[Asrg] NATs and spam
Daniel Feenberg
feenberg at nber.org
Mon Mar 5 07:05:04 EST 2007
On Sun, 4 Mar 2007, Douglas Otis wrote:
>
> <snip>
>
> Perhaps in a few years there will be a forklift changeover to IPv6 when NATs
> and firewall automation go awry, where network and memory manufacturers
> rejoice. When that happens, this will likely thwart IP address scrutiny, or
> reverse lookup schemes. IPv6 may mean public "anonymous" messages cannot be
> accepted without first confirming a CA certificate. It is obvious having a
> registered domain will not represent an impediment to abuse. The cost of
> sending a message may someday be a CA cert. While something like DKIM
> offers a means for domains to assert their certificates, some type of
> accreditation analogous to a CA is still required.
>
Is SMTP mail ever likely to switch to IPv6? I don't anticipate ever
accepting mail from IPv6 addresses on our mailserver, simply because there
are too many addresses for Spamhaus to keep track of. Given the difficulty
IPv6 is having already, I would guess that even if IPv6 became very
widespread, it would never even gain a foothold for MTA senders.

I understand that in Japan IPv6 is well established. Does anyone know if
Japanese mail servers ever use it? I understand that there are plans in
the US Government to require agencies to use IPv6. Does anyone know if
those plans anticipate forbidding agencies from sending/receiving mail at
IPv4 addresses?

As (if?) IPv6 becomes more widespread, the operator of an MTA may have the
choice of keeping his IPv4 address, or getting a certificate as this
poster suggests. Since he already has the address, and the certificate
will be complicated and expensive to acquire (and of limited use, since
few receivers will recognize any particular certificate), I think the
decision will be to do nothing. New entrants will either manage to obtain
a single IPv4 address for the MTA, or use a smarthost. I don't anticipate
addresses will ever be in such shortage that it will be harder to get
*one* than any imaginable certificate.

An alternative scenario is for Spamhaus to start listing IPv6 addresses,
but in blocks of /48. But that hardly seems likely. I think MTA operators
would rather just avoid IPv6 altogether.

Daniel Feenberg
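
The /48-block listing raised in the message above, sketched as an added example (not part of the original post, and not a description of how Spamhaus or any real blocklist operates): a receiving MTA reduces each IPv6 client address to its /48 before the lookup, so one entry covers every host in the block, while IPv4 clients are still matched per address. All addresses (documentation ranges), listings and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed listings, using documentation ranges only (assumption, not real data).
LISTED_V6_BLOCKS = {ipaddress.ip_network("2001:db8:bad::/48")}
LISTED_V4_HOSTS = {ipaddress.ip_address("192.0.2.25")}

# Constructed SMTP client addresses as an MTA might log them.
SAMPLE_CLIENTS = [
    "2001:db8:bad:1::25",
    "2001:db8:bad:ffff:aaaa:bbbb:cccc:dddd",
    "2001:db8:bad:2::1",
    "2001:db8:600d::25",
    "192.0.2.25",
    "192.0.2.26",
]

def listing_key(addr, v6_prefix=48):
    """Return the unit a list would have to track for this client address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip                      # IPv4: one entry per host address
    if ip.ipv4_mapped is not None:
        return ip.ipv4_mapped          # ::ffff:a.b.c.d is really an IPv4 client
    # IPv6: mask off the low 80 bits so every host in the /48 shares one key
    return ipaddress.IPv6Network((int(ip), v6_prefix), strict=False)

def is_listed(addr):
    """True if the client's key appears in the constructed listings."""
    key = listing_key(addr)
    if isinstance(key, ipaddress.IPv6Network):
        return key in LISTED_V6_BLOCKS
    return key in LISTED_V4_HOSTS

def summarize(clients):
    """Count clients per tracked unit, showing how many entries are needed."""
    return Counter(str(listing_key(c)) for c in clients)

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(f"{client:40} key={listing_key(client)} listed={is_listed(client)}")
    print(dict(summarize(SAMPLE_CLIENTS)))
```
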