New IPv6 protocol could complicate e-mail spam filtering
March 9, 2011
The Internet's imminent migration towards the IPv6 protocol, which has been made necessary by the rapid expansion of the network, will make it a lot more difficult to efficiently filter e-mail spam messages, Internet service providers and hosting companies from all over the globe warn.
The current Internet core system, the IPv4 protocol, has a limited address space which is reaching exhaustion thanks to the rapid expansion of modern Internet technology in large countries such as India and China, and the more widespread use of smartphones.
On the other hand, the new IPv6 protocol promises 3.4 x 10^38 addresses compared to the paltry 4.3 billion IP addresses offered by IPv4. So while this expansion allows far more devices to have a unique IP address, it also creates a whole range of new issues for Internet security service providers, who have long used complex databases of known bad IP addresses to regularly maintain blacklists of junk mail bots and spammers.
E-mail spam-filtering technology typically uses these blacklists as one key component in a multi-stage junk mail filtering process that also involves examining message content. "The primary method for stopping the majority of email spam used by service providers today is to track bad IP addresses sending email and blocking them right at the source -- a process known as IP blacklisting," explained Stuart Paton, a senior solutions architect at spam-filtering firm Cloudmark.
"With IPv6 this technique will no longer be possible and could mean that email systems would quickly become largely overloaded if new approaches are not quickly developed to address this," added Paton.
Other Internet security technologies also track IP addresses for various purposes, including filtering out sources of DoS (denial of service) attacks, click fraud scams and search engine manipulation, among other things. Tracking a vastly expanded IP address space will make life a lot more complicated for network defenders, Paton warns.
And there are other Internet security firms that agree with him. "As an example, the address space is so large that it would be easy for email spammers to use a single IP address just once to send a single email," he said. "All they would need to implement is an automated system that would remember from which IPv6 address that single email was sent from, and not use it again, but instead using the next available one, and so on and so forth. This could in fact literally open the flood gates to catastrophic amounts of spam we have not even seen yet," Paton suggested.
The information security industry, cloud hosting providers and ISPs need to collaborate closely on efficient solutions to this issue, to make sure that the introduction of IPv6 does not fill inboxes with even more junk mail than under IPv4.
Meanwhile, Cloudmark suggests that interim restrictions might need to be quickly applied to preserve existing systems. "Cloudmark actually advocates that ISPs do not initially need to be able to receive mail from IPv6 addresses on inbound except from their own customers known as outbound," Paton explained. "This would ensure business continuity for ISPs. This measure will also protect the IPv4 reputation system that is currently in place and is working very well, after all the work and the vast resources that have been deployed so far."
Paul Wood, an anti-spam expert at Symantec Cloud (formerly MessageLabs), confirmed that other Internet security firms are also considering whether to apply much stricter controls on mail flow from IPv6 networks. "IPv6 is definitely a real area of concern in the anti-spam community, and opinion varies greatly on whether businesses should accept mail on IPv6 or not for this reason -- at least the first year that the new system will be rolled out," Wood said.
"I'm of the opinion that at least for the moment they shouldn't, unless the connections are from a trusted source," he added.
"Unlike Web browsing, Internet email is a two-way communications protocol, so legitimate IPv6 mail servers, outside of academia and testing environments, will still need to support IPv4 for quite a few years in my opinion. Relatively speaking, there are very few real mail servers in the world, so the starvation of IPv4 will not affect them much since there will for a very long time be a resale market in the IPv4 address space," Wood added.
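The interim policy that Cloudmark and Wood describe above, and the reason a blacklist that learns individual addresses stops catching a sender that never reuses one, sketched as an added example (not code from Cloudmark, Symantec or this article). The prefixes, addresses and function names are constructed assumptions drawn from documentation ranges.

```python
import ipaddress

# Constructed values: documentation-range prefixes stand in for an ISP's
# own customer networks and for a couple of blacklisted IPv4 senders.
TRUSTED_V6_PREFIXES = [ipaddress.ip_network("2001:db8:1000::/36")]
IPV4_BLACKLIST = {
    ipaddress.ip_address("192.0.2.25"),
    ipaddress.ip_address("198.51.100.7"),
}


def inbound_decision(peer: str) -> str:
    """Return 'accept' or 'reject' for a connecting SMTP peer address."""
    addr = ipaddress.ip_address(peer)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged as the embedded
    # IPv4 address, so it cannot sidestep the IPv4 reputation data.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 4:
        return "reject" if addr in IPV4_BLACKLIST else "accept"
    # Native IPv6: accept only peers inside a trusted (own customer) prefix.
    if any(addr in net for net in TRUSTED_V6_PREFIXES):
        return "accept"
    return "reject"


def blocked_by_learned_blacklist(senders) -> int:
    """Replay sender addresses in order, blacklisting each address after its
    first message, and count how many later messages the list would block."""
    seen = set()
    blocked = 0
    for s in senders:
        addr = ipaddress.ip_address(s)
        if addr in seen:
            blocked += 1
        else:
            seen.add(addr)
    return blocked


# Constructed traffic: one IPv4 host sending five messages, and five
# messages that each arrive from a different IPv6 address.
REPEATING_V4 = ["192.0.2.99"] * 5
ROTATING_V6 = [f"2001:db8:ffff::{i:x}" for i in range(1, 6)]

if __name__ == "__main__":
    print(blocked_by_learned_blacklist(REPEATING_V4))  # per-address list works
    print(blocked_by_learned_blacklist(ROTATING_V6))   # per-address list misses
    print([inbound_decision(a) for a in ROTATING_V6])  # interim policy rejects
```
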
Although the move to IPv6 is a headache for email spam-filtering, it might also make life harder for hackers hoping to take advantage of open relays to distribute spam or mount other types of security attacks, an added benefit if it can be termed as such.
"However, while the arrival of IPv6 is likely to eliminate the usefulness of traditional IP-based blacklists, it is also likely to reduce the issues that arise from port-scanning of open relays and other security vulnerabilities, at least for now. The IPv6 address space is so large it wouldn't be scalable from the bad-guys perspective. So the returns will diminish over time," said Wood.
And although the last large blocks of IPv4 addresses were allocated from ARIN just a few weeks ago in February, there are still plenty of assigned but unused addresses: between one and two billion in fact, estimated to be as high as 50 percent of all IPv4 addresses originally issued, some experts say.
That simply means that the resale market for IPv4 addresses is likely to last several years at a minimum, Wood and others are saying.
Last September, Cisco Systems started serving up content from its main website that supports the IPv6 protocol, the long-anticipated upgrade to the Internet's older IPv4 network system. The transition is significant given that Cisco has been selling IPv6-enabled routers, switches and related network equipment to ISPs, carriers and enterprise customers for many years.
But on August 23, Cisco began testing the IPv6 protocol on an alternative Web site (ipv6.cisco.com) instead of its main site, www.cisco.com.
The networking giant is maintaining a dual IPv6 and IPv4 approach for its external Web presence so that all of its customers can access the Web site reliably and without any issues.
"Of course, we could start with a translating proxy server to give an IPv6 presence with an IPv4 back end, but since the end goal is native IPv6 anyway, we have decided to take this time to get our applications steadily moved to IPv6 natively rather than translating," explains Mark Townsley, network engineer at Cisco.
Source: Symantec Cloud.