The migration towards IPv6, which has been made necessary by the expansion of the internet, will make it harder to filter spam messages, service providers warn. The current internet protocol, IPv4, has a limited address space which is reaching exhaustion* thanks to the fast uptake of internet technology in populous countries …
Although single-IP blacklists might struggle, you'll probably find that with IPv6 the bad guys will still often operate out of known bad (or suspect) blocks of IP addresses. Remember, IP addresses are not handed out randomly.
Incidentally, the bad guys seem to be very adept at getting blocks of IPv4 in /24, /23 or even /22 chunks. Once they have destroyed the reputation of these blocks (often permanently) they move on. I wonder how much of the IPv4 address space is currently widely blacklisted?
bad reputation and timeout
Software which compiles blacklists is likely to generate too many false positives if bad reputation resulting from ancient spam doesn't time out. It's easy enough to maintain a real time record of timestamped spamtrap hits for the IP address in question and remove it from the blacklist unless it has generated enough recent bad email.
Re: Bad neighbourhoods
"Incidentally, the bad guys seem to be very adept at getting blocks of IPv4 in /24, /23 or even /22 chunks. Once they have destroyed the reputation of these blocks (often permanently) they move on. I wonder how much of the IPv4 address space is currently widely blacklisted?"
They FUBAR'd the netblock where I have my main SMTP server. Some lists let me whitelist my addy, but SORBS has a jackass reputation for netblocking without any whitelisting option. Jackasses!
I would presume that under IPv6 it will simply be a matter of blocking whole /64 blocks to prevent the zillion IP roulette o' spamming servers. Whitelisting would help for those who actually run respectable servers...
"As an example, the address space is so large that it would be easy for spammers to use a single IP address just once to send a single email,"
Did anyone else think, "One-time unisphere address" from Peter F. Hamilton's Commonwealth books on reading that?
Shotgunning, I believe
I liked the penalties imposed!
Seriously though - move on from blacklist individual IPv4 addresses to blacklist the entire /64 Ipv6 block.
The one time address was not enough
The comms in the commonwealth books also used signing with certificates. A shotgun from an unknown user would have been ignored by most of the population. A shotgun from a grand family memmber... Hmm... Entirely different story.
So, following the same analogy, IPv6 will probably lead us towards the universal acceptance of certificates for email much faster than we think.
I would ignore spam even if it came from Kate Middleton.
I'm still waiting for Google to release u-shadow...
Have they not heard of aggregation?
Surely you just filter the entire /64 the person is spamming from, best practice is for each unique customer to get their own /64, so that shouldn't cause any issues with one customer causing problems for others.
You can then quite easily do a bit of checking and if you build up a large number of /64s you block the containing e.g. /48 or whatever. Given I've just come up with this in about a minute, you'd expect the anti-spam companies to have already sorted it given they've had since 1998 to do so!
As far as I'm aware, the plan is for residential customers to have a /64 block (as that's the smallest block allowed), and anything less would screw around with autoconfiguration.
So immediately spam filtering can be done on 64 blocks, there's *only* 1.8 x 10^19 of them!
IPs assignement and routing
IPs must be:
Without this two operations you can set whatever IP you like to your PC and it won't work.
Until now IP assignment procedures has been pretty lame, spammers has been able to hijack whole blocks (see for example Spamhaus DROP list) while Internet authorities was sleeping and did nothing, and criminal ISP helped spammer to use the hijacked IP blocks.
If IANA, RIRs and other network authorities start to work seriously against rogue IPs is not difficult at all to block criminals and throw bad ISPs out of the Internet. If they believe they can be paid to do nothing like they did till now, well, IP6 will be a spammer & C. panacea.
What a load of FUD.
So what if there's suddenly loads more addresses available? The baddies still need to compromise computers to send the spam and there will be the same number of computers/connections (ok, slightly more due to increasing market; nothing to do with ipv6)... so just block the /64 ranges the same as we currently block single IP4 addresses.
It's not like we're saying that on day x there will be 4.3x10^9 internet devices and on day (x+1) there will be 3.4x10^38
I don't think that even the Chinese can ramp up manufacturing quickly enough for that!
Yes (I think).
IPv6 theoretically allows an astonishing number of distinct device addresses to exist - but they don't have to be allowed to. The size will propbably rise fast as IPv6 is adopted and we stop hiding behind network address translation servers - although maybe you don't want people to know the real addresses of all your devices (but, 192.168.1.1, yo - or whatever the default is) - but not to exhaust the address space.
