IPv6 and the trouble with being happy

October 28th, 2013 by

A few days ago we unveiled our IPv6 Health Check tool, and it very quickly proved its worth.

There are plenty of other IPv6 website checkers already out there that do a cursory check to make sure that you have some IPv6 addresses for your website, nameservers, and mail servers. Our checker attempts to dig a little deeper. Do your webservers actually respond over IPv6? On all addresses? Do all your MXs have working IPv6 reverse DNS? Are your DNS entries dependent on other zones that don’t have IPv6 nameservers?

One user pointed us towards the results for one of the Regional Internet Registries, initially because it broke the checker. A few bug-fixes (both in our code, and in CPAN modules) later, and we’d determined that there was a real problem behind it: www had two AAAA records, both servers were up, but only one was accepting connections on its IPv6 address. Connections to the other server eventually timed out.

Although this issue would cause real problems to an IPv6-only user, this is exactly the kind of problem that the Happy Eyeballs (aka Fast Fallback) algorithm does a perfect job of masking. If you pick the duff IPv6 server out of the DNS, it’ll almost immediately and silently fall back on an IPv4 server. Even if you use a tool like SixOrNot to show you what connection got used, it may not be obvious that something is amiss, as falling back to IPv4 becomes part of normal operation.

Even in a dual-stack world, such a problem isn’t without side effects, as it would likely lead to an imbalance in the load spread between the two web servers.
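The fault described above only shows up when each AAAA address is tested on its own, with no fallback to another address or to IPv4. The following is an added example, not the Health Check tool's code; the function names, the host name and the 2001:db8:: addresses in the simulation are constructed for illustration.

```python
import socket

def resolve_aaaa(host, port):
    """Return every IPv6 address the system resolver gives for host."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_connect(addr, port, timeout):
    """Connect to one literal IPv6 address; never falls back to another."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((addr, port))

def check_each_aaaa(host, port=80, timeout=5.0,
                    resolve=resolve_aaaa, connect=tcp_connect):
    """Test every AAAA address separately and report a status per address."""
    results = {}
    for addr in resolve(host, port):
        try:
            connect(addr, port, timeout)
            results[addr] = "ok"
        except socket.timeout:
            results[addr] = "timeout"
        except OSError as exc:
            results[addr] = "error: " + (exc.strerror or str(exc))
    return results

def healthy(results):
    """Healthy only if at least one address exists and all of them answer."""
    return bool(results) and all(v == "ok" for v in results.values())

# Constructed simulation of the fault: two AAAA records, one server silent.
# 2001:db8::/32 is the documentation prefix, so nothing here touches the network.
def fake_resolve(host, port):
    return ["2001:db8::1", "2001:db8::2"]

def fake_connect(addr, port, timeout):
    if addr == "2001:db8::2":
        raise socket.timeout("timed out")

def demo():
    return check_each_aaaa("www.example.org",
                           resolve=fake_resolve, connect=fake_connect)

if __name__ == "__main__":
    report = demo()
    print(report, "healthy" if healthy(report) else "UNHEALTHY")
```

A Happy Eyeballs client would report success for this host; the per-address check reports one address as timing out.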

We’re continuing to broaden the range of tests performed by the tool in order to help catch the less obvious problems that can occur when IPv6-enabling your site.

Are you ready for IPv6?

October 23rd, 2013 by

Ever wondered whether users would get to your website in an IPv6-only world? Well, now you can find out. Our IPv6 Health Check tool checks not only that your web and mail servers are accessible via IPv6 addresses, but also that you can obtain those addresses from DNS using IPv6.


Should you care? Well, typing domains for a few well-known websites into the checker reveals that the IPv6 Internet isn’t currently a very exciting place, so it’s going to be a little while before not having an IPv6 presence becomes a problem. On the other hand, there’s a growing number of users with both IPv4 and IPv6 connectivity, with the latter being preferred. Google recently announced that over 2% of their traffic was now over IPv6[1], so if you’re going to list IPv6 addresses for your servers then it’s important that they work.


1. Although you still need an IPv4 connection to find Google in the first place.

Update on spam from Communicado Ltd.

October 22nd, 2013 by

I’ve been keeping an eye on the effectiveness of the blacklist that we recently installed to block spam from Communicado Ltd.

The number of messages directed at our servers seems to vary significantly, but we’ve seen close to 1,000 in a single day rejected by the filter. Whilst not a huge number in the grand scheme of things (our servers reject several connections per second using IP blacklists), it’s a pretty significant number to be spread amongst a relatively small number of customers.

What we have noticed is that the domains that we’re now seeing have been registered increasingly recently, suggesting that the older domains are becoming unusable due to people blocking them. So, we have an arms race between our ability to keep our blacklist up to date, and their ability to keep buying and deploying domains. This is actually a good thing because the domains cost the spammers at Communicado real money, so if enough people use the blacklists and keep them up-to-date then sending spam in this way will become uneconomical. In the meantime, the only consolation of the spammers chucking all this money at Nominet is that we occasionally get to drink it.

I did some mining of our mail logs, and identified another half dozen Communicado domains. Martin fed these into his Nominet search tool yielding another 1,000 or so domains, so we’ve now got over 5,000 on the list.

If you run a mail server and aren’t already using it, please add the blacklist to your configuration and keep it up-to-date.

The endless war on spam

October 16th, 2013 by

We’ve just put in place a new spam blacklist. What’s unusual about this list is that it’s a list of sender domains. Filtering on sender domains is not normally something we’d consider since standard operating procedure for spammers is to use a fake sender address containing a legitimate domain.

In this case, it seems that a particular company, Communicado Ltd, has gone to the trouble of registering a very large number of UK domains specifically for the purposes of spamming. We first noticed this in response to a customer complaint last week, and the thing that got my interest was that the various different domains had valid SPF records. For example:

$ host -t txt hurvabne.co.uk
hurvabne.co.uk descriptive text "v=spf1 a mx ip4:76.73.88.0/24 ip4:76.73.91.0/24 ~all"

SPF isn’t the world’s greatest anti-spam measure, but a pass on a record with specific IPs is generally a pretty positive indicator, as you have to either compromise the mail server or the DNS server – or own the domain.

What I didn’t twig was just how many domains were involved, or that they were all owned by the same company, until one of my colleagues came across Martin A. Brooks’ blog post, which identifies over 4,500 domains owned by this single outfit.

Martin has kindly shared his list of domains and we’re now filtering using it.

For what it’s worth, those domains will have cost them the best part of £17k for a year’s registration (somehow, I don’t think they’ll be renewed).
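To show why a sender-domain list works in this case, the added example below (not the filter we run, and not code from Martin's post) evaluates the ip4 mechanisms of the SPF record quoted above and then applies a domain blacklist to the envelope sender. The sender address, the client IPs and the one-entry blacklist are constructed; the `a` and `mx` mechanisms are skipped because they need DNS lookups.

```python
import ipaddress

# SPF record as quoted on this page; the blacklist entry is the same domain.
RECORD = "v=spf1 a mx ip4:76.73.88.0/24 ip4:76.73.91.0/24 ~all"
BLACKLIST = {"hurvabne.co.uk"}

def spf_ip4_result(record, client_ip):
    """Evaluate only ip4 mechanisms and 'all' (simplified; no DNS lookups)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "pass"  # a mechanism without a qualifier means '+'
        if term[0] in qualifiers:
            qual, term = qualifiers[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return qual
        elif name == "all":
            return qual
    return "neutral"

def sender_domain(envelope_from):
    """Domain part of the envelope sender, lower-cased."""
    return envelope_from.rsplit("@", 1)[-1].rstrip(".").lower()

def is_listed(domain, blacklist):
    """True if the domain or any parent domain is on the list."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def decide(envelope_from, client_ip, spf_record, blacklist):
    """Return (action, spf_result); a listed domain is rejected even on SPF pass."""
    spf = spf_ip4_result(spf_record, client_ip)
    action = "reject" if is_listed(sender_domain(envelope_from), blacklist) else "accept"
    return action, spf

if __name__ == "__main__":
    # Constructed message: sender and client IP are made up for the example.
    print(decide("offers@hurvabne.co.uk", "76.73.88.25", RECORD, BLACKLIST))
```

The SPF pass shows the sender domain is not forged, which is exactly what makes rejecting on the domain safe here.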