Nearly every Internet user has a mailbox. The number of emails exchanged daily is staggering. A large majority of these emails are SPAM (more than 70%) and never make it to people's inboxes. If we are not careful, sending emails over IPv6 could kill email if all this SPAM is allowed to reach people's mailboxes. The anti-spam techniques used over IPv4 are not all portable to IPv6, because a database recording IPv6 addresses can quickly become extremely large. It would be easier and more portable if the email identifier were a domain rather than an IP address...
11. SMTP metrics and challenges:
3.3+ Billion Mailboxes in the world
247+ Billion emails per day
70%+ is SPAM
91% of targeted attacks involve spear-phishing emails.
http://www.email-marketing-reports.com/metrics/email-statistics.htm
http://www.email-marketing-reports.com/iland/2009/08/8-email-statistics-to-use-at-parties.html
http://www.zdnet.com/worldwide-spam-rate-falls-2-5-percent-but-new-tactics-emerge-7000025517/
Trend Micro Report: “Spear-Phishing Email: Most Favored APT Attack Bait”, 2012
13. No Rush!
Not hard to get one IPv4 for a mail server
Email servers need to have IPv4 to send
emails between each other
If SPAM is not handled people's mailboxes will
be unusable
15. Mandate requirements
before anything goes
If you start to send email over IPv6 and the emails are not delivered
then the problem is on the sending side
If you start to receive emails over IPv6 and the emails are not delivered
then the problem is on the receiving side
VS
17. Fight SPAM with low cost
solution:
DNSBL
DNS based Blacklist
18. DNSBL
DNS based Blacklist
IP: spamhaus, spamcop, sorbs…
Blocks about 66% of spam at connection time
Domain: spamhaus, surbl, uribl…
Used mainly for links in emails, but should not be
http://www.dnsbl.com/2007/03/how-well-do-various-blacklists-work.html
19. RBLDNSD
Supports IPv6 at /64 since
June 2013
http://www.corpit.ru/pipermail/rbldnsd/2013q2/001169.html
20. Fewer domains than IPv6
/64 networks
Domain allocation is more
granular and portable than
IP space allocation
/64 block likely to cause
collateral damage
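Added example (not part of the original slides): how a DNSBL that keys IPv6 listings on the /64 treats a second sender in the same /64, which is the collateral-damage point above. The zone `dnsbl.example`, the `Blacklist` helper and the sample addresses are constructed; the query-name layout follows RFC 5782.

```python
import ipaddress

ZONE = "dnsbl.example"  # constructed zone name, not a real blacklist


def dnsbl_qname(ip, zone=ZONE):
    """DNS name a receiver queries for one sender address (RFC 5782 layout)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]          # reversed octets
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # reversed nibbles
    return ".".join(labels) + "." + zone


def listing_key(ip):
    """Granularity assumed here: one host for IPv4, the covering /64 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 32 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class Blacklist:
    """In-memory stand-in for the list's database (hypothetical helper)."""

    def __init__(self):
        self.entries = set()

    def add(self, ip):
        self.entries.add(listing_key(ip))

    def is_listed(self, ip):
        return listing_key(ip) in self.entries


def demo():
    # Constructed addresses taken from the documentation ranges.
    bl = Blacklist()
    bl.add("2001:db8:0:1::bad")   # reported spam source
    bl.add("192.0.2.10")
    return {
        "v6 neighbour in same /64": bl.is_listed("2001:db8:0:1::25"),
        "v6 host in next /64": bl.is_listed("2001:db8:0:2::25"),
        "v4 neighbour": bl.is_listed("192.0.2.11"),
        "entries": sorted(bl.entries),
    }


if __name__ == "__main__":
    print(dnsbl_qname("2001:db8:0:1::bad"))
    for k, v in demo().items():
        print(k, "->", v)
```

One IPv6 listing covers every host in the /64, while the IPv4 listing leaves the adjacent address untouched.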
24. SPF: Is this IP allowed to
send email for this domain?
DKIM: Is this email linked to
this domain?
25. What if we could mandate
SPF or DKIM over IPv6?
26. Additional guidelines for IPv6
The sending IP must have a PTR record (i.e., a reverse DNS of the
sending IP) and it should match the IP obtained via the forward DNS
resolution of the hostname specified in the PTR record. Otherwise, mail
will be marked as spam or possibly rejected.
The sending domain should pass either SPF check or DKIM check.
Otherwise, mail might be marked as spam.
https://support.google.com/mail/answer/81126
Google bulk sender
guidelines
27. What if we could mandate
SPF or DKIM over IPv6?
28. Can we get IPv6 emails to
fallback to IPv4 instead of
marking them as SPAM by
default?
29. Can we get IPv6 emails to
fallback to IPv4?
30. RFC5321: pick MX in order of preference
RFC6724: Pick AAAA before A
Problems:
- Cannot see the A on a dual stack host
- Complains if host is IPv6 only
- IPv6 and IPv4 are different stacks, which one is really better for me?
Need better guidance…
First: host selection
SMTP target host selection in Mixed IPv4/IPv6 environments
http://datatracker.ietf.org/doc/draft-martin-smtp-target-host-selection-ipv4-IPv6/
32. - Does not necessarily mark the email as spam
- Does not deliver it in the junk folder by default
If SPF or DKIM pass, then we have a domain. We don’t need
to base our decisions on the IP address.
If SPF and DKIM do not pass, then we go back to the usual
IPv4 based blocking or reputation measures.
Why Fallback?
33. A DMARC policy allows a sender to indicate that their
emails are protected by SPF and/or DKIM, and tells a
receiver what to do if neither of those authentication
methods passes - such as junk or reject the message.
DMARC removes guesswork from the receiver's handling of
these failed messages, limiting or eliminating the user's
exposure to potentially fraudulent & harmful messages.
DMARC also provides a way for the email receiver to report
back to the sender about messages that pass and/or fail
DMARC evaluation.
Get Feedback with DMARC!
34. SMTP target host selection in Mixed IPv4/IPv6 environments
http://datatracker.ietf.org/doc/draft-martin-smtp-target-host-selection-ipv4-IPv6/
SMTP IPv6 to IPv4 Fallback: An Applicability Statement
http://datatracker.ietf.org/doc/draft-martin-smtp-ipv6-to-ipv4-fallback/
Domain-based Message Authentication, Reporting and
Conformance (DMARC)
https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/
References: