Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
The /128 issue with Linode (insofar as it relates to Spamhaus) has been percolating for at least 5 years if I recall correctly, but no shorter than the strong RFC-level guidelines of /64. Linode will allocate at /64 on request, and has being doing so for about just as long. On 2021-11-25 2:01 p.m., Jarland Donnell via mailop wrote: In all fairness, some of these systems may have been deployed before we were all really certain that a /64 per customer was going to be an accepted standard. You know how RFCs go, they're the law of the land except when they're not, which is actually pretty often. By now most should have figured out that they need to conform to this one, but I don't really blame early adopters for second guessing what common implementations would look like a few years down the road. On 2021-11-25 12:04, Jay Hennigan via mailop wrote: On Thu, Nov 25, 2021 at 03:07:02PM +0200, Mary via mailop wrote:>> I think Linode does not follow the /64 rule and assigns thousands of customers within the 2a01:7e01::/64 block. They user a bunch of blocks, depending on their data centre.>> I think by default each client is assigned a single /128 IPv6 address per server. That is rather stupid behavior on Linode's part then. The rest of the Internet uses a /64 per subnet and typically a /56 per customer minimum. What are they thinking? Are they really worried about running out of IPv6 addresses? Vote with your feet. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On 11/25/21 6:07 AM, Mary via mailop wrote: I think by default each client is assigned a single /128 IPv6 address per server. As a Linode customer, I can confirm, yes, Linode does share the /64 among may customers /by/ /default/. It is trivial to get an independent /64 from Linode. Simply open a ticket and say that you're having problems with the reputation of other tenants in the same /64 and request your own /64. -- Grant. . . . unix || die smime.p7s Description: S/MIME Cryptographic Signature ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
It appears that Michael Peddemors via mailop said: >See item one. > >> - Submits a JSON report to XYZ provider (https://blocklist.api.provider.com) See RFC 5965, published 11 years ago. Spamhaus has extensive facilities for ISPs that want to know what their users are up to. If you're not an ISP, you wouldn't have heard about it. R's, John ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Aye. We use Debouncer for our notifications. HetrixTools has also proven quite useful. Monitoring blacklists for a large number of IPs can scale into a bit heavier of a task than some might assume up front. But on that note, I worked for a very large cloud provider for a few years. Really quite a blast. I knew that our IP reputation at the time was a huge problem, and everyone who knows what I know certainly agreed. The problem comes in trying to convince the business types can't see it. They're used to us IT types and our tendencies to turn everything into an objective crisis even when it's really actually quite subjective. So when you tell them "You're going to lose money over this" it's a hard sell. Some people might have some decent tricks up their sleeves but proving why you don't have customers that you don't have is not exactly the most specific of all calculations. Despite knowing that IP reputation revenue and customers in my head, out of somewhere around 10,000 NPS feedback submissions I could only pull out a handful that were related. The type of customers that know to avoid you because of your IP reputation, they're not often the type to fill out those surveys either. The blacklists have half of the job of turning IP reputation into value, but the customers need to complete the circle and make their voices heard. I assure you, someone there cares. Someone there is struggling with what I did, explaining it to business types. On 2021-11-26 15:19, Andy Smith via mailop wrote: Hi Mary, On Fri, Nov 26, 2021 at 11:25:06AM +0200, Mary via mailop wrote: Would it be possible for the two sides (blocklists and a cloud/hosting providers) to come together and have some kind of automated notification? As a tiny hosting provider we already receive notifications from SpamCop and Spamhaus and we act upon them so we don't get our IPs listed in blocklists, or to get quickly de-listed when the problem customer has been dealt with. What you are missing here is that [the executive tier of] most large hosting providers don't care until they are made to care, which isn't a great starting point for co-operation. Cheers, Andy ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Hi Mary, On Fri, Nov 26, 2021 at 11:25:06AM +0200, Mary via mailop wrote: > Would it be possible for the two sides (blocklists and a > cloud/hosting providers) to come together and have some kind of > automated notification? As a tiny hosting provider we already receive notifications from SpamCop and Spamhaus and we act upon them so we don't get our IPs listed in blocklists, or to get quickly de-listed when the problem customer has been dealt with. What you are missing here is that [the executive tier of] most large hosting providers don't care until they are made to care, which isn't a great starting point for co-operation. Cheers, Andy ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
On 2021-11-26 11:25:06, Mary via mailop wrote: > > Thinking out loud... > > Would it be possible for the two sides (blocklists and a > cloud/hosting providers) to come together and have some kind of > automated notification? The blocklists already provide a convenient API to the providers: if you want to know if you're listed, do a DNS lookup. You can easily script this for as many blacklists as you want and run it in a cron job. Or if you want to get more complicated, you can use dedicated plugins for e.g. nagios to check the lists and alert you if any of your hosts are listed. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
On 2021-11-26 1:25 a.m., Mary via mailop wrote: Thinking out loud... Yes Mary.. in a perfect world.. but.. Would it be possible for the two sides (blocklists and a cloud/hosting providers) to come together and have some kind of automated notification? Sample automated conversation via JSON API: - The blocklist adds a block for X net block Since many providers hide behind GDPR as a reason to not have SWIP or 'rwhois' for customers, it is hit in miss what 'block' is owned by the threat actor, which is why sometimes there is collatoral damage. - Resolves the owner of the net block (XYZ provider) See item one. - Submits a JSON report to XYZ provider (https://blocklist.api.provider.com) Um.. yeah.. trouble is, many networks do not keep up their contact information as it is, in spite of years of efforts via various RIR's. And there is a whole business out there, just designed to create automated abuse responses, or bots, or even worse no response mechanism at all.. I am sure many of us have seen the dreaded 'Mailbox is full' from a abuse or postmaster mail box. And how do you prevent 'fake' reports? - The provider takes an automated action (close port 25) As pointed out on this list even, not an action even the good hosting providers will take. For instance, once sent a malware report to Microsoft, and got the response that since it was a reseller, they have to give them seven (7) days before taking action.. But of course, say it was a more critical system, eg responsible for sending life saving email alerts, (something a hoster once told me as a reason they could not shut the server down even after more than a week, 'just in case') Of course, it could be other threats, not just email. Business and Revenue come first to many operations, and they don't want ANY policy that can risk that, unless they are eventually forced to. - The provider takes manual action by getting in touch with their client Who may have to get in touch with his client, who has to get in touch with their clients... - Client of the server takes action (clean server) Many clients are not engineers, they might not know HOW to clean their servers - Client of the server requests delisting via a web form Thus: - the actual client of the server is notified of a security incident in a timely manner - spam is stopped as soon as possible! Actually, in the real work it works MUCH simpler, RBL's list them, they can't send mail, world is a safer place, and up to the operator, or the hosting provider to subscribe to and act on alerts.. The key thing is threats NEED to be stopped! Fast! And have to point out there are many very good hosters out there that almost NEVER get on a RBL.. but if you start up a VPS service only charging $.99/month, even with 10,000 of those, try paying for a qualified engineer. Do remember, it is the hoster and the operators fault, and the burden should NOT be on the receiver of the attack to spend time/money on reporting it, especially with such a long history of that not working.. even the most altruistic security people give up reporting soon enough. And it REALLY isn't hard for a hoster to identify it BEFORE it is seen on the internet. Simply set up a TCP SYN alert for port 25 on egress at the edge routers, which send a notification when an IP all of sudden starts sending lots of volume. Some hoster's don't allow rDNS changes for a few days, to stop driveby's and malicous account setups, and other techniques.. Like I said Mary, nice thoughts tho.. in a perfect world. -- "Catch the Magic of Linux..." Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
On 2021-11-26 2:24 a.m., Hetzner Blacklist via mailop wrote: I manually check those lists every other day, and then use our abuse system to send notifications to the respective clients. Hosters who have implemented the API can do so automatically. The obvious question, given that you manually check them, and send a 'notification', (You didn't mention when/if you shout it down) .. How much damage can a threat actor do in a couple of days.. Ouch! Even if they can get a few days out of it, you have made it worthwhile for the bad guys to target your networks. Long take down periods are a systematic problem in the industry, whether a Spammer, a Phisher, a Hacker, or a C server. And there are a couple of mentions of manually checking lists on this thread, you can of course use an automated checker that checks all the common lists, SpamHaus, SpamRats, and dozens of other reputable lists. That service is offered by HetrixTools, MXtoolbox.. I am sure you can convince management the small cost is cheaper than your time.. ;) -- "Catch the Magic of Linux..." Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Am 26.11.2021 um 10:25 schrieb Mary via mailop: Thinking out loud... Would it be possible for the two sides (blocklists and a cloud/hosting providers) to come together and have some kind of automated notification? It is possible and it already works that way for a handful of blacklists. Since this thread is about Spamhaus I'll start with them. They already send automated notifications for any public SBL listings. Atro linked to those listings for Linode earlier in this thread. CSS and XBL listings don't cause automated notifications. However, hosters/ISPs have access to that data via the PBL account: https://portal.spamhaus.org/isp/start/ Once they sign up for their networks, they can download a list of all CSS and XBL listings for IPs within those ranges. In fact, Spamhaus even offers an API that allows automatic downloading of those lists. I manually check those lists every other day, and then use our abuse system to send notifications to the respective clients. Hosters who have implemented the API can do so automatically. Quick aside: I only see IPv4 listings on those lists, so it is possible IPv6 isn't yet supported through that system, which means in this case it wouldn't have helped. There are a few Spamhaus reps on this list, so I'm sure one of them will correct me if anything I mentioned above is wrong. Apart from Spamhaus, there are also other blacklists that send notifications. The larger ones are SpamCop and SORBS, but there are also smaller ones like 0spam and Manitu. All of them send notifications automatically, apart from SORBS, where a sign-up is required. For a hoster like us that is hugely beneficial, and we are really thankful for those blacklists. FBL notifications can also be helpful (mostly setup through validity - https://fbl.validity.com/). To sum up, there is already a system in place with multiple blacklists sending automated notifications. A few reasons why there isn't more cooperation have already been mentioned, and I know there are more reasons (like cost). Kind regards Bastiaan ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Dnia 26.11.2021 o godz. 09:23:08 Hans-Martin Mosner via mailop pisze: > "Unlike" refers to "blocks port 25 by default" in the line above, > not to assigning /64s to customers. And yes, blocking outgoing port > 25 would make a bit of a difference. From a customer point of view (contrary to hosting company point of view probably), I don't like any ports being blocked "by default". If I buy a VPS, I expect to have a full functionality available, in particular, being able to setup a mail server on it. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
> Would it be possible for the two sides (blocklists and a cloud/hosting > providers) to come together and have some kind of automated notification? Objection, requires an interest in collaboration from hosting providers. -- Atro Tossavainen, Chairman of the Board Infinite Mho Oy, Helsinki, Finland tel. +358-44-5000 600, http://www.infinitemho.fi/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Am 26.11.21 um 10:25 schrieb Mary via mailop: Thinking out loud... Would it be possible for the two sides (blocklists and a cloud/hosting providers) to come together and have some kind of automated notification? Possible - yes of course. Doable as in both sides cooperating - when OVH, DigitalOcean, Colocrossing, to name just a few, don't handle manual abuse reports properly, I don't have much hope for cooperation in such an automated system. Cheers, Hans-Martin ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Thinking out loud... Would it be possible for the two sides (blocklists and a cloud/hosting providers) to come together and have some kind of automated notification? Sample automated conversation via JSON API: - The blocklist adds a block for X net block - Resolves the owner of the net block (XYZ provider) - Submits a JSON report to XYZ provider (https://blocklist.api.provider.com) - The provider takes an automated action (close port 25) - The provider takes manual action by getting in touch with their client - Client of the server takes action (clean server) - Client of the server requests delisting via a web form Thus: - the actual client of the server is notified of a security incident in a timely manner - spam is stopped as soon as possible! Would any of this be possible? Someone should write the RFC :) ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Am Freitag, dem 26.11.2021 um 09:23 +0100 schrieb Hans-Martin Mosner via mailop: > Am 26.11.21 um 09:04 schrieb Bastian Blank via mailop: > > On Fri, Nov 26, 2021 at 09:34:44AM +0200, Mary via mailop wrote: > > > Unlike other providers like OVH and hetzner... > > Hetzner does not assign less then a /64 in all their current > > products. > > > > Bastian > > > "Unlike" refers to "blocks port 25 by default" in the line above, not > to assigning /64s to customers. And yes, blocking > outgoing port 25 would make a bit of a difference. Of course, it does > not prevent spam being sent from hacked servers > that regularly send mail, so it would not be a complete solution but > would help in reducing the spam load. > Hetzner does now block port 25 outgoing for new customers on their cloud servers. But I guess on their dedicated ones it's still unblocked. > Cheers, > Hans-Martin > ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Correct, we automatically assign a /64 per server, and we've done that since the beginning of our IPv6 support (2011 if memory serves me correctly). A /56 is possible via a support request. We also block port 25 by default for new cloud clients, though we've only been doing that since April of this year, so it's understandable that not everyone is aware of that yet. Kind regards Bastiaan Am 26.11.2021 um 09:04 schrieb Bastian Blank via mailop: On Fri, Nov 26, 2021 at 09:34:44AM +0200, Mary via mailop wrote: Unlike other providers like OVH and hetzner... Hetzner does not assign less then a /64 in all their current products. Bastian ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Am 26.11.2021 um 08:34 schrieb Mary via mailop: Linode blocks port 25 by default and requires manual intervention and a "discussion" with support before they unblock it. Unlike other providers like OVH and hetzner... Hetzner Cloud has Port 25 blocked by default, you need to send a request to unblock it (after paying your first invoice). Michael On 25 Nov 2021 23:18:51 -0500 John Levine via mailop wrote: It appears that Jarland Donnell via mailop said: In all fairness, some of these systems may have been deployed before we were all really certain that a /64 per customer was going to be an accepted standard. A /64 per customer has always been the plan. There is no good reason to assign less. It's not like there is any risk of running out of addresses. A reasonable transition plan would be for linode (or any other hosting provlder) to block port 25 by default. If a customer asks to unblock it, put them in their own /64. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Am 26.11.21 um 09:04 schrieb Bastian Blank via mailop: On Fri, Nov 26, 2021 at 09:34:44AM +0200, Mary via mailop wrote: Unlike other providers like OVH and hetzner... Hetzner does not assign less then a /64 in all their current products. Bastian "Unlike" refers to "blocks port 25 by default" in the line above, not to assigning /64s to customers. And yes, blocking outgoing port 25 would make a bit of a difference. Of course, it does not prevent spam being sent from hacked servers that regularly send mail, so it would not be a complete solution but would help in reducing the spam load. Cheers, Hans-Martin ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
On Fri, Nov 26, 2021 at 09:34:44AM +0200, Mary via mailop wrote: > Unlike other providers like OVH and hetzner... Hetzner does not assign less then a /64 in all their current products. Bastian -- There is an order of things in this universe. -- Apollo, "Who Mourns for Adonais?" stardate 3468.1 ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
Linode blocks port 25 by default and requires manual intervention and a "discussion" with support before they unblock it. Unlike other providers like OVH and hetzner... On 25 Nov 2021 23:18:51 -0500 John Levine via mailop wrote: > It appears that Jarland Donnell via mailop said: > >In all fairness, some of these systems may have been deployed before we > >were all really certain that a /64 per customer was going to be an > >accepted standard. > > A /64 per customer has always been the plan. There is no good reason > to assign less. It's not like there is any risk of running out of addresses. > > A reasonable transition plan would be for linode (or any other hosting > provlder) > to block port 25 by default. If a customer asks to unblock it, put them > in their own /64. > > ___ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)
It appears that Jarland Donnell via mailop said: >In all fairness, some of these systems may have been deployed before we >were all really certain that a /64 per customer was going to be an >accepted standard. A /64 per customer has always been the plan. There is no good reason to assign less. It's not like there is any risk of running out of addresses. A reasonable transition plan would be for linode (or any other hosting provlder) to block port 25 by default. If a customer asks to unblock it, put them in their own /64. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
Fair enough too, the amount of crap coming from linode in recent weeks exceeds the levels from gmail and outlook combined, both ipv4 and 6 usually they send about the same as the others, not more than both of them together. On 25/11/2021 21:15, Mary via mailop wrote: I first noticed that all outgoing emails that are using IPv6 addresses, are being rejected by anyone using zen.spamhaus.org -- Regards, Noel Butler This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
One thing that I think we can do to "help" in this instance is actually list which addresses traffic has been seen from, rather than just reporting the /64 being listed. For this range - I'm only seeing 3 IPv6 addresses hitting traps 2a01:7e01::f03c:92ff:fed4:25b5 "YourBud " - abuseable web form 2a01:7e01::f03c:92ff:fee3:7758 - infected/compromised host 2a01:7e01::f03c:91ff:fece:24e8 - ""Sparkasse" " - compromised account Hope that helps. Kind regards, Steve. -- Steve Freegard Senior Product Owner Abusix Intelligence On 25/11/2021 11:15, Mary via mailop wrote: I first noticed that all outgoing emails that are using IPv6 addresses, are being rejected by anyone using zen.spamhaus.org I then tried a bunch of my addresses and they all tested as listed inhttps://check.spamhaus.org/ Please see attached screenshot. On Thu, 25 Nov 2021 12:52:18 +0200 Atro Tossavainen via mailop wrote: On Thu, Nov 25, 2021 at 12:33:54PM +0200, Mary via mailop wrote: Hello everyone, I noticed today that spamhaus.org is blocking large net blocks of IPv6 (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode are being blocked en mass (for IPv6 only). https://www.spamhaus.org/sbl/listings/linode.com contains nothing on IPv6. What exactly are you seeing? Is there a way to inform spamhaus about this rather aggressive blocking and get things sorted? Thank you. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop -- Atro Tossavainen, Chairman of the Board Infinite Mho Oy, Helsinki, Finland tel. +358-44-5000 600,http://www.infinitemho.fi/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