Then again... if my nearly-invented IPv6 cell phone is supposed to connect to my home wireless network with the phone's own constant IP address, and if the device itself also can change that address to any unused address, then it does become slightly more difficult for the good guys to find out where the spam is coming from.
"The IPv6 address space is so large it wouldn't be scalable from the bad-guys perspective"
Whoever would need more than 64k or memory? I mean, tch!
Let's not panic here...
While statements asserting the vastness of the IPv6 address space are completely true, the conclusion that this means IPv6 reputation is impossible completely misses the point. IPv4 reputation tracking techniques would certainly fail to translate directly into IPv6, but why is that the only option? That's like replacing a wood house with a steel-frame house, but building it using exactly the same architectural plans. A different underlying technology gives the opportunity to innovate and establish an environment where carriers can get the IP-based reputation information they need. I’ve got some more thoughts on the topic in a blogpost. Google “MessageSystems blog” if you’re interested.
Cloudmark advocates what?
>"Cloudmark advocates that ISPs do not initially need to be able to receive mail from IPv6 addresses (on inbound) except from their own customers (known as outbound),"
Err, what? They're saying that ISPs don't need to be able to receive any inbound mail except for the outbound mail?
> Paton explained.
An "explanation" is supposed to make the meaning of something clearer, not mangle it in overly-verbose gibberish...
@Cloudmark advocates what? → #
Hotmail, Gmail, Yahoo, BT, AOL, VirginMedia have no reason to accept IP6 from each other.
That's several hundred million email addresses sorted. or do you belive when you send an email via gmail to a hotmail account, it is sent from your pc to your mates?
And why not?
Why shouldn't they accept IPv6 from each other? Give me a SINGLE good reason! Gmail isn't going to be blacklisting Yahoo! any more than Hotmail, so it has nothing to do with this wannabe story anyways. Between DNSSEC, DKIM, and SFP, there's a pretty good chance that "This IPv6 connection that says it is Gmail" is probably #@*$ Gmail! Who cares if it's IPv4, IPv6, or DECnet for all that matter!
Why make life difficult?
Right now very few - if any - email servers are on IPv6. I bet there's precious little SMTP traffic on there. Email servers don't pop up every five minutes so chances are very good that they can be restricted to IPv4. Since that will help alleviate a problem we might as well do it.
Your response implies that you think there's a problem with this idea. I don't see it bothering anyone except a few bad guys. For genuine users it's a non-issue.
Seems to me like low hanging fruit worth picking.
IP filtering is often evil anyway
Maybe I'm biased because I've been using ISP's which sometimes ended up in IP based filters, but I think this is a bonus and not a con. There are too many, IMO ignorant or arrogant, lists out there which will easily enter IP's which belong to an ISP itself, merely because some of its customers have caused issues (or may have).
And so they deem it necessary to simply block the entire ISP and because of that all of its customers.
Sure; I know: "tell the ISP so they can contact the list and so....". Yeah right. With good ISP's that will work out, no problem. But who will eventually be paying for the overhead costs of all that? And as such; many ISPs I'm familiar with block port 25 and you can get one open by paying an extra fee.
I understand the need, don't get me wrong, but I do think that it also goes to show you that in a lot of cases IP blocking is plain out evil and ignorant.
@IP filtering is often evil anyway
Wholeheartedly agree ShelLuser, I use several ISPs some of whom are very good at getting blocks lifted, but because there are so many block lists this can take multiple days in some cases - and in that time you can lose a lot of business.
I am under the impression there are a lot of feasible methods out there to effectively stop spam dead, but because we are having to deal with so many disparate attempts to do the same thing and there is a lack of effective management of the entire net, that we will be forever losing to spammers.
I am under the impression that too many big companies are making good money selling antispam.
I look forward to the day when we can ditch email for the un-secured piece of s**t it has become.
"many ISPs I'm familiar with block port 25 and you can get one open by paying an extra fee."
Good! That's best practice to fight against zombie machines. What is the problem with having your local SMTP server relay all outgoing email to your ISP's SMTP server to then handle? That's how it should work anyhow!
How about when you don't want to use the ISP provided e-mail address?
Nobody *sane* uses an ISP provided e-mail address - what about when you want to change ISP, your ISP goes under or some other drama? Suddenly you have to change e-mail addresses, and if you're foolish enough to be a business that's using an ISP's e-mail address not only do all your contacts have to change your e-mail address but you have to reprint stationary as well...
