Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Jaroslaw Rafa via mailop]

Dnia 17.03.2024 o godz. 16:17:10 Hans-Martin Mosner via mailop pisze:
> >My current ISP (BTW, one of the biggest cable providers in Europe, you can
> >probably guess which one it is) currently provides by default an IPv6 *only*
> >connection to the home users, even if you have IPv4-only devices in your
> >LAN. They use the solution called DS-Lite: the modem/router they lease to
> >you does an IPv4-over-IPv6 tunnel(!) to some point inside the ISP's network,
> >where the packet is decapsulated, a CG-NAT is done to some public IPv4
> >address and the connection continues via IPv4 to the target address. IPv6
> >connections just pass through unchanged.
> 
> I would prefer to avoid going through a NAT, but for most home users this
> is probably not an issue.

With my ISP, you can request to switch your connection from IPv6 only to
dual-stack IPv4 and IPv6, then you get a public IPv4 address and NAT is
performed at your home modem/router (you can then control it, do usual port
forwarding stuff etc.). This does not differ from any other ISP, where you
usually also get a single public IPv4 address and must do NAT.

> My point is mostly that it's quite possible to get IPv6 if you want,
> most small or medium organizations just don't have the expertise to
> do it, and the providers are not very helpful.

Well, doesn't the fact that the provider I'm talking about (and it's a
really very big one) is *mostly* IPv6 based, somehow contradict that?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Hans-Martin Mosner via mailop]

Am 17.03.24 um 14:05 schrieb Jaroslaw Rafa via mailop:

Dnia 17.03.2024 o godz. 08:30:39 Hans-Martin Mosner via mailop pisze:

does IPv6 (not exclusively though), and I've been trying to usher in
the future by setting up at least dual stack on my home DSL
connection (that at least works now after years of IPv6 routing
issues with my previous home DSL and no way of contacting tech-savvy
support there) and in our company (where I set up an IPv6 tunnel
which worked until the tunnel provider closed shop).

I don't quite understand what exactly the end user has to do to have dual
stack on his home connection. The ISP either provides IPv6 to you or not,
there's nothing to do for you.
Well when I first did it my provider had no IPv6 so I used a tunnel. And even now I have to enable it in my router, 
otherwise I get only IPv4. So I didn't have to do much, but it also didn't happen magically.


My current ISP (BTW, one of the biggest cable providers in Europe, you can
probably guess which one it is) currently provides by default an IPv6 *only*
connection to the home users, even if you have IPv4-only devices in your
LAN. They use the solution called DS-Lite: the modem/router they lease to
you does an IPv4-over-IPv6 tunnel(!) to some point inside the ISP's network,
where the packet is decapsulated, a CG-NAT is done to some public IPv4
address and the connection continues via IPv4 to the target address. IPv6
connections just pass through unchanged.


I would prefer to avoid going through a NAT, but for most home users this is 
probably not an issue.

My point is mostly that it's quite possible to get IPv6 if you want, most small or medium organizations just don't have 
the expertise to do it, and the providers are not very helpful.


Cheers,
Hans-Martin
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Jaroslaw Rafa via mailop]

Dnia 17.03.2024 o godz. 08:30:39 Hans-Martin Mosner via mailop pisze:
> does IPv6 (not exclusively though), and I've been trying to usher in
> the future by setting up at least dual stack on my home DSL
> connection (that at least works now after years of IPv6 routing
> issues with my previous home DSL and no way of contacting tech-savvy
> support there) and in our company (where I set up an IPv6 tunnel
> which worked until the tunnel provider closed shop).

I don't quite understand what exactly the end user has to do to have dual
stack on his home connection. The ISP either provides IPv6 to you or not,
there's nothing to do for you.

My current ISP (BTW, one of the biggest cable providers in Europe, you can
probably guess which one it is) currently provides by default an IPv6 *only*
connection to the home users, even if you have IPv4-only devices in your
LAN. They use the solution called DS-Lite: the modem/router they lease to
you does an IPv4-over-IPv6 tunnel(!) to some point inside the ISP's network,
where the packet is decapsulated, a CG-NAT is done to some public IPv4
address and the connection continues via IPv4 to the target address. IPv6
connections just pass through unchanged.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Hans-Martin Mosner via mailop]

Am 17.03.24 um 04:23 schrieb Jarland Donnell via mailop:

I'm gonna be "that guy" though for a minute.

If there are any IPv6 only mail servers, they are hobbyists trying to prove a point. There are a ton of IPv4 only mail 
servers. In short, there is no benefit to sending mail over IPv6 beyond the ideological preference some people have 
for feeling like they're ushering in the future. A future they've been predicting would arrive any day now for well 
over a decade. 


Well I might suppose I'm one of those. My personal web/mail server does IPv6 (not exclusively though), and I've been 
trying to usher in the future by setting up at least dual stack on my home DSL connection (that at least works now after 
years of IPv6 routing issues with my previous home DSL and no way of contacting tech-savvy support there) and in our 
company (where I set up an IPv6 tunnel which worked until the tunnel provider closed shop).


I do believe that mail and network admins at organizations of any size should make themselves knowledgeable and gain 
experience with IPv6 networking. Instead I see massive inertia and ignorance, and that's sad.


Cheers,
Hans-Martin
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Jarland Donnell via mailop]

I'm gonna be "that guy" though for a minute.

If there are any IPv6 only mail servers, they are hobbyists trying to 
prove a point. There are a ton of IPv4 only mail servers. In short, 
there is no benefit to sending mail over IPv6 beyond the ideological 
preference some people have for feeling like they're ushering in the 
future. A future they've been predicting would arrive any day now for 
well over a decade.


On 2024-03-16 11:44, Bill Cole via mailop wrote:

On 2024-03-14 at 20:26:00 UTC-0400 (Thu, 14 Mar 2024 17:26:00 -0700)
Jay Hennigan via mailop 
is rumored to have said:


On 3/14/24 15:18, Michael Grimm via mailop wrote:

OVH is sharing a /64 subnet among multiple customers since they 
started their public cloud project. You are only provided with a 
single IPv6 address for your instance. In the years before that, I 
had had access to an exclusive /64 subnet.


This is very bad practice on OVH's part. Why are they doing this? Are 
they afraid of running out of IPv6 addresses?


Unlikely.

They are afraid of running out of the scarcity that allows them to make 
money by hoarding addresses and selling the clean ones at a premium.


Proper IPv6 deployment by mass-market hosters and ISPs is an attack on 
their business models. It is, in a sense, anti-capitalist in that it 
eliminates any meaningful address scarcity and so eliminates the 
profitable market for usable addresses.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Bill Cole via mailop]

On 2024-03-14 at 20:26:00 UTC-0400 (Thu, 14 Mar 2024 17:26:00 -0700)
Jay Hennigan via mailop 
is rumored to have said:


On 3/14/24 15:18, Michael Grimm via mailop wrote:

OVH is sharing a /64 subnet among multiple customers since they 
started their public cloud project. You are only provided with a 
single IPv6 address for your instance. In the years before that, I 
had had access to an exclusive /64 subnet.


This is very bad practice on OVH's part. Why are they doing this? Are 
they afraid of running out of IPv6 addresses?


Unlikely.

They are afraid of running out of the scarcity that allows them to make 
money by hoarding addresses and selling the clean ones at a premium.


Proper IPv6 deployment by mass-market hosters and ISPs is an attack on 
their business models. It is, in a sense, anti-capitalist in that it 
eliminates any meaningful address scarcity and so eliminates the 
profitable market for usable addresses.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Christophe Kalt via mailop]

On Fri, Mar 15, 2024 at 9:41 AM Alexandre Dangreau via mailop <
mailop@mailop.org> wrote:

> > there are other providers in the same price range which assign /64.
>
> The VPS/PCI price start at 4€ per month. Not sure you will be able to find
> server with /64 IPv6 at this price.
>

One of your competitors assigns a /64 on their cheapest VPS (3.29€/mo)

Due to this cheaper price, we had lots of spammers, and we put in place
> some specific rules for these services (e.g. : port 25 blocked). After
> putting in place this kind of restrictions on these services, we saw a huge
> decrease of spam report and the spammer doesn't moving to baremetal (start
> price 45€).
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Robert Giles via mailop]

On 3/15/2024 at 10:35, Chris Adams via mailop wrote:

Linode/Akamai has $5/month VMs that include a /64.  So that's not a
good excuse either.


 This.  And Linode actually has an effective abuse desk.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Chris Adams via mailop]

Once upon a time, Alexandre Dangreau  said:
> Hello, 
> 
> > there are other providers in the same price range which assign /64. 
> 
> The VPS/PCI price start at 4€ per month. Not sure you will be able to find 
> server with /64 IPv6 at this price.

Linode/Akamai has $5/month VMs that include a /64.  So that's not a good
excuse either.
-- 
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Alexandre Dangreau via mailop]

Hello, 

> there are other providers in the same price range which assign /64. 

The VPS/PCI price start at 4€ per month. Not sure you will be able to find 
server with /64 IPv6 at this price.

Due to this cheaper price, we had lots of spammers, and we put in place some 
specific rules for these services (e.g. : port 25 blocked). After putting in 
place this kind of restrictions on these services, we saw a huge decrease of 
spam report and the spammer doesn't moving to baremetal (start price 45€).

___
mailop mailing list
mailop@mailop.org 
https://list.mailop.org/listinfo/mailop 




___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Chris Adams via mailop]

Once upon a time, Alexandre Dangreau  said:
> In fact, if you need a /64 IPv6 range you probably use the wrong service. For 
> VPS and Public Cloud instances (PCI) the IPv6 range is shared with all the 
> VM, so each VM (VPS or PCI) have one single IPv4 (/32) and one single IPv6 
> (/128).
> 
> Only baremetal have a dedicated /64 IPv6 range. The support team could help 
> you to find a server corresponding to your needs.

What you are saying is that OVH has bad product design (another reason
VPS customers should look elsewhere).  Other VPS providers do not have
such an artificial limitation; proper network support should not be an
up-sell.

-- 
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Andy Smith via mailop]

Hi,

On Fri, Mar 15, 2024 at 12:48:25AM +, Alexander Huynh via mailop wrote:
> Would you consider your own /64 or /48 from RIPE?

The Local Internet Registry (sponsoring ISP) will charge you
something (recurring) for managing the Provider Independent
allocation.

If the need is only for one mail server and one /48 or /64 it's far
cheaper to just get a VM with a provider that has a more sensible
addressing policy and better overall reputation than OVH. That
certainly should not be difficult, though you would still be bound
to the overall reputation of that provider, then.

Turning off IPv6 email would be a better choice than sending it from
a /64 shared with the general OVH customer base.

Thanks,
Andy
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Bjoern Franke via mailop]

Hi,


As this is a hobby project of mine, and I am not willing to increase my 
expenses significantly, I have re-configured both mailservers of mine to use 
IPv4 addresses for outgoing mails, only. No big deal, and I can live with that.


there are other providers in the same price range which assign /64. So 
no need to increase the expenses.


Regards
Bjoern

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Michael Grimm via mailop]

John Levine via mailop  wrote:
> 
> It appears that Michael Grimm via mailop  said:
>>> Sharing a /64 among multiple customers doesn't make sense. It's not like 
>>> OVH is in danger of running out of IPv6 space any time soon.
>> 
>> OVH is sharing a /64 subnet among multiple customers since they started 
>> their public cloud project. You are only provided with a single IPv6 address 
>> for your
>> instance. In the years before that, I had had access to an exclusive /64 
>> subnet.
>> 
>> 
>> But that isn't the point of my initial post: Spamhaus is blocking the /64 
>> subnet my address is part of. Fair enough. 
>> 
>> *But* on the other hand they are offering an web-based de-listing service 
>> without human interference. Good. After successful delisting, that 
>> particular IPv6 address
>> becomes immediately de-listed. Fine.
>> 
>> That tells me, that they must have a setup where individual IPv6 of a 
>> blocked /64 subnet become whitelisted. *That* worked in the past for a very 
>> long time. Only
>> recently the whitelisting is of a very short time frame.
> 
> No, it means that they will let people delist a few mistakes, but if the /64 
> keeps being
> listed I think you will find that the self removal goes away.
> 
> The solution is to find a competent hosting company that will provide
> your own /64. As I keep saying, sometimes when you pick a cheap
> option, you get what you pay for.

FYI: I do have a reply from Spamhaus on one of my tickets, now:

[begin quote]
CSS lists IPv6 with /64 granularity, and one or more IPs within the /64 in 
question are sending spam. A /64 is he industry standard for the smallest IPv6 
allocation to individual customers, even for home-uses like cable, DSL or 
wireless. The /64 choice has RFC4291 as its origin and it is further discussed 
in RFC6177.
[end quote]

Thanks to all who responded. Now, I do understand my erroneous assumptions 
regarding Spamhaus' delisting process.

As this is a hobby project of mine, and I am not willing to increase my 
expenses significantly, I have re-configured both mailservers of mine to use 
IPv4 addresses for outgoing mails, only. No big deal, and I can live with that.

Regards,
Michael
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Atro Tossavainen via mailop]

On Fri, Mar 15, 2024 at 08:11:42AM +, Alexandre Dangreau via mailop wrote:
> Hello, 
> 
> In fact, if you need a /64 IPv6 range you probably use the wrong service. For 
> VPS and Public Cloud instances (PCI) the IPv6 range is shared with all the 
> VM, so each VM (VPS or PCI) have one single IPv4 (/32) and one single IPv6 
> (/128).
> 
> Only baremetal have a dedicated /64 IPv6 range. The support team could help 
> you to find a server corresponding to your needs.

Let me point out the obvious: that is a suicidal approach.

You're not exactly running out of /64's. There are altogether
18 446 744 073 709 551 616 of them in the address space, not all of
which are yours, of course, but even if you only have a /32 you
still have 4 billion, and it's safe to say you don't have 4 billion
customers. (I will go deeper into this at the end of this message.)

Spamhaus released their IPv6 policy already in 2011:

https://www.spamhaus.org/resource-hub/dnsbl/spamhaus-releases-ipv6-blocklists-strategy/

They refer to RFC 6177:

https://datatracker.ietf.org/doc/html/rfc6177

I am nobody, but I wholeheartedly wish for OVH to reconsider its
approach and to always assign at least a /64 to a customer, no
matter whether they're buying VPS or bare metal. (It should be
per customer, not per unit of hardware, as well.)

You have over 17 billion /64's in your four /32's. Restricting all
VPS customers to a single /64 is something that could only be caused
by a fundamental, should I say utter, misunderstanding of IPv6.

Once again, please reconsider.

$ whois -h whois.radb.net -- '-i origin AS16276' | grep route6: | grep /32 | 
sort -u
route6: 2001:41d0::/32
route6: 2402:1f00::/32
route6: 2604:2dc0::/32
route6: 2607:5300::/32

Best,
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Hans-Martin Mosner via mailop]

Am 15.03.24 um 09:11 schrieb Alexandre Dangreau via mailop:

Hello,

In fact, if you need a /64 IPv6 range you probably use the wrong service. For 
VPS and Public Cloud instances (PCI) the IPv6 range is shared with all the VM, 
so each VM (VPS or PCI) have one single IPv4 (/32) and one single IPv6 (/128).

Only baremetal have a dedicated /64 IPv6 range. The support team could help you 
to find a server corresponding to your needs.



Of course such a "feature" can be used as a selling point for more 
expensive service options. It is still irresponsible to fence ordinary 
users together with spammers into a single /64 (and given the "success" 
of keeping spammers out, every /64 managed by OVH will have a number of 
spammers at any point in time). If unrelated users share a /64, you 
should disable outgoing access to port 25 (and probably some other 
ports) completely and advertise this service as "not suitable for e-mail 
operation"; that would also reduce the spam load on other networks a bit.


There are enough /64s available that you can give each customer her own.

