We are more ready for IPv6 email than we may think

Posted by   Martijn Grooten on   Jun 21, 2018

In email security circles, IPv6 is the elephant in the room.

While the transition from IPv4 to IPv6 is a relatively smooth affair for most of the Internet, and few people will have noticed that a large part of Internet traffic is currently using IPv6, email is still lagging behind: RIPE, Europe's Regional Internet Registry, estimates that in 2017 only around one in nine emails was sent over IPv6.

Emails received over IPv4 and IPv6

Source: RIPE Labs

There are two reasons for this. The first is that, while the roughly three billion usable IPv4 addresses aren't sufficient for the current Internet, they provide more than enough IP addresses to serve the mail servers the Internet needs. There thus isn't a strong incentive to move to IPv6.

The second reason is that there actually is an incentive not to move to IPv6: spam. In particular, the fact that IP-based blacklists play an essential role in just about every anti-spam solution, often as a means to weed out the bulk of botnet spam before the content of the emails are analysed.

Though it is technically possible to run IPv6-based blacklists, and some such lists do exist, the practically infinite address space makes these lists far more difficult to run, while spammers could easily choose new address ranges for every new campaign – something which on IPv4 is simply not possible.

So should we just stop using IPv6 for sending email?

While indeed the need to move to IPv6 isn't very urgent for email, we can actually use this as an opportunity. Google, for instance, requires those sending emails to have a valid PTR record for the sending IP address, and for the email to pass at least one of SPF and/or DKIM.

These are reasonable requirements, and ones that legitimate email can be expected to fulfil, even if, for reasons of backwards compatibility, not all of them do. Spammers typically can't fulfil these requirements without more or less identifying themselves, thus making it easier for their emails to be blocked.

This doesn't mean that by moving to IPv6 we can solve spam (which is a feature of, and not a bug in, the way email works), but I don't think the often expressed fears about being unable to handle it are justified.

In an IPv6-only email world, things will certainly be different. Filtering will rely less on IP-based blocklists, but DNS-based lists of IP addresses and especially domains may actually start playing an even more fundamental role, even if this role may become less about the instant blocking of emails, and more about helping to build a holistic picture of whether an email is legitimate or not.

In particular, this makes such lists more useful in blocking targeted email attacks, whose small scale often allows them to fly below the radar of blacklists, but where properties of the domain (such as its registration date, or its past email history) can actually help spot them. We are certainly seeing a trend towards more of these kinds of email attacks.

So far, not a lot of spam is being sent via IPv6 – a little more than one in 30 spam emails according to RIPE – and anecdotal evidence suggests that most of this is incidental: spam sent from bots that just happen to run on IPv6-connected devices and using software that is agnostic to the IP version.

  RIPE-spam-received.png

Source: RIPE Labs

I don't expect this number to grow any time soon. But if it did, we'd be more ready for it than we may realise.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper: Analysing compiled binaries using logic

Constraint programming is a lesser-known technique that is becoming increasingly popular among malware analysts. In a paper presented at VB2018 Thaís Moreira Hamasaki presented an overview of the technique and explained how it can be applied to the…

Virus Bulletin encourages experienced speakers and newcomers alike to submit proposals for VB2019

With a little less than a month before the deadline of the call for papers for VB2019, Virus Bulletin encourages submissions from experienced speakers and newcomers alike.

VB2018 paper: Internet balkanization: why are we raising borders online?

At VB2018 in Montreal, Ixia researcher Stefan Tanase presented a thought-provoking paper on the current state of the Internet and the worrying tendency towards raising borders and restricting the flow of information. Today we publish both his paper…

The malspam security products miss: banking and email phishing, Emotet and Bushaloader

The set-up of the VBSpam test lab gives us a unique insight into the kinds of emails that are more likely to bypass email filters. This week we look at the malspam that was missed: banking and email phishing, Emotet and Bushaloader.

VB2018 paper: Where have all the good hires gone?

The cybersecurity skills gap has been described as one of the biggest challenges facing IT leaders today. At VB2018 in Montreal, ESET's Lysa Myers outlined some of the things the industry can do to help address the problem. Today we publish Lysa's…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.