As World IPv6 Day approaches, it’s time to move off of IP Blacklists

Written by Ed Fisher on March 17, 2011

On Wednesday, 2011-06-18, some of the largest names in Internet technology, as well as many individuals with an IPv6 connection, will be participating in the first global ‘test flight’ of IPv6, World IPv6 Day. The goal of this organized test of IPv6 is to motivate companies, Internet Service Providers, and all other Internet users to start preparing for the transition to IPv6.

As email administrators, the transition to IPv6 holds some implications for our systems. Over at our sister blog, TheEmailAdmin, I went over some of the implications for Exchange 2010 when moving to IPv6. As mentioned there, IP Blacklisting is not supported in Exchange 2010 when using IPv6, and even if it were, it probably would not be very effective.

IPv6 increases the total size of an ip.addr from 32 bits to 128 bits. As each bit doubles the number of possible addresses, the total number of available addresses in the new scheme is 3.4 × 10^38. There are so many more IP addresses in IPv6 that blocking spammers based on their source ip.addr might prove to be unmanageable. Blacklists that block network ranges have already proven to be ineffective, with far more legitimate users impacted than spammers blocked. It should be obvious that systems which depend on IP blacklists are going to have to find an alternative.

With World IPv6 day presenting an opportunity to test the new addressing scheme, you should plan to test alternates to IP blacklists on that day. Here are a few alternatives to investigate, which can be added now to your IPv4 based systems, and should work just as well in IPv6.

Sender Policy Framework (SPF)

If you have read more than one of my posts, then you know I am a huge advocate of SPF records. The only thing IPv6 means for SPF records is that you won’t want to specify ip.addrs. You will still mention your MX records, domain names, etc. You can read more about SPF records here.
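To make the SPF point concrete, here is a small SPF evaluator added for this post (it is not code from the original article or from any SPF library). It uses a constructed DNS table in place of real lookups, with assumed hostnames under example.com and documentation addresses (192.0.2.0/24, 2001:db8::/32), and shows that a record built from mx and a mechanisms passes an IPv6 sender as soon as AAAA records exist, while an ip4-only record rejects every IPv6 sender.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: no network access).
# Each host maps to its A/AAAA addresses; the MX list names the domain's mail hosts.
DNS = {
    "example.com": {"TXT": "v=spf1 mx a:mail.example.com -all",
                    "MX": ["mx1.example.com"]},
    "mx1.example.com": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "mail.example.com": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
    "legacy.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
}

def host_addrs(host):
    """All A and AAAA addresses published for host (empty list if unknown)."""
    rec = DNS.get(host, {})
    return [ipaddress.ip_address(a) for a in rec.get("A", []) + rec.get("AAAA", [])]

def check_spf(domain, sender_ip):
    """Evaluate domain's SPF record for sender_ip; returns pass/fail/softfail/neutral/none.
    Supports only the mechanisms discussed above (mx, a, ip4, ip6, all); no include/redirect."""
    ip = ipaddress.ip_address(sender_ip)
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net   # v4 never matches v6 and vice versa
        elif mech == "a":
            matched = ip in host_addrs(arg or domain)            # A and AAAA both count
        elif mech == "mx":
            hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(ip in host_addrs(h) for h in hosts)
        else:
            return "permerror"   # unsupported mechanism in this toy evaluator
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"   # RFC 7208: nothing matched and no 'all' term

if __name__ == "__main__":
    for dom, ip in [("example.com", "2001:db8::10"), ("legacy.example", "2001:db8::10")]:
        print(dom, ip, check_spf(dom, ip))
```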

DomainKeys Identified Mail (DKIM)

DKIM uses RSA keys, published in DNS, to digitally sign email. A receiving system can look up the public key in DNS to determine whether a message really comes from its purported domain. There’s a great write-up on DKIM here.

Bayesian Filtering

Bayesian filters work on the content of an email, and have no interaction with the source ip.addr of the message at all. The change from IPv4 to IPv6 will be invisible to systems using Bayesian filters. Click here for an overview of them.

IP Reputation

While Exchange 2010 doesn’t currently support this with IPv6, there is no reason to believe that this won’t be addressed in an upcoming service pack or patch, and of course Exchange is not the only game in town. Calculating the reputation of a source address is different from simply blocking email coming from an address on a blacklist, as it takes into account the network, the service provider, and previous messages. There is some great information on IP Reputation in this post.

With IPv6 coming (it’s no longer an IF, it is definitely down to a WHEN), if you are currently dependent upon IP Blacklists, start looking at your alternatives now.

Comments

Francis Turner March 18, 2011

Yes the current Vixie RBL blacklist is dead with IPv6.

But in my (biased) opinion the correct answer is to look at IP reputation instead (not that I’m against SPF and/or DKIM for spam). If you use the right IP Reputation service, one that can distribute network reputation as well as address reputation, then IP reputation can replace an RBL quite effectively. And it can be run on the firewall rather than the mail server thereby reducing the load on the latter.

I blogged about this recently – http://blog.threatstop.com/2011/03/08/ipv6-and-ip-reputation/

Ed Fisher March 22, 2011

Nice blog Francis, thanks for the link. As I mentioned a few weeks back, in Exchange 2010 the Protocol Analysis agent doesn’t compute the sender reputation level (SRL) for messages that originate from IPv6 senders, but I’m hoping to see a patch fix that BEFORE SP2. Going with a third party add-on may be the faster path though.
