on IDN and bad reporting
James Seng explained in his blog why the IDN "exploit" is nothing new or interesting. The issues related to homographs have been known for years and are not a peculiarity of IDNs, so this is nothing more than PR for a "security" group and was not even worth a Slashdot story.
The mutt upstream maintainer committed an option to disable IDN support, but I have no plan to rush adding the code to the Debian package. Spoofing email headers does not require using IDNs...
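To illustrate the point about homographs, here is an added example (not code from mutt or from this post) that decodes a domain to both its ASCII and Unicode forms and flags labels that mix scripts. The function names and the sample domains are constructed for the illustration; the ASCII-only lookalike passes the check, so disabling IDN alone does not remove lookalike names.

```python
import unicodedata


def label_scripts(label):
    """Return the scripts used by the letters of one DNS label.

    The script is approximated by the first word of the Unicode character
    name (LATIN, CYRILLIC, GREEK, ...); digits and hyphens are ignored.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_domain(domain):
    """Return (ascii_form, unicode_form, mixed_script_labels) for a domain.

    Accepts either the Unicode form or the xn-- (punycode) form. Uses
    Python's built-in IDNA 2003 codec. Only labels mixing several scripts
    are reported; a label written entirely in one non-Latin script is not.
    """
    ascii_form = domain.encode("idna").decode("ascii")
    unicode_form = ascii_form.encode("ascii").decode("idna")
    mixed = [label for label in unicode_form.split(".")
             if len(label_scripts(label)) > 1]
    return ascii_form, unicode_form, mixed


if __name__ == "__main__":
    # Constructed samples: the first contains CYRILLIC SMALL LETTER A
    # (U+0430) in place of the Latin "a"; the second is plain ASCII with
    # the digit 1 in place of the letter l.
    for name in ("ex\u0430mple.com", "examp1e.com", "example.com"):
        ascii_form, unicode_form, mixed = inspect_domain(name)
        verdict = "mixed scripts in %s" % mixed if mixed else "single script"
        print("%-22s %-14s %s" % (ascii_form, unicode_form, verdict))
```

Showing the xn-- form, which is what a mail client displays with IDN decoding turned off, makes the first sample obvious, while the second looks the same either way.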
Andre Luis Lopes totally missed the point about timeouts in name resolution: there is nothing wrong with 2.6 kernels, except that until recently all kernels used to automatically install an IPv6 default route even if no router was detected. The real problem is that BIND versions prior to 9.3 did not correctly implement timeouts for queries to name servers with both A and AAAA records and kept trying to query unreachable addresses if IPv6 connectivity was configured but not working.
The correct workarounds are upgrading BIND to 9.3, upgrading the kernel or installing a default unreachable route with a low metric (like ip -6 route add unreachable default dev lo metric 1400). And BTW, alias module off is not valid syntax for modprobe.conf.
Wouter Verhelst instead showed a complete misunderstanding of how spamming works nowadays: sending junk traffic to spam sources would not harm spammers, because almost all relevant spam sources are either compromised computers or the mail hubs of large ISPs. And the few spammers spamming from their own IP addresses can be easily filtered.