spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Troxel <...@ir.bbn.com>
Subject Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01
Date Fri, 31 Dec 2010 14:55:29 GMT

Ted Mittelstaedt <tedm@ipinc.net> writes:

> No, since the number of total host numbers in a /64 is vastly larger
> than in a /128, if you hold to single number queries then it will blow
> it out far far faster.
>
> This is why I said SA needs to be modified to treat a single hit in a
> /64 as the entire /64 is contaminated, and cease further queries on
> numbers in that /64.

A /64 is in some respects like an IPv4 /24 except that it has vastly
more hosts.  Declaring all occupants of a /64 bad due to one misbehaving
host seems no more reasonable than blacklisting an entire IPV4 /24 or
larger.

There are two separate issues here:

  ability to list individual hosts when the network running the host is
  basically reasonable but may have compromised hosts.  For this, the
  semantics of the list should be similar to the IPv4 blacklists, but
  with a larger address space and not necessarily any more entries.

  ability to aggregate blacklists of prefixes when a spammer is rotating
  through addresses to evade blacklisting.   Here, the BL operator can
  detect this and publish a blacklist entry for an entire prefix.

So a whole /64 or /48 can be blocked with one DNS-published entry, while
retaining the ability to not paint all hosts with the same brush.

Mime
View raw message