Angel Blazquez

Spam over IPv6

Angel Blazquez

5 min read

0 You have liked this article 0 times.
7

With the increased deployment of IPv6, we were curious to see how much the amount of spam sent over IPv6 increases.


 

We looked at the e-mail system of the RIPE NCC and produced some statistics that could be seen as an indication for the overall trend of spam sent over IPv6.

After we evaluated one week’s worth of data, we observed the following [please note that this excludes messages already rejected by blacklisting and greylisting (more on this below)]:
 

userfiles-spam1(1).png

Figure 1: Number of spam emails received in one week

Figure 1 shows that:

  • Out of the total number of emails received, 14% were received over IPv6, the rest over IPv4.
  • Looking only at the number of emails received over IPv4: 31% were classified as spam, the rest were legitimate.
  • Looking only at the number of e-mails received over IPv6, 3.5% were classified as spam, the rest were legitimate.

If we now take into account the total number of spam emails received, we observe the following:
 

userfiles-spam2.png

Figure 2: Total spam e-mails received  (over IPv4 and IPv6)

Figure 2 shows, that out of the total number of spam emails, 1.89% were received over IPv6, the rest were received over IPv4. The data above shows that the percentage of spam in IPv6 is much smaller than the percentage of spam in IPv4 (not surprisingly). We will observe how the relation between IPv4 spam and IPv6 spam evolves over time. In order to achieve this, we produced the graph (Figure 3) that shows in real-time the number of spam emails received over IPv4 compared to those spam e-mails received over IPv6.

 

userfiles-spam3.png

Figure 3: Amount of spam received over IPv4 vs. spam received over IPv6

The graph in Figure 3 is produced by looking at the total number of spam emails received in five minutes for both IPv4 and IPv6.

  • IPv4: An average of nine spam emails were received within five minutes
  • IPv6: An average of nearly zero spam emails were received within five minutes

The graph above shows a period of three weeks, although we will be examining longer periods of time in the future. It will be interesting to see the evolution of spam over both IPv4 and IPv6 over a longer period of time (months and years).

It might also be interesting to note that we did not observe any spam sent over 6to4 or Teredo.

 
Methodology 

Our measurements of spam sent over IPv4 appear to be much lower compared to other sites. This is because our measurement methodology does not include spam that:

  • Is on DNS Blacklists

The RIPE NCC mail system rejects spam sent from hosts listed on the DNS blacklists (no further SMTP is carried out), including multiple spamming attempts.

  • Is sent to non-existent email addresses

Our mail system refuses connections trying to deliver spam to non-existent email addresses within the ripe.net domain. Since we wouldn’t have received the email anyways, we don’t take these spam emails into account in our measurements. 

  • Is Greylisted

We use a method of greylisting for a subset of our email addresses (see: http://en.wikipedia.org/wiki/Greylisting for a description of this method). Using greylisting also filters out a significant portion of spam.

Additionally, our statistics only take our primary MX system into account (and not email sent from the secondary MX system to the primary).

We are not the only ones looking into this.  After a discussion on the IPv6-ops mailing list , Tim Chown of the University of Southampton did some measurements on his campus network and presented the results at UKNOF in May 2008 (see " IPv6 Experience at a campus site "). However, we are not aware of any recent statistics on spam and IPv6.

 
Future Developments 

We will continue to collect these statistics to track the increase in spam sent over IPv6, and potentially whether this means that the amount of spam sent over IPv4 decreases. DNS blacklists (DNSBLs) are one of the counter-measures used extensively to block spam sent over IPv4, though not without controversy [see (1) and (2) ].

The effectiveness of DNSBLs to block spam sent over IPv6 is even more controversial because the probability of false positives is higher [see a recent discussion about this here ]. 

At the moment, the only DNSBL for IPv6 we are aware of is http://virbl.bit.nl . The idea for this interesting initiative was born during RIPE 48 (Note that it was actually created to list viruses, not spam).

We expect to see the amount of spam sent over IPv6 to grow over the next few years. The use of reputation systems in general, and DNSBLs in particular, are not widely used yet in IPv6, because of the concerns mentioned above. Also, with the number of addresses available in IPv6 (also for spammers), the use of DNSBLs is not seen as effective enough.

This means that we might have to adjust the reputation based mechanisms such as DNSBLs to the particular characteristics of IPv6. Depending on how this adaption evolves and how effective it proves to be, we might have to rely more on email content scanning and less on reputation-based mechanisms to counter the expected increase of spam in IPv6.

At the moment these are open questions. We will follow the developments and will keep you informed about this topic on RIPE Labs.

0 You have liked this article 0 times.
7

You may also like

View more

About the author

Comments 7