SMTP is also quite vulnerable to 'legitimate attacks', unlike other 
protocols (e.g. most spam is sent by doing everything according to the 
standards, not by trying to find loopholes in them). IPv6 could have been 
the place to build a 'safe new SMTP world', but that opportunity is 
pretty much gone now :-(


-- 

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
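The receiving-side policy the thread discusses (a DNSBL lookup for IPv4 clients; for IPv6 clients, require a verified DKIM signature and otherwise defer with a temporary failure so the sender can retry over IPv4 while both stacks run in parallel), written out as an added example that is not part of the original post or of any product named in the headers. The DNSBL zone name `bl.example`, the one listed address, the in-memory zone standing in for DNS, and the response texts are all constructed; the "retry over IPv4" hint is plain response text, since no standard signal for it exists.

```python
import ipaddress

# Constructed stand-in for a DNSBL zone (no network access). A hit is the
# conventional 127.0.0.2 answer. Only one IPv4 address is listed here.
CONSTRUCTED_DNSBL_ZONE = {"4.2.0.192.bl.example": "127.0.0.2"}


def dnsbl_query_name(ip: str, zone: str = "bl.example") -> str:
    """Build the DNSBL lookup name for an IPv4 or IPv6 client address.

    IPv4 uses the reversed-octet form. IPv6 uses reversed nibbles (32 labels),
    which is exactly why per-address listing does not scale: a single /64
    holds 2^64 distinct names, so IPv6 reputation has to work per block or
    per domain (hence the DKIM proposal in the thread).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + "." + zone
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + "." + zone


def is_listed(ip: str, lookup=CONSTRUCTED_DNSBL_ZONE.get) -> bool:
    """True if the DNSBL has an A record for the client address."""
    return lookup(dnsbl_query_name(ip)) is not None


def smtp_policy(client_ip: str, dkim_verified: bool):
    """Decide (smtp_code, text) for a message from client_ip.

    IPv4: reject permanently if the address is on the DNSBL, else accept.
    IPv6: accept only with a verified DKIM signature; otherwise return a
    4xx temporary failure so a well-behaved sender requeues and retries,
    which during dual-stack operation may happen over IPv4.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        if is_listed(client_ip):
            return 550, "5.7.1 Client host blocked by DNSBL"
        return 250, "2.0.0 OK"
    if dkim_verified:
        return 250, "2.0.0 OK"
    return 451, "4.7.0 Unsigned mail over IPv6 not accepted here; retry over IPv4"


if __name__ == "__main__":
    for ip, signed in [("192.0.2.4", False), ("198.51.100.7", False),
                       ("2001:db8::1", False), ("2001:db8::1", True)]:
        print(ip, signed, smtp_policy(ip, signed))
```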