Carrier Trick To Save IPv4 Could Help Spammers 124
Julie188 writes "As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple-layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify 'undesirable' hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt."
Re:Really? (Score:4, Informative)
More to the point, SMTP hosts will be pretty much forced to do something more productive than blocking via IP, which amounts to group punishment. (Something apparently only tolerated on the internet).
Its sad that the most broken of protocols has this much sway over the net. SMTP needs a ground up re-write, and it will need it just as much (if not more) after IPV6 is deployed.
Doesn't follow (Score:4, Informative)
As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt.
That doesn't follow. The folks in dynamic space (the same space that will be served by LSNs) are already considered spammers when they connect to a non-local SMTP server. The only reason they're scored instead of outright blocked is that there's no rigorous list of what is and isn't a dynamic space. It makes no difference to the server whether it filters a range of IPs or a single IP.
Identifying the individual spammer from an abuse report is slightly more difficult, but only slightly. And if you're behaving like a good net citizen, you probably blocked outbound 25 at the LSN box to begin with so you're not getting any reports because your virus-laden customers aren't able to successfully spam.
Re:Trivial if you want to go the extra mile (Score:5, Informative)
How much spam actually is originating through gmail?
Sorry, I can't give you data. Suffice it to say it's a problem.
How does one prevent a spammer from spoofing these headers?
The headers aren't spoofed. When you use Hotmail or Yahoo, your IP is added to a tracking header by the webmail server so that IP reputation systems can pass along the blame as if it were a Received: header (there's more to it than that, but this should give you the principle). Since GMail doesn't do that, there's nothing to be done; the tracking can't go beyond Google's servers.
If a spammer spoofs headers so as to pretend to pass blame on, the trust [apache.org] doesn't extend far enough; the relay used by the spammer to add those fake headers isn't trusted and so the buck stops there. When dealing with real webmail providers, the trust can be extended to the established webmail relays and then followed into the IP tracking header.
We have meandered a bit off topic here ... my point is that this is possible for the nearly identical problem of webmail, so somebody merely needs to figure out how to do it for the IPv6->IPv4 routing process. The simplest solution is the one I outlined above; require a mail relay that speaks both protocols so it can properly record the conversion with a Received header. Modern IP reputation systems (and the clients that poll them) are fully IPv6-ready and will process this perfectly.
+1 funny (Score:4, Informative)
The last time I contacted my ISP about this they told me (again) that they have no plans to implement IPv6.
This was just a few months ago.