Cheers,
Hans-Martin

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Alexandre Dangreau via mailop]

Hello, 

In fact, if you need a /64 IPv6 range you probably use the wrong service. For 
VPS and Public Cloud instances (PCI) the IPv6 range is shared with all the VM, 
so each VM (VPS or PCI) have one single IPv4 (/32) and one single IPv6 (/128).

Only baremetal have a dedicated /64 IPv6 range. The support team could help you 
to find a server corresponding to your needs.



-- 
Alexandre Dangréau
Head of Trust & Safety 
VU.Ethics & Compliance 
Twitter  | LinkedIn 
 | ovhcloud.com 
 

__ 
This message was sent from OVH Groupe SAS, or one of its subsidiaries or 
affiliated entities, and is intended only for the sole use of the designated 
recipient(s). It may contain confidential and proprietary information. If you 
are not a designated recipient, you may not review, copy, use or distribute 
this message. If you received this message in error, please notify the sender 
by reply e-mail and delete this message. Thank you.



Le 14/03/2024 17:59, « mailop au nom de Michael Grimm via mailop » 
mailto:mailop-boun...@mailop.org> au nom de 
mailop@mailop.org > a écrit :


Hi,


is there someone from Spamhaus reading this list?


I am getting listed almost on a daily basis on two IPv6 addresses of mine which 
happen to be part of OVH's address space (yes, I know). Both of my mailservers 
are serving a handful users, only (family).


Whenever that happens I am using Spamhaus' de-listing Website 
https://check.spamhaus.org/  and become 
automatically de-listed thereafter. Only until I become listed again, today two 
times within 6 hours.


Example Case ID and IPv6 addresses involved: 


2001:41d0:20a:800::464
ST4415112 
ST4413096


2001:41d0:701:1000::435d
ST4415103
ST4413113


Is there a way to make that de-listing more persistent?


Thanks in advance and regards,
Michael


___
mailop mailing list
mailop@mailop.org 
https://list.mailop.org/listinfo/mailop 




___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[John Levine via mailop]

It appears that Michael Grimm via mailop  said:
>> Sharing a /64 among multiple customers doesn't make sense. It's not like OVH 
>> is in danger of running out of IPv6 space any time soon.
>
>OVH is sharing a /64 subnet among multiple customers since they started their 
>public cloud project. You are only provided with a single IPv6 address for your
>instance. In the years before that, I had had access to an exclusive /64 
>subnet.
>
>
>But that isn't the point of my initial post: Spamhaus is blocking the /64 
>subnet my address is part of. Fair enough. 
>
>*But* on the other hand they are offering an web-based de-listing service 
>without human interference. Good. After successful delisting, that particular 
>IPv6 address
>becomes immediately de-listed. Fine.
>
>That tells me, that they must have a setup where individual IPv6 of a blocked 
>/64 subnet become whitelisted. *That* worked in the past for a very long time. 
>Only
>recently the whitelisting is of a very short time frame.

No, it means that they will let people delist a few mistakes, but if the /64 
keeps being
listed I think you will find that the self removal goes away.

The solution is to find a competent hosting company that will provide
your own /64. As I keep saying, sometimes when you pick a cheap
option, you get what you pay for.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Alexander Huynh via mailop]

Would you consider your own /64 or /48 from RIPE?

It's one way of being in control of your own reputation.
-- 
Alex
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Jay Hennigan via mailop]

On 3/14/24 13:21, Slavko via mailop wrote:


As the /64 is twice of whole IPv4 mask, plenty "spammers" with
minimal effort, just two/three kernel setting values...


A /64 is actually 4,294,967,296 times the whole IPv4 space, but who's 
counting?


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Jay Hennigan via mailop]

On 3/14/24 15:18, Michael Grimm via mailop wrote:


OVH is sharing a /64 subnet among multiple customers since they started their 
public cloud project. You are only provided with a single IPv6 address for your 
instance. In the years before that, I had had access to an exclusive /64 subnet.


This is very bad practice on OVH's part. Why are they doing this? Are 
they afraid of running out of IPv6 addresses?



But that isn't the point of my initial post: Spamhaus is blocking the /64 
subnet my address is part of. Fair enough.

*But* on the other hand they are offering an web-based de-listing service 
without human interference. Good. After successful delisting, that particular 
IPv6 address becomes immediately de-listed. Fine.


Likely not. Much more likely: After successful delisting, the entire /64 
became immediately de-listed. Then spam from someone within that subnet 
caused it to be listed again. Lather, rinse, repeat.


That tells me, that they must have a setup where individual IPv6 of a blocked /64 subnet become whitelisted. 


How do you arrive at that conclusion?


*That* worked in the past for a very long time. Only recently the whitelisting 
is of a very short time frame.


To the best of my knowledge most if not all DNSBLs are not going to be 
more granular than a /64 on IPv6, nor should they be. The rest of the 
world besides OVH assigns a /64 per customer subnet.


if DNSBLs blocked at the /128 level, every spammer with a normal /64 
subnet would have an immense (ridiculously, insanely, extremely immense) 
number of addresses from which to snowshoe spam. DNSBL database size 
would also rapidly become a problem.


You're in a very bad neighborhood with OVH when it comes to spammers. 
Either move to a better neighborhood or at least demand your own /64 
subnet.




76 or 63 reportings in a /64 subnet aren't necessarily a hint for excessive 
spamming as mentioned in this thread.


76 reports or spamtrap hits within a month for a /64 is a pretty big red 
flag that the subnet is infested with spammers. Industry practice is one 
/64 per customer subnet.


See here: 
https://www.spamhaus.org/faqs/exploits-blocklist-xbl/#how-does-xbl-handle-ipv6-addresses


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Michael Grimm via mailop]

Jay Hennigan via mailop  wrote:
> On 3/14/24 10:17, Graeme Fowler via mailop wrote:
>> On 14 Mar 2024, at 16:53, Michael Grimm via mailop  wrote:

>>> I am getting listed almost on a daily basis on two IPv6 addresses of mine 
>>> which happen to be part of OVH's address space (yes, I know).
>> …you do. So to:
>>> Is there a way to make that de-listing more persistent?
>> Yes. The following text is fairly instructive:
>> In the last month we have observed 76 listings.
>> 2001:41d0:701:1000::/64 has been detected 76 times in the last month. It has 
>> been removed 7 times.
>> In the last month we have observed 63 listings.
>> 2001:41d0:20a:800::/64 has been detected 63 times in the last month. It has 
>> been removed 4 times.
>> As you can see, it’s the entire /64 getting listed in both cases. They’re 
>> unsavoury neighbourhoods by the look of things.
> 
> And, with IPv6, the "entire /64" should be a single subnet. Either OVH is 
> sharing a /64 amongmultiple customers or OP has another machine that is 
> spamming from within the same subnet.
> 
> Sharing a /64 among multiple customers doesn't make sense. It's not like OVH 
> is in danger of running out of IPv6 space any time soon.

OVH is sharing a /64 subnet among multiple customers since they started their 
public cloud project. You are only provided with a single IPv6 address for your 
instance. In the years before that, I had had access to an exclusive /64 subnet.


But that isn't the point of my initial post: Spamhaus is blocking the /64 
subnet my address is part of. Fair enough. 

*But* on the other hand they are offering an web-based de-listing service 
without human interference. Good. After successful delisting, that particular 
IPv6 address becomes immediately de-listed. Fine.

That tells me, that they must have a setup where individual IPv6 of a blocked 
/64 subnet become whitelisted. *That* worked in the past for a very long time. 
Only recently the whitelisting is of a very short time frame.

76 or 63 reportings in a /64 subnet aren't necessarily a hint for excessive 
spamming as mentioned in this thread. 

Regards,
Michael

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Jay Hennigan via mailop]

On 3/14/24 10:17, Graeme Fowler via mailop wrote:

On 14 Mar 2024, at 16:53, Michael Grimm via mailop  wrote:

I am getting listed almost on a daily basis on two IPv6 addresses of mine which 
happen to be part of OVH's address space (yes, I know).


…you do. So to:


Is there a way to make that de-listing more persistent?


Yes. The following text is fairly instructive:

In the last month we have observed 76 listings.
2001:41d0:701:1000::/64 has been detected 76 times in the last month. It has 
been removed 7 times.

In the last month we have observed 63 listings.
2001:41d0:20a:800::/64 has been detected 63 times in the last month. It has 
been removed 4 times.

As you can see, it’s the entire /64 getting listed in both cases. They’re 
unsavoury neighbourhoods by the look of things.


And, with IPv6, the "entire /64" should be a single subnet. Either OVH 
is sharing a /64 among multiple customers or OP has another machine that 
is spamming from within the same subnet.


Sharing a /64 among multiple customers doesn't make sense. It's not like 
OVH is in danger of running out of IPv6 space any time soon.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[John Levine via mailop]

It appears that Slavko via mailop  said:
>Dňa 14. marca 2024 19:15:14 UTC používateľ John Levine via mailop 
> napísal:
>
>>It would not be hard to use a different address for every message. 
>
>More precise, one can get/use new temporary IPv6 address every
>5 s (less is ignored on Linux), but IMO with custom kernel even more
>often can be possible. Thus blocking/listing whole /64 is wanted.

Oh, you can do it a lot faster than that by setting static IP addresses.

But we seem to agree, you don't want to share a /64.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Slavko via mailop]

Dňa 14. marca 2024 19:15:14 UTC používateľ John Levine via mailop 
 napísal:

>It would not be hard to use a different address for every message. 

More precise, one can get/use new temporary IPv6 address every
5 s (less is ignored on Linux), but IMO with custom kernel even more
often can be possible. Thus blocking/listing whole /64 is wanted.

As the /64 is twice of whole IPv4 mask, plenty "spammers" with
minimal effort, just two/three kernel setting values...

regards


-- 
Slavko
https://www.slavino.sk/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[John Levine via mailop]

According to Graeme Fowler via mailop :
>As you can see, it’s the entire /64 getting listed in both cases. They’re 
>unsavoury neighbourhoods by the look of things.

If you are running a mail server on IPv6, you really do not want to share the 
/64 with anyone else.
Everyone I know who does IPv6 address reputation aggregates by /64 since it it 
trivial for hosts to
hop around within the /64.  It would not be hard to use a different address for 
every message.  It's
not like you're going to run out.



-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Michael Grimm via mailop]

Graeme Fowler via mailop  wrote:
> On 14 Mar 2024, at 16:53, Michael Grimm via mailop  wrote:

>> I am getting listed almost on a daily basis on two IPv6 addresses of mine 
>> which happen to be part of OVH's address space (yes, I know).
> 
> …you do. So to:
> 
>> Is there a way to make that de-listing more persistent?
> 
> Yes. The following text is fairly instructive:
> 
> In the last month we have observed 76 listings.
> 2001:41d0:701:1000::/64 has been detected 76 times in the last month. It has 
> been removed 7 times.
> 
> In the last month we have observed 63 listings.
> 2001:41d0:20a:800::/64 has been detected 63 times in the last month. It has 
> been removed 4 times.
> 
> As you can see, it’s the entire /64 getting listed in both cases. They’re 
> unsavoury neighbourhoods by the look of things.

I know that texts, and I am the one "removed 7 times" and "removed 4 times" 
respectively.

Been there, done that in the past, but *then* the de-listing had been 
*persistent* for months, until I had had to change my IPv6 addresses (new 
public cloud instances).

This changed a couple of days ago.

Regards,
Michael
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Graeme Fowler via mailop]

On 14 Mar 2024, at 16:53, Michael Grimm via mailop  wrote:
> I am getting listed almost on a daily basis on two IPv6 addresses of mine 
> which happen to be part of OVH's address space (yes, I know).

…you do. So to:

> Is there a way to make that de-listing more persistent?

Yes. The following text is fairly instructive:

In the last month we have observed 76 listings.
2001:41d0:701:1000::/64 has been detected 76 times in the last month. It has 
been removed 7 times.

In the last month we have observed 63 listings.
2001:41d0:20a:800::/64 has been detected 63 times in the last month. It has 
been removed 4 times.

As you can see, it’s the entire /64 getting listed in both cases. They’re 
unsavoury neighbourhoods by the look of things.

Graeme
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop