On 3/29/13 12:58 PM, "John Levine" <johnl@xxxxxxxxx> wrote:

>>As a result, it is questionable whether any IPv6 address-based
>>reputation system can be successful (at least those based on voluntary
>>principles.)
>
>It can probably work for whitelisting well behaved senders, give or take
>the DNS cache busting issues of IPv6 per-message lookups.
>
>Since a bad guy can easily hop to a new IP for every message (offering
>interesting new frontiers in listwashing) I agree that it's a losing
>battle for blacklisting, other than blocking large ranges of hostile
>networks.

Agree. The IP blacklisting that worked well for IPv4 is completely unsuited for IPv6 (I'd go as far as to say it is a complete failure, no matter if you look at different size prefixes or not).

The only model that I personally can see working at the moment for IPv6 is a mix of domain-based reputation and whitelisting. I like domain-based better since it is managed by sending domains on a distributed basis.

Mail acceptance for IPv4 worked inclusively - receivers accept unless IP reputation or other factors failed. IMHO with IPv6 that model may need to be turned around to an exclusive one - so receivers will not accept mail unless certain factors are met (like domain-based authentication or the IPv6 address is on a whitelist).

I'd expect MAAWG will continue to be a good place for mail ops folks to work through this stuff.

- Jason
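
The inclusive and exclusive acceptance models contrasted in the message above, as an added example that is not part of the original thread. The lists, addresses (documentation prefixes), domain and function names are all constructed assumptions; the last function counts how many addresses from one /64 each model accepts when a sender uses a new address per message.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not taken from the thread.
IP_BLACKLIST = {ipaddress.ip_address("192.0.2.10"),
                ipaddress.ip_address("2001:db8:bad::1")}
IP_WHITELIST = [ipaddress.ip_network("2001:db8:600d::/48")]
GOOD_DOMAINS = {"example.org"}  # hypothetical domain-reputation list


def inclusive_accept(client_ip, authenticated_domain=None):
    """IPv4-style model: accept unless the address has a bad reputation."""
    if ipaddress.ip_address(client_ip) in IP_BLACKLIST:
        return False, "blacklisted"
    return True, "not blacklisted"


def exclusive_accept(client_ip, authenticated_domain=None):
    """Model suggested for IPv6: reject unless a positive factor is met.

    authenticated_domain is the domain that passed domain-based
    authentication for this message, or None if nothing passed.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in IP_WHITELIST):
        return True, "whitelisted address"
    if authenticated_domain and authenticated_domain.lower() in GOOD_DOMAINS:
        return True, "authenticated domain with good reputation"
    return False, "no positive factor"


def accept(client_ip, authenticated_domain=None):
    """Pick the model by address family: inclusive for IPv4, exclusive for IPv6."""
    if ipaddress.ip_address(client_ip).version == 4:
        return inclusive_accept(client_ip, authenticated_domain)
    return exclusive_accept(client_ip, authenticated_domain)


def hopping_accepted(prefix, count, policy):
    """How many of the first `count` addresses in `prefix` does `policy` accept?"""
    net = ipaddress.ip_network(prefix)
    return sum(policy(str(net[i]))[0] for i in range(1, count + 1))
```
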