In all fairness, some of these systems may have been deployed before we were all really certain that a /64 per customer was going to be an accepted standard. You know how RFCs go, they're the law of the land except when they're not, which is actually pretty often. By now most should have figured out that they need to conform to this one, but I don't really blame early adopters for second guessing what common implementations would look like a few years down the road. On 2021-11-25 12:04, Jay Hennigan via mailop wrote: On Thu, Nov 25, 2021 at 03:07:02PM +0200, Mary via mailop wrote:>> I think Linode does not follow the /64 rule and assigns thousands of customers within the 2a01:7e01::/64 block. They user a bunch of blocks, depending on their data centre.>> I think by default each client is assigned a single /128 IPv6 address per server. That is rather stupid behavior on Linode's part then. The rest of the Internet uses a /64 per subnet and typically a /56 per customer minimum. What are they thinking? Are they really worried about running out of IPv6 addresses? Vote with your feet. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On 11/25/21 12:18 PM, Jay Hennigan via mailop wrote: It's not a Spamhaus problem. Linode is beyond stupid. Linode has over four billion /64s. The rest of the Internet treats a /64 as a single user or subnet. Linode should be allocating each customer subnet a /64 as a minimum. If you're a Linode customer, demand a /64. Point them here: https://datatracker.ietf.org/doc/html/rfc7421 There's some questionable info on this thread. Linode uses SLAAC to assign a single IPv6 to each linode, but gives out /64 blocks on request https://www.linode.com/docs/guides/linux-static-ip-configuration/ They recommended to me to use a /64 address and not the SLAAC address for my servers, including the mail server. No charge. You don't have to demand, just submit a support ticket as the docs say. I ran into this problem a couple of years ago, switching to the /64 block resolved it. It wasn't a huge deal. John ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On 11/25/21 06:22, Mary via mailop wrote: But that is not a real solution is it? Maybe linode and spamhaus can come up with a better solution between them? It's not a Spamhaus problem. Linode is beyond stupid. Linode has over four billion /64s. The rest of the Internet treats a /64 as a single user or subnet. Linode should be allocating each customer subnet a /64 as a minimum. If you're a Linode customer, demand a /64. Point them here: https://datatracker.ietf.org/doc/html/rfc7421 -- Jay Hennigan - j...@west.net Network Engineering - CCIE #7880 503 897-8550 - WB6RDV ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On Thu, Nov 25, 2021 at 03:07:02PM +0200, Mary via mailop wrote:>> I think Linode does not follow the /64 rule and assigns thousands of customers within the 2a01:7e01::/64 block. They user a bunch of blocks, depending on their data centre.>> I think by default each client is assigned a single /128 IPv6 address per server. That is rather stupid behavior on Linode's part then. The rest of the Internet uses a /64 per subnet and typically a /56 per customer minimum. What are they thinking? Are they really worried about running out of IPv6 addresses? Vote with your feet. -- Jay Hennigan - j...@west.net Network Engineering - CCIE #7880 503 897-8550 - WB6RDV ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On 25/11/2021 14:22, Mary via mailop wrote: But that is not a real solution is it? Maybe linode and spamhaus can come up with a better solution between them? Why is it not a real solution? It's a bigger problem than Linode and Spamhaus. (I refer to Linode in my writings, but I don't mean to single them out. It could refer to any VM or hosting provider) And in a way it is because the address space numbers (and maths) for IPv6 are so completely bonkers, it takes a big of getting used to. There have been various ideas floated over the years to declare the allocation size in a way that improves on what is in the whois data or RIPE database. I don't think any have really worked. The theory being a spam blocker could look up an IP address and see what size netblocks are allocated to customers. So how wide to block to stop the customer just swapping to one of the other 18446744073709551616 IP addresses a typically IPv6 user with a /64 has. 2001:db8:1::/48 - > in here, customers are each given a /64 So 2001:db8::1 and 2001:db8::2 will be the same customer/VM just with 2 IP's on the machine. If one is spamming, maybe don't trust the other. 2001:db8:2::/48 -> in here, customers are each given a /128 so 2001:db8:2::1 and 2001:db8:2::2 are 2 absolutely completely unrelated customers and so if ::1 is spamming, this is no indication about what ::2 might be doing (except that maybe if it keeps going a long time, the provider is not proactive in kicking off spammy customers) But I don't think any of these schemes really got off the ground. Is it realistic to do some kind of lookup everytime you want to drop in a firewall rule or some kind of blocklist (or be less trusting list)? I don't think the whois system could scale that well to the numbre of lookups. Ok, my home /48 is in RIPE saying I have a /48 allocation, but my ISP happens to be good at keeping the RIPE DB up to date and they like the detail in RIPE. Other ISPs have way less complete data. In reality IPv6 addresses are abundant and even consumer services like SKY are allocating a /56 (256 lots of /64) to every single home customer. So probably just easier for VM providers to dish out /64 per paying customer or VM. Or at least make it really easy for a customer who needs it just request a /64. And let everybody block on /64. Linode's /32 allocation allows for 4,294,967,296 customers to have their own /64 network. (ok, less than this, some grouping to make their internal routing table easier, network segmentation, different datacentres) And if you think that isn't enough, linode have at least 13 x /32 allocations. See https://bgp.he.net/AS63949#_prefixes6 They aren't exactly short of address space. :) I'm sure linode could to go RIPE and ask for more space too. (if Linode go past 52 billion customers, give me a call) -- Tim Bray Huddersfield, GB t...@kooky.org ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
> Sure. Linode could decide to stop operating a public nuisance and > police their sewer more effectively. Historically, Spamhaus has a > long record of delisting network operators who reform their > abuse-handling. This isn't even about that. This is only about Linode cramming more than one customer into a /64 against best current practice, pure and simple. -- Atro Tossavainen, Chairman of the Board Infinite Mho Oy, Helsinki, Finland tel. +358-44-5000 600, http://www.infinitemho.fi/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On 2021-11-25 at 09:22:05 UTC-0500 (Thu, 25 Nov 2021 16:22:05 +0200) Mary via mailop is rumored to have said: But that is not a real solution is it? Maybe linode and spamhaus can come up with a better solution between them? Sure. Linode could decide to stop operating a public nuisance and police their sewer more effectively. Historically, Spamhaus has a long record of delisting network operators who reform their abuse-handling. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
Hi, I think Linode does not follow the /64 rule and assigns thousands of customers within the 2a01:7e01::/64 block. They user a bunch of blocks, depending on their data centre. I think by default each client is assigned a single /128 IPv6 address per server. See https://www.spamhaus.org/organization/statement/012/spamhaus-ipv6-blocklists-strategy-statement :( Indeed. That would seem like a very counterproductive approach from Linode. As talvi.dovecot.org is also on the list, which provides Dovecot mailinglists - does Upcload also assign only a /128 from a /64 shared with other customers? Regards Bjoern ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On Thu, Nov 25, 2021 at 04:22:05PM +0200, Mary via mailop wrote: > > But that is not a real solution is it? It is because it's the right thing to do in the first place. > Maybe linode and spamhaus can come up with a better solution between them? I would not expect any changes on the policy of the latter. > > > > On Thu, 25 Nov 2021 13:48:27 + Riccardo Alfieri via mailop > wrote: > > > Hi Mary, > > > > please see: > > https://www.linode.com/community/questions/266/ipv6-64-blocks-on-linode > > > > Linode can assign you a /64 that will probably solve your problems. > ___ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop -- Atro Tossavainen, Chairman of the Board Infinite Mho Oy, Helsinki, Finland tel. +358-44-5000 600, http://www.infinitemho.fi/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
Well, RIPE itself (https://www.ripe.net/publications/docs/ripe-690) states that it's a best practice to assign to an end user no less than a /64 On 25/11/21 15:22, Mary via mailop wrote: But that is not a real solution is it? Maybe linode and spamhaus can come up with a better solution between them? On Thu, 25 Nov 2021 13:48:27 + Riccardo Alfieri via mailop wrote: Hi Mary, please see: https://www.linode.com/community/questions/266/ipv6-64-blocks-on-linode Linode can assign you a /64 that will probably solve your problems. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop -- Best regards, Riccardo Alfieri Spamhaus Technology https://www.spamhaustech.com/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
But that is not a real solution is it? Maybe linode and spamhaus can come up with a better solution between them? On Thu, 25 Nov 2021 13:48:27 + Riccardo Alfieri via mailop wrote: > Hi Mary, > > please see: > https://www.linode.com/community/questions/266/ipv6-64-blocks-on-linode > > Linode can assign you a /64 that will probably solve your problems. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
Hi Mary, please see: https://www.linode.com/community/questions/266/ipv6-64-blocks-on-linode Linode can assign you a /64 that will probably solve your problems. On 25/11/21 11:33, Mary via mailop wrote: Hello everyone, I noticed today that spamhaus.org is blocking large net blocks of IPv6 (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode are being blocked en mass (for IPv6 only). Is there a way to inform spamhaus about this rather aggressive blocking and get things sorted? Thank you. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop -- Best regards, Riccardo Alfieri Spamhaus Technology https://www.spamhaustech.com/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On Thu, Nov 25, 2021 at 03:07:02PM +0200, Mary via mailop wrote: > > I think Linode does not follow the /64 rule and assigns thousands of > customers within the 2a01:7e01::/64 block. They user a bunch of blocks, > depending on their data centre. > > I think by default each client is assigned a single /128 IPv6 address per > server. See https://www.spamhaus.org/organization/statement/012/spamhaus-ipv6-blocklists-strategy-statement > :( Indeed. That would seem like a very counterproductive approach from Linode. > > > On Thu, 25 Nov 2021 05:57:03 -0600 Jarland Donnell via mailop > wrote: > > > Blacklists tend to target a whole /64 at once for IPv6 and this is > > standard behavior. I just looked at my two Linode VMs and both have one > > IPv6 from the same /64. It's possible that Linode is assigning a /64 per > > customer and that no one else is in the same /64 as you. This is a > > reasonable expectation, and while arguing over v6 implementation will > > probably continue for the rest of my lifetime, this is an expected > > standard. Here's a little fun thing people like to use as a quick > > reference on that note: https://slash64.net/ > > > > This would suggest that Spamhaus is not blocking all of Linode's IPv6, > > but instead just you, a single customer with a single /64. This would be > > for the reasons that they note, and would need to be resolved prior to > > requesting delisting. If you're certain that the listing has nothing to > > do with you, then you'll want to ask Linode support if there could be > > anyone else on that /64. If they say yes, stop sending mail over IPv6 > > from Linode right away, because blacklists will target a /64 at once and > > Linode's implementation will be proven at that moment to be bad. I don't > > think that'll be the case though. > > > > On 2021-11-25 05:15, Mary via mailop wrote: > > > I first noticed that all outgoing emails that are using IPv6 > > > addresses, are being rejected by anyone using zen.spamhaus.org > > > > > > I then tried a bunch of my addresses and they all tested as listed in > > > https://check.spamhaus.org/ > > > > > > Please see attached screenshot. > > > > > > > > > > > > On Thu, 25 Nov 2021 12:52:18 +0200 Atro Tossavainen via mailop > > > wrote: > > > > > >> On Thu, Nov 25, 2021 at 12:33:54PM +0200, Mary via mailop wrote: > > >> > Hello everyone, > > >> > > > >> > I noticed today that spamhaus.org is blocking large net blocks of IPv6 > > >> > (2a01:7e01) owned by Linode. Pretty much all my clients hosted at > > >> > Linode are being blocked en mass (for IPv6 only). > > >> > > >> https://www.spamhaus.org/sbl/listings/linode.com contains nothing on > > >> IPv6. What exactly are you seeing? > > >> > > >> > Is there a way to inform spamhaus about this rather aggressive > > >> > blocking and get things sorted? > > >> > > > >> > Thank you. > > >> > > > >> > > > >> > > > >> > > > >> > ___ > > >> > mailop mailing list > > >> > mailop@mailop.org > > >> > https://list.mailop.org/listinfo/mailop > > >> > > >> -- > > >> Atro Tossavainen, Chairman of the Board > > >> Infinite Mho Oy, Helsinki, Finland > > >> tel. +358-44-5000 600, http://www.infinitemho.fi/ > > >> ___ > > >> mailop mailing list > > >> mailop@mailop.org > > >> https://list.mailop.org/listinfo/mailop > > > > > > ___ > > > mailop mailing list > > > mailop@mailop.org > > > https://list.mailop.org/listinfo/mailop > > ___ > > mailop mailing list > > mailop@mailop.org > > https://list.mailop.org/listinfo/mailop > ___ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop -- Atro Tossavainen, Chairman of the Board Infinite Mho Oy, Helsinki, Finland tel. +358-44-5000 600, http://www.infinitemho.fi/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
I think Linode does not follow the /64 rule and assigns thousands of customers within the 2a01:7e01::/64 block. They user a bunch of blocks, depending on their data centre. I think by default each client is assigned a single /128 IPv6 address per server. :( On Thu, 25 Nov 2021 05:57:03 -0600 Jarland Donnell via mailop wrote: > Blacklists tend to target a whole /64 at once for IPv6 and this is > standard behavior. I just looked at my two Linode VMs and both have one > IPv6 from the same /64. It's possible that Linode is assigning a /64 per > customer and that no one else is in the same /64 as you. This is a > reasonable expectation, and while arguing over v6 implementation will > probably continue for the rest of my lifetime, this is an expected > standard. Here's a little fun thing people like to use as a quick > reference on that note: https://slash64.net/ > > This would suggest that Spamhaus is not blocking all of Linode's IPv6, > but instead just you, a single customer with a single /64. This would be > for the reasons that they note, and would need to be resolved prior to > requesting delisting. If you're certain that the listing has nothing to > do with you, then you'll want to ask Linode support if there could be > anyone else on that /64. If they say yes, stop sending mail over IPv6 > from Linode right away, because blacklists will target a /64 at once and > Linode's implementation will be proven at that moment to be bad. I don't > think that'll be the case though. > > On 2021-11-25 05:15, Mary via mailop wrote: > > I first noticed that all outgoing emails that are using IPv6 > > addresses, are being rejected by anyone using zen.spamhaus.org > > > > I then tried a bunch of my addresses and they all tested as listed in > > https://check.spamhaus.org/ > > > > Please see attached screenshot. > > > > > > > > On Thu, 25 Nov 2021 12:52:18 +0200 Atro Tossavainen via mailop > > wrote: > > > >> On Thu, Nov 25, 2021 at 12:33:54PM +0200, Mary via mailop wrote: > >> > Hello everyone, > >> > > >> > I noticed today that spamhaus.org is blocking large net blocks of IPv6 > >> > (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode > >> > are being blocked en mass (for IPv6 only). > >> > >> https://www.spamhaus.org/sbl/listings/linode.com contains nothing on > >> IPv6. What exactly are you seeing? > >> > >> > Is there a way to inform spamhaus about this rather aggressive blocking > >> > and get things sorted? > >> > > >> > Thank you. > >> > > >> > > >> > > >> > > >> > ___ > >> > mailop mailing list > >> > mailop@mailop.org > >> > https://list.mailop.org/listinfo/mailop > >> > >> -- > >> Atro Tossavainen, Chairman of the Board > >> Infinite Mho Oy, Helsinki, Finland > >> tel. +358-44-5000 600, http://www.infinitemho.fi/ > >> ___ > >> mailop mailing list > >> mailop@mailop.org > >> https://list.mailop.org/listinfo/mailop > > > > ___ > > mailop mailing list > > mailop@mailop.org > > https://list.mailop.org/listinfo/mailop > ___ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
Blacklists tend to target a whole /64 at once for IPv6 and this is standard behavior. I just looked at my two Linode VMs and both have one IPv6 from the same /64. It's possible that Linode is assigning a /64 per customer and that no one else is in the same /64 as you. This is a reasonable expectation, and while arguing over v6 implementation will probably continue for the rest of my lifetime, this is an expected standard. Here's a little fun thing people like to use as a quick reference on that note: https://slash64.net/ This would suggest that Spamhaus is not blocking all of Linode's IPv6, but instead just you, a single customer with a single /64. This would be for the reasons that they note, and would need to be resolved prior to requesting delisting. If you're certain that the listing has nothing to do with you, then you'll want to ask Linode support if there could be anyone else on that /64. If they say yes, stop sending mail over IPv6 from Linode right away, because blacklists will target a /64 at once and Linode's implementation will be proven at that moment to be bad. I don't think that'll be the case though. On 2021-11-25 05:15, Mary via mailop wrote: I first noticed that all outgoing emails that are using IPv6 addresses, are being rejected by anyone using zen.spamhaus.org I then tried a bunch of my addresses and they all tested as listed in https://check.spamhaus.org/ Please see attached screenshot. On Thu, 25 Nov 2021 12:52:18 +0200 Atro Tossavainen via mailop wrote: On Thu, Nov 25, 2021 at 12:33:54PM +0200, Mary via mailop wrote: > Hello everyone, > > I noticed today that spamhaus.org is blocking large net blocks of IPv6 (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode are being blocked en mass (for IPv6 only). https://www.spamhaus.org/sbl/listings/linode.com contains nothing on IPv6. What exactly are you seeing? > Is there a way to inform spamhaus about this rather aggressive blocking and get things sorted? > > Thank you. > > > > > ___ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop -- Atro Tossavainen, Chairman of the Board Infinite Mho Oy, Helsinki, Finland tel. +358-44-5000 600, http://www.infinitemho.fi/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
I first noticed that all outgoing emails that are using IPv6 addresses, are being rejected by anyone using zen.spamhaus.org I then tried a bunch of my addresses and they all tested as listed in https://check.spamhaus.org/ Please see attached screenshot. On Thu, 25 Nov 2021 12:52:18 +0200 Atro Tossavainen via mailop wrote: > On Thu, Nov 25, 2021 at 12:33:54PM +0200, Mary via mailop wrote: > > Hello everyone, > > > > I noticed today that spamhaus.org is blocking large net blocks of IPv6 > > (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode > > are being blocked en mass (for IPv6 only). > > https://www.spamhaus.org/sbl/listings/linode.com contains nothing on > IPv6. What exactly are you seeing? > > > Is there a way to inform spamhaus about this rather aggressive blocking and > > get things sorted? > > > > Thank you. > > > > > > > > > > ___ > > mailop mailing list > > mailop@mailop.org > > https://list.mailop.org/listinfo/mailop > > -- > Atro Tossavainen, Chairman of the Board > Infinite Mho Oy, Helsinki, Finland > tel. +358-44-5000 600, http://www.infinitemho.fi/ > ___ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On 25 Nov 2021, at 10:33, Mary via mailop wrote: > I noticed today that spamhaus.org is blocking large net blocks of IPv6 > (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode are > being blocked en mass (for IPv6 only). > > Is there a way to inform spamhaus about this rather aggressive blocking and > get things sorted? It’s on the XBL rather than the SBL: https://check.spamhaus.org/listed/?searchterm=2a01:7e01:: "A device using 2a01:7e01::/64 is infected with malware and is emitting spam.” Coincidentally there’s also a CSS (so SBL) listing for 2a01:7e00::/32, also Linode. Graeme signature.asc Description: Message signed with OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
On Thu, Nov 25, 2021 at 12:33:54PM +0200, Mary via mailop wrote: > Hello everyone, > > I noticed today that spamhaus.org is blocking large net blocks of IPv6 > (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode are > being blocked en mass (for IPv6 only). https://www.spamhaus.org/sbl/listings/linode.com contains nothing on IPv6. What exactly are you seeing? > Is there a way to inform spamhaus about this rather aggressive blocking and > get things sorted? > > Thank you. > > > > > ___ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop -- Atro Tossavainen, Chairman of the Board Infinite Mho Oy, Helsinki, Finland tel. +358-44-5000 600, http://www.infinitemho.fi/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
[mailop] spamhaus blocking Linode IPv6 (2a01:7e01)
Hello everyone, I noticed today that spamhaus.org is blocking large net blocks of IPv6 (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode are being blocked en mass (for IPv6 only). Is there a way to inform spamhaus about this rather aggressive blocking and get things sorted? Thank you. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
