Spamhaus IPv6 blocking issues impacting Linodes

This weekend one of our Linodes started being denied by Comcast's SMTP servers, but only via IPv6. Seems Comcast is rolling out IPv6 blocking with Spamhaus. I won't go into how frustrating it was to find out what was going on, since both Comcast and Spamhaus have no public facing search or removal tools that will accept input of IPv6 addresses. So if you get blocked, good luck figuring that out until they decide to fix that.

Anyway, with the help of a direct contact at Comcast I learned that the IPv6 address of the Linode in question was included on the Spamhaus IPv6 CSS (and therefore in Zen). Why? Because its part of an IPv6 /64 allocation that Spamhaus was listing. See the problem? Collateral damage. Kinda feels like 2002 all over again.

Spamhaus considers Linode's policy of assigning /128s (single IPs) to be "unusual" and told me to have Linode issue us our own /64 that we can move into. I'll be opening a ticket to bring this issue to the attention of the powers that be, but be aware that this can happen to you too.

4 Replies

Yes, the default SLAAC address space has ended up on some blacklists or been subject to rate-limiting. There are some prior forum topics discussing this issue and its solution (obtaining an address pool assignment). The Linode guide should probably mention this as a reason why someone would want to request an address pool.

I had the exact same problem. It is nice to know the root cause of the problem. The explanation by gbcx also explains why Comcast and Spamhaus considers my ipv6 address to be a "dynamic ip address".

I did open a ticket with Linode and their solution was to disable IPv6 support for sending email. I did not have time to question that solution, so that is what I did.

Now that a pattern has been established, it will be interesting to see what the proper solution will be.

@gbcx:

I won't go into how frustrating it was to find out what was going on, since both Comcast and Spamhaus have no public facing search or removal tools that will accept input of IPv6 addresses.
You should be able to search using nslookup or dig

http://www.spamhaus.org/organization/st … -statement">http://www.spamhaus.org/organization/statement/012/spamhaus-ipv6-blocklists-strategy-statement says

Querying IPv6 blocklists

IPv4 blocklists are queried by prepending the reversed decimal quad address to the zone to be queried. Legacy queries for IPv6 blocklists will use a similar model; the fully expanded IPv6 address is reversed by hex digit and prepended to the zone to be queried. For example, to query the address 2001:DB8:abc:123::42 the IPv6 address would be expanded, reversed and prepended to the zone to be queried, to give an example query of:

2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.1.0.c.b.a.0.8.b.d.0.1.0.0.2.zen.spamhaus.org

@sweh:

@gbcx:

I won't go into how frustrating it was to find out what was going on, since both Comcast and Spamhaus have no public facing search or removal tools that will accept input of IPv6 addresses.
You should be able to search using nslookup or dig

http://www.spamhaus.org/organization/st … -statement">http://www.spamhaus.org/organization/statement/012/spamhaus-ipv6-blocklists-strategy-statement says

Querying IPv6 blocklists

IPv4 blocklists are queried by prepending the reversed decimal quad address to the zone to be queried. Legacy queries for IPv6 blocklists will use a similar model; the fully expanded IPv6 address is reversed by hex digit and prepended to the zone to be queried. For example, to query the address 2001:DB8:abc:123::42 the IPv6 address would be expanded, reversed and prepended to the zone to be queried, to give an example query of:

2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.1.0.c.b.a.0.8.b.d.0.1.0.0.2.zen.spamhaus.org

Really? Then help explain this:

From linode:

[[email protected] ~]$ telnet mx2.comcast.net 25

Trying 2001:558:fe21:2a::6…

Connected to mx2.comcast.net.

Escape character is '^]'.

554 resimta-ch2-02v.sys.comcast.net comcast 2600:3c00::f03c:91ff:fe56:a64 found on one or more DNSBLs, see http://postmaster.comcast.net/smtp-erro … p#BL000001">http://postmaster.comcast.net/smtp-error-codes.php#BL000001

Connection closed by foreign host.

BL000001 supposedly means Zen, and a Comcast tech called me back today and gave me the CSS spiel, and CSS is in Zen.

So … to verify that:

[[email protected] ~]$ host 2600:3c00::f03c:91ff:fe56:a64

4.6.a.0.6.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.0.0.c.3.0.0.6.2.ip6.arpa domain name pointer speakup.octothorp.org.

^^^ easiest way to reverse the address without making a mistake

[[email protected] ~]$ host 4.6.a.0.6.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.0.0.c.3.0.0.6.2.zen.spamhaus.org

Host 4.6.a.0.6.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.0.0.c.3.0.0.6.2.zen.spamhaus.org not found: 3(NXDOMAIN)

Hmmmmmm. Any ideas? Has anyone got an IPv6 address that actually comes back as bad?

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct