As World IPv6 Day approaches, it’s time to move off of IP Blacklists
Written by Ed Fisher on March 17, 2011
On Wednesday, 2011-06-18, some of the largest names in Internet technology, as well as many individuals with an IPv6 connection, will be participating in the first global ‘test flight’ of IPv6, World IPv6 Day. The goal of this organized test of IPv6 is to motivate companies, Internet Service Providers, and all other Internet users to start preparing for the transition to IPv6.
As email administrators, the transition to IPv6 holds some implications for our systems. Over at our sister blog, TheEmailAdmin, I went over some of the implications for Exchange 2010 when moving to IPv6. As mentioned there, IP Blacklisting is not supported in Exchange 2010 when using IPv6, and even if it were, it probably would not be very effective.
IPv6 increases the total size of an IP address from 32 bits to 128 bits. As each bit doubles the number of possible addresses, the total number of available addresses in the new scheme is 3.4 × 10^38. There are so many more IP addresses in IPv6 that blocking spammers based on their source IP address might prove to be unmanageable. Blacklists that block network ranges have already proven to be ineffective, with far more legitimate users impacted than spammers blocked. It should be obvious that systems which depend on IP blacklists are going to have to find an alternative.
With World IPv6 Day presenting an opportunity to test the new addressing scheme, you should plan to test alternatives to IP blacklists on that day. Here are a few alternatives to investigate, which can be added now to your IPv4-based systems, and should work just as well in IPv6.
Sender Policy Framework (SPF)
If you have read more than one of my posts, then you know I am a huge advocate of SPF records. The only thing IPv6 means for SPF records is that you won’t want to specify IP addresses. You will still mention your MX records, domain names, etc. You can read more about SPF records here.
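As an added illustration (not code from the original post or from any mail product), here is a simplified SPF check in Python showing that a record built from `mx` and `a` mechanisms authorizes a sender's IPv6 address without ever listing it. The DNS table, domains and addresses are constructed; `include`, `redirect`, macros and CIDR suffixes on `a`/`mx` are not handled.

```python
import ipaddress

# Constructed stand-in for DNS (documentation prefixes only); a real checker
# would query TXT, MX, A and AAAA records instead of reading this table.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx a:bulk.example.com -all"],
    ("example.net", "TXT"): ["v=spf1 ip6:2001:db8:abcd::/48 ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("mail.example.com", "AAAA"): ["2001:db8:25::1"],
    ("bulk.example.com", "AAAA"): ["2001:db8:99::7"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_addrs(name):
    """All A and AAAA addresses of a host name, as ipaddress objects."""
    found = ZONE.get((name, "A"), []) + ZONE.get((name, "AAAA"), [])
    return [ipaddress.ip_address(a) for a in found]

def mechanism_matches(mech, arg, domain, ip):
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)
        return ip.version == net.version and ip in net
    if mech == "a":  # name -> A/AAAA, so the same record covers both families
        return ip in host_addrs(arg or domain)
    if mech == "mx":
        return any(ip in host_addrs(mx) for mx in ZONE.get((arg or domain, "MX"), []))
    return False  # include, exists, ptr and modifiers are outside this sketch

def check_spf(sender_ip, domain):
    """Return pass/fail/softfail/neutral, or 'none' when no SPF record exists."""
    ip = ipaddress.ip_address(sender_ip)
    for record in ZONE.get((domain, "TXT"), []):
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue
        for term in terms[1:]:
            qualifier = term[0] if term[0] in RESULTS else "+"
            mech, _, arg = term.lstrip("+-~?").partition(":")
            if mechanism_matches(mech.lower(), arg, domain, ip):
                return RESULTS[qualifier]
        return "neutral"  # record ended with no matching mechanism
    return "none"
```
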
DomainKeys Identified Mail (DKIM)
DKIM uses RSA key pairs, with the public keys published in DNS, to digitally sign email. A receiving system can look up the public keys in DNS to determine whether a mail is from its purported domain or not. There’s a great write-up on DKIM here.
Bayesian Filters
Bayesian filters work on the content of an email, and have no interaction with the source IP address of the message at all. The change from IPv4 to IPv6 will be invisible to systems using Bayesian filters. Click here for an overview of them.
IP Reputation
While Exchange 2010 doesn’t currently support this with IPv6, there is no reason to believe that this won’t be addressed in an upcoming service pack or patch, and of course Exchange is not the only game in town. Calculating the reputation of a source address is different from simply blocking email coming from an address on a blacklist, as it takes into account the network, the service provider, and previous messages. There is some great information on IP Reputation in this post.
With IPv6 coming (it’s no longer an IF, it is definitely down to a WHEN), if you are currently dependent upon IP Blacklists, start looking at your alternatives now.