Hi,

On Thu, Feb 20, 2014 at 08:44:59AM +1000, Noel Butler wrote:
> On Wed, 2014-02-19 at 10:54 +0100, Gert Doering wrote:
>
> > On Wed, Feb 19, 2014 at 02:45:33PM +1000, Noel Butler wrote:
> > > We block only by IP from whatever spam source is used (4, or 6), and
> > > rbldnsd handles ipv6 nicely (albeit in /64's - fair enough too, since
> > > most end users get that, typically), so your MTA's query would get a
> > > response from your DNSBL if it has an entry.
> >
> > Blocking by /64 by default is likely to get collateral damage. Enough
> > people do shared subnets with multiple customers in the same /64 - while
> > I won't recommend it, it is *done*, and blocking the whole /64 because
> > you have seen SPAM from a single IP out of it is hurting the wrong
> > people.
>
> But, since pretty much every end user gets a /64 (I accept some web
> hosts and vps services do not work that way - including one of my vps
> providers), blocking a /64 would be identical to blocking a single IPv4
> address with NAT, so should be overall, no worse than what we've been
> doing for decades.

It *is* worse, because the assumption "every end user gets a /64" is just
plain *wrong*. A single counterexample voids the word "every" in maths,
and two counterexamples have been given.

> I would prefer it if rbldnsd allowed smaller, or even singular, but it
> does not, and the reasoning that was given was fair enough, it only
> allows a single IPv6 address if it is an exclusion, you may know this
> already, but for others, as an eg to take out fdid:c01d:1ce:ab/64 but
> allow real mail server fdid:c01d:1ce:ab::10 you use

In that case, rbldnsd can not be used for mail filtering on IPv6, as it
is not fit for that purpose.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
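The policy debated in this thread (list a whole /64, exclude single known-good hosts), modelled as an added example that is not part of the original mail and is not rbldnsd code or configuration. The addresses come from the 2001:db8::/32 documentation prefix and are constructed, as are the zone name `dnsbl.example` and all function names; the query name uses the nibble-reversed format of RFC 5782.

```python
import ipaddress

# Constructed sample data (2001:db8::/32 is the IPv6 documentation prefix).
LISTED_64S = [ipaddress.ip_network("2001:db8:1ce:ab::/64")]
EXCLUDED = {ipaddress.ip_address("2001:db8:1ce:ab::10")}  # known-good mail server


def dnsbl_qname(addr, zone="dnsbl.example"):
    """Build the name an MTA would look up for an IPv6 client (RFC 5782):
    all 32 hex nibbles of the address, reversed, under the list's zone."""
    nibbles = ipaddress.ip_address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def is_listed(addr):
    """Model of the policy: whole /64s are listed, single hosts can be excluded."""
    ip = ipaddress.ip_address(addr)
    if ip in EXCLUDED:
        return False
    return any(ip in net for net in LISTED_64S)


def collateral(observed_spammers, senders):
    """Return senders that are blocked although never seen sending spam."""
    spam = {ipaddress.ip_address(a) for a in observed_spammers}
    return [s for s in senders
            if is_listed(s) and ipaddress.ip_address(s) not in spam]


if __name__ == "__main__":
    # Constructed scenario: several customers share one /64.
    senders = [
        "2001:db8:1ce:ab::25",  # the host that actually sent spam
        "2001:db8:1ce:ab::26",  # another customer in the same /64
        "2001:db8:1ce:ab::10",  # excluded mail server
        "2001:db8:1ce:ac::1",   # neighbouring /64, not listed
    ]
    for s in senders:
        print(f"{s:22} listed={is_listed(s)}  {dnsbl_qname(s)}")
    print("collateral:", collateral(["2001:db8:1ce:ab::25"], senders))
```

On a shared /64 every host that has not been individually excluded inherits the listing, so the exclusion set has to be maintained per legitimate sender.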