Hi, On Thu, Feb 20, 2014 at 08:44:59AM +1000, Noel Butler wrote: > On Wed, 2014-02-19 at 10:54 +0100, Gert Doering wrote: > > > On Wed, Feb 19, 2014 at 02:45:33PM +1000, Noel Butler wrote: > > > We block only by IP from whatever spam source is used (4, or 6), and > > > rbldnsd handles ipv6 nicely (albeit in /64's - fair enough too, since > > > most end users get that, typically), so your MTA's query would get a > > > response from your DNSBL if it has an entry. > > > > Blocking by /64 by default is likely to get collateral damage. Enough > > people do shared subnets with multiple customers in the same /64 - while > > I won't recommend it, it is *done*, and blocking the whole /64 because > > you have seen SPAM from a single IP out of it is hurting the wrong > > people. > > But, since pretty much every end user gets a /64 (I accept some web > hosts and vps services do not work that way - including one of my vps > providers), blocking a /64 would be identical to blocking a single IPv4 > address with NAT, so should be overall, no worse than what we've been > doing for decades.
It *is* worse, because the assumption "every end user gets a /64" is
just plain *wrong*.
A single counterexample voids the word "every" in maths, and two
counterexamples have been given.
> I would prefer it if rbldnsd allowed smaller, or even singular, but it
> does not, and the reasoning that was given was fair enough, it only
> allows a single IPv6 address if it is an exclusion, you may know this
> already, but for others, as an eg to take out fdid:c01d:1ce:ab/64 but
> allow real mail server fdid:c01d:1ce:ab::10you use
In that case, rbldnsd can not be used for mail filtering on IPv6, as it
is not fit for that purpose.
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
pgpDHyfGaVANO.pgp
Description: PGP signature