Webmail is, of course, the answer to many problems and as dubious as some find them, gmail, hotmail, yahoo mail, etc do provide a non ISP specific e-mail address and the upshot is that you don't have to use a local mail client as well.
"Good! That's best practice to fight against zombie machines."
You mean the lazy way.
The problem is that a lot of spam filters take one look at the headers and see the relay and block you.
Lucky a lot of hosts setup a different port so you can bypas the block.
Most clueful users will be using SSL to a submission port anyhow. And clueful admins will have this set up for their users to access.
Go do some research.
>How about when you don't want to use the ISP provided e-mail address?
How about you learn how SMTP works?
Using your ISP's outgoing SMTP server doesn't mean you have to use an email address they have provided. All it does is - perhaps - obfuscate the sender information since you are effectively hiding behind someone else' server.
The only reasons not to use your ISP's SMTP server are:
* You want to implement effective SPF.
* Your ISP's server keeps being blacklisted.
Pick a better list
I find IP address blacklists to be extremely useful. There's a lot of address space that is completely unmaintained or owned by criminals. A blacklist is not only efficient to implement, but pressures the network into cleaning up or going out of business. If there are too many false positives you can use a less aggressive blacklist.
Content filtering is a losing game. The CPU power in hijacked networks always beats the CPU power in your analyzer. Finding ways to beat your filter is trivial and of no cost to the spammer.
Yes port 25 should be blocked for most residential ISP IP addresses.
If you need to send SMTP from your home, either send via submission (SMTP+TLS+SMTPAuth (SASL)) to your mail server at your colo (Also works with Google and Yahoo). Or get business class service where if there isn't a public record of how to send the torches and pitchforks to your home, they can atleast take them to your ISP.
As for the can't blacklist. FUD. Greylisting kills most of the garbage. Yes there are idiot mail sources that don't work with greylisted recipients (FedEx, Google, Messagelabs). But they are fairly well known and there are read to use whitelists for them, some of them even have information on how to pull the SPF records to generate the white lists.
@AndrueC / Go do some research. #
So before you start on the personal attacks, think about it first...
You are right about the reliability, SPD and your ISP's server getting blacklisted, but this is only part of the problem
Do you know how many ISPs only allow their own addresses through and nothing else? Some do allow anything but many block anything except their own addresses.
As others have said, it's really easy to block the entire /64 subnet. Done and done! This is just pure FUD.
I also have the "This measure will also protect the IPv4 reputation system that is currently in use and working well." quote. WHAT IPv4 reputation system? I'm not liable to trust an IPv4 IP any more than I am an IPv6 one!
It's not all about addresses
IPV6, if done correctly, provides the basis for a more reliable and, in theory at least, a safer (for a a given value of safe) infrastructure. As this requires network admins who know what they're doing I'll agree that this is promise is unlikely to be fulfilled.
Anyway, botnets are the way forward. With or without quadrillions of addresses you can't rely on blacklists for them.
/64 is still much bigger than IPv4.
If you're blocking hacked customer IPs, then going from blocking an IPv4 /32 (single IP) to blocking an IPv6 /64 (home network) is still squaring the problem you have.
Spamhaus' PBL, which lists domestic dynamic IP ranges that aren't supposed to host MTAs, is going to become much more important than their SBL, for example.
Personal Mail Servers
"Relatively speaking, there are very few real mail servers in the world"
Does that include the one sitting under my desk at home?
it is quite unusual for an individual to have a static IP or 2, presuming you are running a webserver with it's own nameserver set ..
point is that even webservers handling 1000s of websites may have only 2 static IPs and a single mailserver handling all the @website.tld addresses
I doubt mailservers are taking even 0.5% of IPv4 addresses .. very large mailservers might be handling 100,000s of customer addresses each ..
if you are troubled by spam
go here and get yourself an account. Virtually spam free email.
I'm sure Marty will gladly tell you how it is done, quite simply and very effective. IPV4 or 6, no problem
signed, a happy customer
Not a problem for good IP reputation services
There are a bunch of ways to do this. As I just blogged - http://threatstop.wordpress.com/2011/03/08/ipv6-and-ip-reputation/ - our IP reputation system works just fine with IPv6 /64s (or even /48s or whatever other net block size is required).
Although the address space of IPv6 is much larger, addresses are given out in blocks... It doesn't matter if a spammer is using a million different addresses if they are all part of his /64 block, you can just blacklist the block itself.
