> On Jun 6, 2018, at 5:11 PM, Brandon Long via mailop <[email protected]> wrote:
>
> Isn't the simplest way to handle this to treat IPv6 at the /64 or smaller
> level? More likely, because most people use IPv4, the RBLs just don't have
> the data sources they need to populate the data, not because of some inherent
> size problem with the data.

IPv6 blacklists served over DNS using "regular" DNS infrastructure risk blowing out the caches of recursive resolvers (theoretically) if the lookup is done by /128 - there are potentially many, many queries you might have to make without getting cache hits. It's better with /64, but that's potentially not as selective as you might want while still meaning more cache hits (in theory) as /48s are handed out like candy in a way /16s aren't.

I'm not sure I believe that it's an actual problem today, or one that's likely in the future, but there is a potential issue there.

Distributing IPv6 reputation data via something other than DNS eliminates the issue. It can still be provided to the MXes via DNS, just directly from a local authoritative server rather than via a caching resolver. That'd be better in many respects. (The history of BGP not being trivial to feed into mailservers and the coincidence that m4-ed sendmail.cf can be persuaded to do DNS lookups are the only reason we're where we are.)

> I'm also not clear that content level scanning is really so much more
> expensive that it can't be invested in. "Here's a nickel kid, buy yourself
> another VM" or something. More likely, there's a trade-off in trusting RBLs
> completely vs how much mail you receive, and as you scale up, the more
> numerous the false positives from RBLs become (not as a fraction but as an
> absolute number) and the more effort you need to put into doing more
> complicated evaluations even as your traffic is higher.

I think content scanning is critical. A significant fraction of the spam I see - and a large fraction of the spam that's not trivially blocked - is coming from shared infrastructure (whether that be ESPs, Large Webmail Providers or Large Hosted Business Apps). Content can block that. Source IP based blocking can't, really, as the sources are shared between legitimate users and spammers.

And, to wander back to the topic, the majority of spam I see on IPv6 comes from those sorts of provider.

Cheers,
  Steve
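
The cache effect described in the message above can be seen by counting distinct query names, as in this added example (not part of the original message). It assumes a placeholder zone `dnsbl.example`, a constructed set of sender addresses, and a hypothetical scheme in which /64 and /48 lookups truncate the usual 32-nibble reversed name.

```python
import ipaddress

ZONE = "dnsbl.example"  # placeholder zone, not a real blacklist


def query_name(addr, prefix_len=128, zone=ZONE):
    """Nibble-reversed query name covering the first prefix_len bits of addr.

    128 gives the full 32-nibble name; shorter prefixes are an assumed
    truncation scheme used here only to compare cache behaviour.
    """
    if prefix_len % 4 or not 0 < prefix_len <= 128:
        raise ValueError("prefix_len must be a multiple of 4 in 4..128")
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    kept = nibbles[: prefix_len // 4]
    return ".".join(reversed(kept)) + "." + zone


def cache_stats(addrs, prefix_len):
    """Model a resolver cache keyed on query name; return (misses, hits)."""
    seen = set()
    hits = 0
    for addr in addrs:
        name = query_name(addr, prefix_len)
        if name in seen:
            hits += 1          # answered from cache
        else:
            seen.add(name)     # one upstream query, one new cache entry
    return len(seen), hits


def constructed_senders():
    """Constructed sample: three /64s in one /48, 200 distinct hosts each."""
    base = int(ipaddress.IPv6Address("2001:db8::"))
    return [
        str(ipaddress.IPv6Address(base + (subnet << 64) + host))
        for subnet in range(3)
        for host in range(1, 201)
    ]


if __name__ == "__main__":
    senders = constructed_senders()
    for plen in (128, 64, 48):
        misses, hits = cache_stats(senders, plen)
        print(f"/{plen}: {misses} cache entries, {hits} cache hits")
```

Every distinct /128 costs its own upstream query and cache entry, while the coarser granularities collapse the same traffic into a handful of names at the price of selectivity.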
