We are more ready for IPv6 email than we may think

Posted by   Martijn Grooten on   Jun 21, 2018

In email security circles, IPv6 is the elephant in the room.

While the transition from IPv4 to IPv6 is a relatively smooth affair for most of the Internet, and few people will have noticed that a large part of Internet traffic is currently using IPv6, email is still lagging behind: RIPE, Europe's Regional Internet Registry, estimates that in 2017 only around one in nine emails was sent over IPv6.

Emails received over IPv4 and IPv6

Source: RIPE Labs

There are two reasons for this. The first is that, while the roughly three billion usable IPv4 addresses aren't sufficient for the current Internet, they provide more than enough IP addresses to serve the mail servers the Internet needs. There thus isn't a strong incentive to move to IPv6.

The second reason is that there actually is an incentive not to move to IPv6: spam. In particular, the fact that IP-based blacklists play an essential role in just about every anti-spam solution, often as a means to weed out the bulk of botnet spam before the content of the emails are analysed.

Though it is technically possible to run IPv6-based blacklists, and some such lists do exist, the practically infinite address space makes these lists far more difficult to run, while spammers could easily choose new address ranges for every new campaign – something which on IPv4 is simply not possible.

So should we just stop using IPv6 for sending email?

While indeed the need to move to IPv6 isn't very urgent for email, we can actually use this as an opportunity. Google, for instance, requires those sending emails to have a valid PTR record for the sending IP address, and for the email to pass at least one of SPF and/or DKIM.

These are reasonable requirements, and ones that legitimate email can be expected to fulfil, even if, for reasons of backwards compatibility, not all of them do. Spammers typically can't fulfil these requirements without more or less identifying themselves, thus making it easier for their emails to be blocked.

This doesn't mean that by moving to IPv6 we can solve spam (which is a feature of, and not a bug in, the way email works), but I don't think the often expressed fears about being unable to handle it are justified.

In an IPv6-only email world, things will certainly be different. Filtering will rely less on IP-based blocklists, but DNS-based lists of IP addresses and especially domains may actually start playing an even more fundamental role, even if this role may become less about the instant blocking of emails, and more about helping to build a holistic picture of whether an email is legitimate or not.

In particular, this makes such lists more useful in blocking targeted email attacks, whose small scale often allows them to fly below the radar of blacklists, but where properties of the domain (such as its registration date, or its past email history) can actually help spot them. We are certainly seeing a trend towards more of these kinds of email attacks.

So far, not a lot of spam is being sent via IPv6 – a little more than one in 30 spam emails according to RIPE – and anecdotal evidence suggests that most of this is incidental: spam sent from bots that just happen to run on IPv6-connected devices and using software that is agnostic to the IP version.

  RIPE-spam-received.png

Source: RIPE Labs

I don't expect this number to grow any time soon. But if it did, we'd be more ready for it than we may realise.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

Paper: Alternative communication channel over NTP

In a new paper published today, independent researcher Nikolaos Tsapakis writes about the possibilities of malware using NTP as a covert communication channel and how to stop this.

VB2019 conference programme announced

VB is excited to reveal the details of an interesting and diverse programme for VB2019, the 29th Virus Bulletin International Conference, which takes place 2-4 October in London, UK.

VB2018 paper: Under the hood - the automotive challenge

Car hacking has become a hot subject in recent years, and at VB2018 in Montreal, Argus Cyber Security's Inbar Raz presented a paper that provides an introduction to the subject, looking at the complex problem, examples of car hacks, and the…

VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation

Static analysis and dynamic analysis each have their shortcomings as methods for analysing potentially malicious files. Today, we publish a VB2018 paper by Check Point researchers Yoni Moses and Yaniv Mordekhay, in which they describe a method that…

VB2019 call for papers closes this weekend

The call for papers for VB2019 closes on 17 March, and while we've already received many great submissions, we still want more!

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.