Also a single ISP will only get a single /32 block, unlike the current situation where an abusive ISP can get a number of completely different IPv4 ranges that spammers can use, making it much easier to block a rogue ISP.
Second most clueless IPv6 FUD so far
This is the second dumbest FUD about IPv6 I've yet seen - the worst being the guy on Slashdot assuring me that we should all rush to adopt IPv6 because it makes it impossible for viruses to spread.
Right now, spammers like the outfit on wrmN.com (with a rotating number for the N to evade crude blocklists) get themselves their own netblock - a /21 in this case - and spread their spammy antics across it. So, I plug 126.96.36.199/21 into my MTA's filter list and they're reduced to a few log entries each day. In IPv6, maybe they'd get themselves a /48 or bigger - same problem, same solution.
OK, it'll require other MTA's to get the same filtering ability mine has - but they should have it anyway, the feature just becomes more useful this way. Or, of course, we get our upstream providers to null-route 'pink' netblocks and those who provide them with transit, which would be nice...
I agree. Spammers change tactics, spam fighters adapt, wash, rinse, repeat.
ISPs and smart hosts should give up on port 25 for client to server communication and instead move to AUTH SMTP over 587 or SSL over 465. Mail servers should have proper reverse dns and not dynamic or no rdns at all. I drop mail dead without DNS I like on the servers I run, kills tons of spam from bots running on peoples home computers. Rarely an issue, and most big ISPs like ATT do this already.
New tools and methods may have to be applied to IPv6, but it's not really anything compared to what we're doing already
As usual, the wrong approach
Why isn't anyone doing research into why spam is profitable? Somebody out there is clicking on those links, buying that viagra, and sending money to Lagos. Consistently remove the buyer from the market and useless spam disappears (leaving only phishing, which is easier to defend against).
Actually, I think it might be too late for open email. The future, to me, feels like web-of-trust email, where every sending address is blocked unles it is explcitly permitted by you. For example, 'accept mail from my Facebook buddies'.
Challenge response messaging
No traffic without return traffic. Want to send an e-mail, the relay server and/or receiving mail server issues a challenge, your PC computes an answer, it accepts the answer and passes the message. No messages can be sent that can;t be reverse verified. Messaged that don;t support this system get sent a return message the user has to manually reply to, and the original message is held in quarantine until that process is completed, or never delivered at all.
its a simple system, and validates both sender and receiver e-mail address and IP routing. In order for a home PC to send spam, your router will have to allow incoming SMTP traffic to your PC on a port the virus opened... not likely to happen...
This was proposed more than a decade ago, but the legitimate spam companies and businesses who send tons and tons of e-mail objected that is would cost too much server power to compute those automated answers and replies. Guess what folks, still would have cost less than stamps and snail-mail marketing or telemarketing. We let them control the industry, and now we suffer for it. Impose challenge response e-mail and other messaging systems, and we can end most spam.
Something about suckers and minutes.
Look, dude, if we could treat the underlying disease behind the symptoms (of which spam is only one of many, and is exactly why it is successful) then we wouldn't have war, poverty, racism, sexism, religious extremism, rape or murder. I'm serious. Spam is insidious (and equally brilliant) because it preys on people's insecurities and neuroses. Smart people get taken in by spam all the time.
Further, I take contention with your assertion that phishing is easier to defend against. If it was then there'd be no such thing as espionage. It's all a confidence and trust game. Sure, it might be on a computer, but the tactics are no different than they were a hundred years ago. How do you propose to prevent granny from responding to an e-mail from what looks to be her bank asking for her username and password?
As far as web-of-trust e-mail goes... welcome to 2002 (most likely earlier). Web hosts and software packages have long been offering this. You know this, right? And in regards to "accept mail from my Facebook buddies..." Man, seriously? So, you're saying that Facebook, which is EASILY hackable/phishable, is a better/more secure form of e-mail? What happens when your buddy's Facebook gets hacked and he sends you a well designed scam? You're more likely to trust it coming from someone you explicitly gave permission to e-mail you, your friend, so is it really anymore secure?
The best (only, really) defense against spam is a well trained Bayesian filter combined with a well maintained ISP/host-level blacklist. Also, knowing what not to do, what not to click on, etc. Even then, shit happens. That's why we have laws. Time to write better ones and then start enforcing them. Criminals get smarter, skirt the law. Rinse and repeat.
Address blacklists are just a kludge
They're something that's cheap and simple to implement but ultimately they're pointless because addresses are easy to forge.
Which is probably the one area v6 scores in. IPv6 in theory prevents people from hiding behind addresses. Which is both a good and a bad thing. Its good because you should be able to tie the source of the packet to the packet itself so you can quickly identify forged or unwanted packets. Its bad because now the powers that be can identify exactly who sourced what traffic....your address can become your signature...
Actually, this makes things better....
If you take a blinkered "apply the same technology in the same way" approach, then of course it will not work as effectively.
However, as many above have pointed out it is all about aggregation.
Individual organisations will generally be allocated a /48, which is 2^80 addresses. (That's what I have routed to my house....)
Although this is 2^48 times the size of the IPv4 Internet, it does not matter. Bad net behaviour from any IP address in the /48 reflects upon that organisation, and there is no need to be any more granular that this.
An ISP will get addresses in blocks of /32 (2^96 addresses). This will be allocated out in 65536 /48's to individual organisations, and THIS is where things actually get better than they are now. If an ISP is Spammer-friendly and tends to attract spamming customers, then entire /32's start to look dodgy. So we blacklist poorly behaving /32's. That finally gives us a statistical view of what an ISP is like. They're not going to be given multiple /32's until they have filled their first one. And that finally gives a tool to make even Spammer-friendly ISPs less attractive - because their network range gets blacklisted. Isn't this a win-win?
It just takes a bit of slightly more than superficial thought about the problem as a whole.
Wood explained. "The IPv6 address space is so large it wouldn't be scalable from the bad-guys perspective – the returns will diminish over time." ®
Distributed scanning is already being used by some of the C&C nets; this just means they would have to update their algorithms.
eg. your statement is false.
IP black lists have never been a valid method of network security. Just a method used by lazy people.
Let's start stirring people up about running out of MAC-48/EUI-48 address spaces! Never mind EUI-64.
Don't accept unsigned IPV6 email
Once it starts to make sense to accept IPV6 email it will make sense to accept it much more selectively than for IPV4 email. The problem with technologies similar to DNA/CSV or DKIM is that you can't reject on the basis of non adoption in IPV4 world and because of this there is too little incentive for admins to adopt these sender verification technologies. As IPV6 email adoption is so small anyway, it costs you very few false positives if you have a much more stringent acceptance criteria for IPV6 email.
That means that admins with enough of a clue to implement IPV6 have no reason not to DKIM sign all outgoing messages and install the relevant DNS records. Those who implement IPV6 without DKIM or something equally good for establishing the responsible domain will learn the hard way not to do this by having all or enough outgoing rejected.
Then you can accept/reject/defer reliably enough based upon domain reputation and simply ignore the client IPV6 address.
Once better spam accept/reject decisions are made using IPV6 email the other kind will die rather quickly.
Why not start an IPv6 whitelist and advertise appropriately. That way we can easily accept mail only from legit sources and then block spammers by removing them immediately. For that matter I'd imagine IPv4 whitelist would be smaller than the current blacklists.
Alternatively, surely we could set the system up to scan the worlds DNS servers for MX records and only accept mail from something with a valid entry? there's no reason you'd mail directly out from anything without an MX record - any device you own can route back to a company mail server first.
Just because there's a ridiculous pool of addresses has no impact on the fact that they're still being DOLLED OUT, in blocks. It will be easy to simply block all traffic from unassigned IPv6 blocks, international routers won't carry the traffic, they can;t just pick any-old IP address, they have to pick one that's been ENABLED.
Each home/residence/ small business/whatever will get a block, device manufacturers will also likely get blocks, setting the default IP of devices (think mobile phones, where all VZW phones of a certain make all use a predictable (though random enough) range of IPs, no different then we assign phone number or SIM IDs in series today).
hackers can't simply snag an IP and spam away, something has to know of that IP block and allow it to communicate, otherwise it's just a local address in a local network no router will pass traffic for... No matter how many IPs they make up behind your IPv6 home router, the ISP sees a single address range, and can quickly block the entire thing. You can;t just go grab any random public IP from your ISP, it has to be provisioned, from an available address block. IPv6 is no different. The number of addresses in use won't dramatically change (in terms of routable endpoints).
10 years on and this is *just* a problem?
Icon says it all.
- Crawling from the Wreckage Want a more fuel efficient car? Then redesign it – here's how
- Apple SILENCES Bose, YANKS headphones from stores
- Flesh-flapping, image-zapping app Snapchat NOW ad-wrapped
- Vid NASA eyeballs SOLAR HEAT BOMBS, MINI-TORNADOES and NANOFLARES on Sun
- TV Review Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots