We are more ready for IPv6 email than we may think

Posted by   Martijn Grooten on   Jun 21, 2018

In email security circles, IPv6 is the elephant in the room.

While the transition from IPv4 to IPv6 is a relatively smooth affair for most of the Internet, and few people will have noticed that a large part of Internet traffic is currently using IPv6, email is still lagging behind: RIPE, Europe's Regional Internet Registry, estimates that in 2017 only around one in nine emails was sent over IPv6.

Emails received over IPv4 and IPv6

Source: RIPE Labs

There are two reasons for this. The first is that, while the roughly three billion usable IPv4 addresses aren't sufficient for the current Internet, they provide more than enough IP addresses to serve the mail servers the Internet needs. There thus isn't a strong incentive to move to IPv6.

The second reason is that there actually is an incentive not to move to IPv6: spam. In particular, the fact that IP-based blacklists play an essential role in just about every anti-spam solution, often as a means to weed out the bulk of botnet spam before the content of the emails are analysed.

Though it is technically possible to run IPv6-based blacklists, and some such lists do exist, the practically infinite address space makes these lists far more difficult to run, while spammers could easily choose new address ranges for every new campaign – something which on IPv4 is simply not possible.

So should we just stop using IPv6 for sending email?

While indeed the need to move to IPv6 isn't very urgent for email, we can actually use this as an opportunity. Google, for instance, requires those sending emails to have a valid PTR record for the sending IP address, and for the email to pass at least one of SPF and/or DKIM.

These are reasonable requirements, and ones that legitimate email can be expected to fulfil, even if, for reasons of backwards compatibility, not all of them do. Spammers typically can't fulfil these requirements without more or less identifying themselves, thus making it easier for their emails to be blocked.

This doesn't mean that by moving to IPv6 we can solve spam (which is a feature of, and not a bug in, the way email works), but I don't think the often expressed fears about being unable to handle it are justified.

In an IPv6-only email world, things will certainly be different. Filtering will rely less on IP-based blocklists, but DNS-based lists of IP addresses and especially domains may actually start playing an even more fundamental role, even if this role may become less about the instant blocking of emails, and more about helping to build a holistic picture of whether an email is legitimate or not.

In particular, this makes such lists more useful in blocking targeted email attacks, whose small scale often allows them to fly below the radar of blacklists, but where properties of the domain (such as its registration date, or its past email history) can actually help spot them. We are certainly seeing a trend towards more of these kinds of email attacks.

So far, not a lot of spam is being sent via IPv6 – a little more than one in 30 spam emails according to RIPE – and anecdotal evidence suggests that most of this is incidental: spam sent from bots that just happen to run on IPv6-connected devices and using software that is agnostic to the IP version.

  RIPE-spam-received.png

Source: RIPE Labs

I don't expect this number to grow any time soon. But if it did, we'd be more ready for it than we may realise.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 paper: Fantastic Information and Where to Find it: A guidebook to open-source OT reconnaissance

A VB2019 paper by FireEye researcher Daniel Kapellmann Zafra explained how open source intelligence (OSINT) can be used to learn crucial details of the inner workings of many a system. Today we publish Daniel's paper and the recording of his…

VB2019 paper: Different ways to cook a crab: GandCrab Ransomware-as-a-Service (RaaS) analysed in depth

Though active for not much longer than a year, GandCrab had been one of the most successful ransomware operations. In a paper presented at VB2019 in London, McAfee researchers John Fokker and Alexandre Mundo looked at the malware code, its evolution…

VB2019 paper: Domestic Kitten: an Iranian surveillance program

At VB2019 in London, Check Point researchers Aseel Kayal and Lotem Finkelstein presented a paper detailing an Iranian operation they named 'Domestic Kitten' that used Android apps for targeted surveillance. Today we publish their paper and the video…

VB2019 video: Discretion in APT: recent APT attack on crypto exchange employees

At VB2019 in London, LINE's HeungSoo Kang explained how cryptocurrency exchanges had been attacked using Firefox zero-days. Today, we publish the video of his presentation.

VB2019 paper: DNS on fire

In a paper presented at VB2019, Cisco Talos researchers Warren Mercer and Paul Rascagneres looked at two recent attacks against DNS infrastructure: DNSpionage and Sea Turtle. Today we publish their paper and the recording of their presentation.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.