Hi Gert, On Wed, 2014-02-19 at 10:54 +0100, Gert Doering wrote:
> Hi,
>
> On Wed, Feb 19, 2014 at 02:45:33PM +1000, Noel Butler wrote:
> > We block only by IP from whatever spam source is used (4, or 6), and
> > rbldnsd handles ipv6 nicely (albeit in /64's - fair enough too, since
> > most end users get that, typically), so your MTA's query would get a
> > response from your DNSBL if it has an entry.
>
> Blocking by /64 by default is likely to get collateral damage. Enough
> people do shared subnets with multiple customers in the same /64 - while
> I won't recommend it, it is *done*, and blocking the whole /64 because
> you have seen SPAM from a single IP out of it is hurting the wrong
> people.
>
But, since pretty much every end user gets a /64 (I accept some web
hosts and vps services do not work that way - including one of my vps
providers), blocking a /64 would be identical to blocking a single IPv4
address with NAT, so should be overall, no worse than what we've been
doing for decades.
I would prefer it if rbldnsd allowed smaller, or even singular, but it
does not, and the reasoning that was given was fair enough, it only
allows a single IPv6 address if it is an exclusion, you may know this
already, but for others, as an eg to take out fdid:c01d:1ce:ab/64 but
allow real mail server fdid:c01d:1ce:ab::10you use
fdid:c01d:1ce:ab
!fdid:c01d:01ce:ab00:0000:0000:0000:0010
It accepts no other approaches
(note: If I block an IPv6 address in postfix's access files, I usually
only block singular, unless I end up with a few addresses in same /64,
then I'll change to /64 and clear out the singles)
> And yes, I've seen that in the wild, Ironport reputation for a very
> well-behaved machine going down the drain because of "bad neighbourhood".
>
ironport *shudders* I never let external orgs decide who I can trust,
what's that saying... "trust is earned, not bought"
Cheers
signature.asc
Description: This is a digitally signed message part
