Free Cloud Migration Limited Time Free Migration Service
Sign Up
Featured
Cloud Spectator Cloud Storage Benchmark Report
Cloud Spectator
Benchmark Report
Cloud Block Storage
Access Report
Why Linode
Get to Know Us Better
Featured
Free Services from Linode Free Bundled Services
Free Bundled Services
Discover our no-cost security, networking,
maintenance, and monitoring solutions.
Learn More
View All Products
Compute
Storage
Services
Networking
Developer Tools
Featured
The University of Oklahoma
Higher Ed: The University of Oklahoma
Developing Innovative Approaches
to Understanding Social and Natural Risks
Read OU Story
View All Solutions
Solutions
Featured
Total Cost of Ownership Calculator
Migrating from on-premises or between cloud providers for hosting, cloud storage, or cloud computing?
Launch Calculator
Pricing
Featured
CPU Benchmark Report Cloud CPU Benchmark Report
Cloud CPU Benchmarks
Benchmarking and analysis from Cloud Spectator includes Linode, AWS, Azure, Google Compute Engine, Alibaba, and DigitalOcean.
Download
Community
Engage With Us
Community Questions Spamhaus IPv6 blocking issues impacting Linodes
Log in to Ask a Question

Spamhaus IPv6 blocking issues impacting Linodes

email

This weekend one of our Linodes started being denied by Comcast's SMTP servers, but only via IPv6. Seems Comcast is rolling out IPv6 blocking with Spamhaus. I won't go into how frustrating it was to find out what was going on, since both Comcast and Spamhaus have no public facing search or removal tools that will accept input of IPv6 addresses. So if you get blocked, good luck figuring that out until they decide to fix that.

Anyway, with the help of a direct contact at Comcast I learned that the IPv6 address of the Linode in question was included on the Spamhaus IPv6 CSS (and therefore in Zen). Why? Because its part of an IPv6 /64 allocation that Spamhaus was listing. See the problem? Collateral damage. Kinda feels like 2002 all over again.

Spamhaus considers Linode's policy of assigning /128s (single IPs) to be "unusual" and told me to have Linode issue us our own /64 that we can move into. I'll be opening a ticket to bring this issue to the attention of the powers that be, but be aware that this can happen to you too.

8 Replies

Yes, the default SLAAC address space has ended up on some blacklists or been subject to rate-limiting. There are some prior forum topics discussing this issue and its solution (obtaining an address pool assignment). The Linode guide should probably mention this as a reason why someone would want to request an address pool.

I had the exact same problem. It is nice to know the root cause of the problem. The explanation by gbcx also explains why Comcast and Spamhaus considers my ipv6 address to be a "dynamic ip address".

I did open a ticket with Linode and their solution was to disable IPv6 support for sending email. I did not have time to question that solution, so that is what I did.

Now that a pattern has been established, it will be interesting to see what the proper solution will be.

@gbcx:

I won't go into how frustrating it was to find out what was going on, since both Comcast and Spamhaus have no public facing search or removal tools that will accept input of IPv6 addresses.
You should be able to search using nslookup or dig

http://www.spamhaus.org/organization/st … -statement">http://www.spamhaus.org/organization/statement/012/spamhaus-ipv6-blocklists-strategy-statement says

Querying IPv6 blocklists

IPv4 blocklists are queried by prepending the reversed decimal quad address to the zone to be queried. Legacy queries for IPv6 blocklists will use a similar model; the fully expanded IPv6 address is reversed by hex digit and prepended to the zone to be queried. For example, to query the address 2001:DB8:abc:123::42 the IPv6 address would be expanded, reversed and prepended to the zone to be queried, to give an example query of:

2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.1.0.c.b.a.0.8.b.d.0.1.0.0.2.zen.spamhaus.org

@sweh:

@gbcx:

I won't go into how frustrating it was to find out what was going on, since both Comcast and Spamhaus have no public facing search or removal tools that will accept input of IPv6 addresses.
You should be able to search using nslookup or dig

http://www.spamhaus.org/organization/st … -statement">http://www.spamhaus.org/organization/statement/012/spamhaus-ipv6-blocklists-strategy-statement says

Querying IPv6 blocklists

IPv4 blocklists are queried by prepending the reversed decimal quad address to the zone to be queried. Legacy queries for IPv6 blocklists will use a similar model; the fully expanded IPv6 address is reversed by hex digit and prepended to the zone to be queried. For example, to query the address 2001:DB8:abc:123::42 the IPv6 address would be expanded, reversed and prepended to the zone to be queried, to give an example query of:

2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.1.0.c.b.a.0.8.b.d.0.1.0.0.2.zen.spamhaus.org

Really? Then help explain this:

From linode:

[[email protected] ~]$ telnet mx2.comcast.net 25

Trying 2001:558:fe21:2a::6…

Connected to mx2.comcast.net.

Escape character is '^]'.

554 resimta-ch2-02v.sys.comcast.net comcast 2600:3c00::f03c:91ff:fe56:a64 found on one or more DNSBLs, see http://postmaster.comcast.net/smtp-erro … p#BL000001">http://postmaster.comcast.net/smtp-error-codes.php#BL000001

Connection closed by foreign host.

BL000001 supposedly means Zen, and a Comcast tech called me back today and gave me the CSS spiel, and CSS is in Zen.

So … to verify that:

[[email protected] ~]$ host 2600:3c00::f03c:91ff:fe56:a64

4.6.a.0.6.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.0.0.c.3.0.0.6.2.ip6.arpa domain name pointer speakup.octothorp.org.

^^^ easiest way to reverse the address without making a mistake

[[email protected] ~]$ host 4.6.a.0.6.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.0.0.c.3.0.0.6.2.zen.spamhaus.org

Host 4.6.a.0.6.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.0.0.c.3.0.0.6.2.zen.spamhaus.org not found: 3(NXDOMAIN)

Hmmmmmm. Any ideas? Has anyone got an IPv6 address that actually comes back as bad?

If you are a postfix(1) user, you can get around this by setting the following:

### force postfix to use ipv4 (f****** Comcast)
#
inet_protocols = ipv4
###inet_protocols = all

I'm convinced that Comcast is just being incredibly lazy about this… Email service is a loss leader for them so they have no incentive to make it work correctly. Besides, when you have the gold you can make the rules.

-- sw

I just worked on this issue. The problem is related to spamhaus (probably others) blocking slaac assigned (your automatically assigned linode v6 address) ipv6 addresss pools. I requested a /64 from Linode and configured a secondary interface with a /128 subnet mask, that fixed the problem.

Never had any problems whit Spamhaus IPv6 blocking, running mail hosting for over 4 years.

[@Tntdruid] (/community/user/Tntdruid) The /64 my slaac address was assigned from was on their cbl. They wouldn't remove and suggested I get a /64 which fixed the issue.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct