spamassassin-users mailing list archives

From John Levine <jo...@taugh.com>
Subject Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01
Date Thu, 30 Dec 2010 18:55:37 GMT
>If blacklists like CBL are currently at 100 MBs (for IPv4)... the bloat
>for IPv6 could break DNSBLs. RSYNCing Gigabyte (or terabyte!) -sized
>files is memory and CPU intensive. Loading those into rbldnsd is also
>resource expensive! Furthermore, getting that data out to DNS mirrors
>quickly and efficiently is going to be a nightmare! And... this requires
>that ALL mirrors be upgraded to accommodate the vastly larger size.

Right.  I don't think the CBL will get much larger, since it will
certainly do /64 granularity, but it'll still be a challenge to query
efficiently.

>(1) create a standard whereby non-authenticated IPv6 mail can ONLY be
>accepted by certain IPs (such as x.x.x.0

Sorry, no chance.

>(2) Why can't "Forward Confirmed reverse DNS" (FCrDNS) become a standard
>for IPv6?

Because rDNS lookups will explode your cache just as badly as DNSBL
lookups.  In the words of a friend who used to run a very large mail
system, when I asked him about IPv6 rDNS: Just Say No.  rDNS isn't
likely to be useful at all for v6, although you could try something
like CSV based on looking up the EHLO name.

>(3) A shifting of focus on whitelists is important... but some of those
>shouldn't really be "whitelists" in the traditional sense. Instead, they
>should merely indicate that an IP is a candidate for sending mail.

This one I agree with.  The Spamhaus whitelist is intended only for
very virtuous sources of mail, but it will clearly also be useful to
have what was called a yellow list a few days ago, hosts that send
enough real mail that you can't just blacklist them even if you see
some spam.

R's,
John
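
An added illustration of the /64 granularity point in the message above (not part of the original message, and not code from the CBL or any DNSBL operator): it collapses listed IPv6 senders to /64 entries and counts how many distinct query names a resolver cache keyed on the full address would still see. The zone name `dnsbl.example`, the wildcard-per-/64 publishing scheme and the sample addresses are assumptions made for the example.

```python
import ipaddress
from collections import Counter

ZONE = "dnsbl.example"  # hypothetical zone name (assumption)

# Constructed sample: one sender hopping through 200 addresses in a single
# /64, plus two hosts in a neighbouring /64 (2001:db8::/32 is documentation space).
SAMPLE = [f"2001:db8:0:1::{i:x}" for i in range(1, 201)]
SAMPLE += ["2001:db8:0:2::25", "2001:db8:0:2::26"]


def _nibbles(ip):
    """32 hex digits of an IPv6 address, most significant first."""
    return ip.exploded.replace(":", "")


def query_name(addr, zone=ZONE):
    """Per-address DNSBL query name: all 32 nibbles reversed (RFC 5782 style)."""
    ip = ipaddress.IPv6Address(addr)
    return ".".join(reversed(_nibbles(ip))) + "." + zone


def prefix64(addr):
    """The /64 network containing addr (host bits dropped)."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)


def wildcard64(addr, zone=ZONE):
    """Owner name of one wildcard record covering the whole /64 (assumed scheme)."""
    net_nibbles = _nibbles(prefix64(addr).network_address)[:16]
    return "*." + ".".join(reversed(net_nibbles)) + "." + zone


def summarize(addrs):
    """Return (distinct per-address query names, Counter of hits per /64)."""
    names = {query_name(a) for a in addrs}
    nets = Counter(prefix64(a) for a in addrs)
    return len(names), nets


if __name__ == "__main__":
    n_names, nets = summarize(SAMPLE)
    print(f"distinct query names (cache keys): {n_names}")
    print(f"list entries at /64 granularity:   {len(nets)}")
    for net, hits in nets.items():
        print(f"  {net}  hits={hits}  record={wildcard64(net.network_address)}")
```

On the sample, the published list needs two entries, while the querying side still issues 202 different names, so the list size stays bounded but each lookup is a separate cache entry.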
