
Carrier Trick To Save IPv4 Could Help Spammers 124

Posted by Soulskill
from the routed-into-a-corner dept.
Julie188 writes "As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify 'undesirable' hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt."
  • Because when one of our university email accounts gets hacked and starts spamming, other providers block our SMTP server, effectively knocking out communications between us and that ISP. NATing wouldn't change that, unless spammers use their own SMTP server behind a NAT router.

    Bring on DNSSEC and DKIM.

    • by AvitarX (172628)

      They wouldn't need to hack the server anymore.

      • Re:Really? (Score:4, Informative)

        by icebike (68054) on Friday December 17, 2010 @08:08PM (#34595084)

        More to the point, SMTP hosts will be pretty much forced to do something more productive than blocking via IP, which amounts to group punishment. (Something apparently only tolerated on the internet).

        It's sad that the most broken of protocols has this much sway over the net. SMTP needs a ground up re-write, and it will need it just as much (if not more) after IPV6 is deployed.

        • by dimeglio (456244)

          All that's required is a more creative solution to prevent spamming. Only one of many systems may become problematic with ipv6. That's all. I'm looking forward to having my fridge order groceries automatically when we're about to run out.

        • Re:Really? (Score:4, Insightful)

          by afidel (530433) on Friday December 17, 2010 @10:17PM (#34596190)
          Actually, we will just ban or greatly increase the spam score of anything coming from these NAT pools just like we do today with dialup and consumer broadband IP pools today. People with real servers will continue to have dedicated IP addresses that aren't behind these NAT pools and so we will judge them individually based on reputation (or lack thereof).
        • by grahammm (9083) *

          It is interesting that even now we are still using Simple Mail Transfer Protocol. With spam, phishing etc, maybe it is time to replace SMTP by either a plain Mail Transfer Protocol or even a Complex Mail Transfer Protocol.

        • by mibus (26291)

          More to the point, SMTP hosts will be pretty much forced to do something more productive than blocking via IP, which amounts to group punishment. (Something apparently only tolerated on the internet).

          Not really. By the time you're talking about LSN/CGN, you're talking about customers that send mail via their ISP's mailserver, not directly. Business customers wanting to send mail direct to the Internet without worrying about NAT making "their" IP look worse, will undoubtedly be able to buy a non-NATted IP.

          (D

          • That solves it for email, but think of the trolling concerns. Forums, wikis and IRC channels would no longer be able to ban individuals by IP address, only massive blocks of translated addresses. Just imagine Wikipedia getting persistently trolled by one person vandalising pages, and having no way to stop it short of banning every Comcast customer in a major city.
            • by mibus (26291)

              But that already happens in numerous situations - governments run large NAT gateways / proxies, some 3G carriers use 10.0.0.0/8 and NAT/proxy, etc.

              It's a perfectly valid issue *today*, not just in the future. Sure, it'll get worse, but at least there's now a solution in sight (ie., move to IPv6 to get better service).

        • by flonker (526111)

          What would you change about SMTP that would have an effect on spam? (And why can it not be done as an extension for SMTP?)

        • SMTP needs a ground up re-write, and it will need it just as much (if not more) after IPV6 is deployed.

          SMTP isn't the problem and is not in need of a ground up rewrite. The problem is social, between spammers and suckers, their victims. As has been shown via NNTP, instant messaging, and Facebook spam et al, there is no technology immune to spam. Spam will be with us as long as suckers exist, and there are people willing to exploit those suckers. Yes, basically for eternity.

          There will start to be IPv6 dnsbls and mail OPs will start keeping IPv6 local block lists. It's the same old game with a new numberi

    • by JSG (82708)

      Are you seriously telling me (us) that your Uni doesn't check outgoing as well as incoming mail? At the very least, pass it through ClamAV.

      I hope your IT staff don't teach "mail relaying 101"

      You *do* check incoming mail, don't you?

      Cheers
      Jon

    • I like how efnet bans all ip ranges for virgin mobile broadband because someone was spamming email (not even affecting efnet!) from one of them. Maybe this will change that :)

  • I'm sure if we wait just a little while some spammer will send us the 'magic bullet' for this problem via their preferred delivery method.
  • IP filtering has always been useless from a security standpoint. Same goes for MAC address filtering.

    Anyone anywhere can change both easily. Blocking addresses is only a matter of convenience.

    This "news" just means that tons of "security" software and filtering hardware (Barracuda, anyone?), is being exposed as the useless, inflexible crap that they are, and the companies behind them are trying to point fingers at large network operators while simultaneously touting their next version, which will have IPv

    • by butlerm (3112)

      IP filtering has always been useless from a security standpoint. Same goes for MAC address filtering. Anyone anywhere can change both easily

      Unless you have unfiltered BGP access to a major backbone, you have no hope of conducting a real conversation over the Internet using someone else's IP address, because the return packets will be routed back to them, not to you.

  • inb4 NAT (Score:2, Funny)

    by Anonymous Coward
    Keep all your bullshit about NAT saving the world in this thread where it can be ignored by people who actually know what they are talking about please.
    • I still think the best way to handle this would have been by high bit extension in each octet field.

      Yeah, I know, the theoretical non-constant numeric address length would have been a serious pain to predict the hardware for back in the '80s, when (ergo, I wish) they might have had the foresight to reserve the high bits at each level for possible other uses.

      But it would have been nice if an ISP could have, by definition, its own extendable address space to allocate out of, and any customer could further ext

  • by windcask (1795642) on Friday December 17, 2010 @07:38PM (#34594686) Homepage Journal

    Welcome back, Gopher.

    • Re: (Score:3, Insightful)

      by windcask (1795642)

      First rule of Slashdot...never be in such a hurry to make a joke as to expose your own ignorance about a topic. IGNORE.

  • end user customer networks (the ones most likely to go this route) are already on various "mail shouldn't be coming from here" blacklists, and those customers also should be already using the isp's mail servers for outgoing mail. it's a small incremental step, nothing more. Those running servers will necessarily get unique addresses and not be affected by reputable blacklists that are correctable.

    • by tepples (727027)

      end user customer networks (the ones most likely to go this route) are already on various "mail shouldn't be coming from here" blacklists, and those customers also should be already using the isp's mail servers for outgoing mail.

      I assume you're talking about end users connecting on port 25 (MTA-to-MTA communication), not port 587 (MSA-to-MTA). Otherwise, what should people do when the monopoly broadband ISP has unreliable mail servers, or when they're using mail on a laptop temporarily connected to an ISP other than their own?

      • by vanyel (28049) *

        authenticated mail (which can be done on port 25, it doesn't have to be 587, but should be these days because of port 25 filtering) is not normally subjected to blacklist filtering, and is thus not affected.

        The vast majority of people don't run their own mail servers though, so their mail clients are configured to use their isp's mail server. Again, not affected.

        If your isp has unreliable mail service, then find another one --- there is no shortage of options there. For practical purposes, in that case, y

        • authenticated mail (which can be done on port 25, it doesn't have to be 587, but should be these days because of port 25 filtering) is not normally subjected to blacklist filtering

          Authenticated mail on port 25 is subject to port 25 blocks by those ISPs that don't deep-packet-inspect to distinguish unauthenticated SMTP from authenticated SMTP (RFC 2554) or encrypted SMTP (RFC 2487). But I guess ISPs are far less likely to block 465 or 587.

          If your isp has unreliable mail service, then find another one --- there is no shortage of options there.

          Find another what? Did you mean find another mail service, aka a "smarthost"? That's difficult if your ISP blocks the ports that smarthosts use. Find another ISP? In a lot of cases, it's either the one broadband ISP in your area or dial-up.

  • by Khopesh (112447) on Friday December 17, 2010 @08:00PM (#34594978) Homepage Journal

    I work for an IP reputation company (and am not representing it in this post).

    This is not a complicated issue. The LSN portals will merely have to add a tracking header to all mail they process (and block anonymous direct mail if they want to escape DNSBLs' wrath). This is already an issue with webmail (e.g. Google doesn't add the tracking header, so it's MUCH harder to trap spam originating through GMail than it is through providers like Hotmail who do provide this extra tracker).

    • by fbartho (840012)

      How much spam actually is originating through gmail?

      How does one prevent a spammer from spoofing these headers?

      • by Khopesh (112447) on Friday December 17, 2010 @09:41PM (#34595938) Homepage Journal

        How much spam actually is originating through gmail?

        Sorry, I can't give you data. Suffice it to say it's a problem.

        How does one prevent a spammer from spoofing these headers?

        The headers aren't spoofed. When you use Hotmail or Yahoo, your IP is added to a tracking header by the webmail server so that IP reputation systems can pass along the blame as if it were a Received: header (there's more to it than that, but this should give you the principle). Since GMail doesn't do that, there's nothing to be done; the tracking can't go beyond Google's servers.

        If a spammer spoofs headers so as to pretend to pass blame on, the trust [apache.org] doesn't extend far enough; the relay used by the spammer to add those fake headers isn't trusted and so the buck stops there. When dealing with real webmail providers, the trust can be extended to the established webmail relays and then followed into the IP tracking header.

        We have meandered a bit off topic here ... my point is that this is possible for the nearly identical problem of webmail, so somebody merely needs to figure out how to do it for the IPv6->IPv4 routing process. The simplest solution is the one I outlined above; require a mail relay that speaks both protocols so it can properly record the conversion with a Received header. Modern IP reputation systems (and the clients that poll them) are fully IPv6-ready and will process this perfectly.
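Added example, not part of the thread and not any poster's or vendor's code: a sketch of the trust-path walk the comment above describes, where blame follows Received headers only through relays the receiver trusts and then into a webmail tracking header. The relay networks, hostnames and messages are constructed, and the tracking header is assumed to be `X-Originating-IP`, which the comment does not name.

```python
import ipaddress
import re
from email import message_from_string

# Constructed policy data (documentation address ranges), not from the thread.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]    # relays whose headers we believe
WEBMAIL_RELAYS = [ipaddress.ip_network("192.0.2.128/25")]  # trusted relays that stamp the client IP
TRACKING_HEADER = "X-Originating-IP"                       # assumed header name

_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def _to_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _peer_ip(received_value):
    """IP of the connecting host, as recorded by the server that wrote this header."""
    for match in _BRACKETED_IP.finditer(received_value):
        ip = _to_ip(match.group(1))
        if ip is not None:
            return ip
    return None


def _in_any(ip, networks):
    return any(ip.version == net.version and ip in net for net in networks)


def blame_ip(raw_message):
    """Return (ip, reason): the address a reputation lookup should be made for."""
    msg = message_from_string(raw_message)
    last_trusted = None
    # Received headers are newest first; the top one was written by our own MX.
    for value in msg.get_all("Received") or []:
        peer = _peer_ip(value)
        if peer is None:
            break  # unparsable hop: stop extending trust
        if not _in_any(peer, TRUSTED_RELAYS):
            # Everything below this hop was supplied by an untrusted sender
            # and may be forged, so the buck stops here.
            return str(peer), "untrusted-hop"
        last_trusted = peer
    if last_trusted is None:
        return None, "no-usable-received"
    # Only a trusted webmail relay is believed about the client behind it.
    if _in_any(last_trusted, WEBMAIL_RELAYS):
        tracked = _to_ip((msg.get(TRACKING_HEADER) or "").strip().strip("[]"))
        if tracked is not None:
            return str(tracked), "tracking-header"
    return str(last_trusted), "trusted-relay"


# Constructed sample messages.
_TAIL = "Subject: constructed sample\n\nbody\n"
WEBMAIL_TRACKED = (
    "Received: from relay.webmail.example ([192.0.2.130]) by mx.rcpt.example;"
    " Fri, 17 Dec 2010 21:41:00 -0800\n"
    "X-Originating-IP: [198.51.100.77]\n" + _TAIL
)
WEBMAIL_UNTRACKED = WEBMAIL_TRACKED.replace("X-Originating-IP: [198.51.100.77]\n", "")
# An untrusted sender prepends nothing; it supplies the lower headers itself.
FORGED = (
    "Received: from bot.example ([203.0.113.9]) by mx.rcpt.example;"
    " Fri, 17 Dec 2010 21:42:00 -0800\n" + WEBMAIL_TRACKED
)
# Dual-stack relay in front of IPv6-only customers records the IPv6 client.
DUAL_STACK = (
    "Received: from gw.isp.example ([192.0.2.10]) by mx.rcpt.example;"
    " Fri, 17 Dec 2010 21:43:00 -0800\n"
    "Received: from cpe.isp.example ([IPv6:2001:db8:beef::42]) by gw.isp.example;"
    " Fri, 17 Dec 2010 21:42:59 -0800\n" + _TAIL
)

if __name__ == "__main__":
    for name in ("WEBMAIL_TRACKED", "WEBMAIL_UNTRACKED", "FORGED", "DUAL_STACK"):
        print(name, blame_ip(globals()[name]))
```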

        • by fbartho (840012)

          So what you're saying is that Google has decided to fully claim reputation-ownership of the mail their users are sending. They're staking their reputation that their users don't generally spam. If it was a big enough problem you would blackhole all of gmail, right now you're upset because due to the large volume that gmail sends, any percentage of spam is a problem.

          I don't mean to attack or defend anyone here, just curious.

          I think the deal is just that anything that comes through gmail needs a more heuristi

          • So what you're saying is that Google has decided to fully claim reputation-ownership of the mail their users are sending. They're staking their reputation that their users don't generally spam.

            Google Groups is a major source of Usenet spam.

            • by fbartho (840012)

              I could have sworn we were talking about "email"

              I totally have experienced the google-groups spam. I'm hoping this is a symptom of an improving spam service and this will eventually go away.

            • by Arlet (29997)

              Google Groups is a major source of Usenet spam.

              And Google has shown no willingness to filter Groups spam. I used to read Usenet through Google Groups, but it's now totally unusable.

      • How much spam actually is originating through gmail?

        From my perspective of a small website, if I drop the ban on *@gmail.com I start getting spam registrations within minutes.

  • Not just spammers (Score:5, Interesting)

    by Todd Knarr (15451) on Friday December 17, 2010 @08:02PM (#34595010) Homepage

    It's not just spammers. A lot of on-line games, for instance, record the IP address used to log in to a game in the account's history. Customer Support then uses that to help determine eg. whether a claim of a hacked account is valid or bogus. Large-scale NAT is going to mess with that by confusing the record: one computer may appear to be using a different IP address for each login, and multiple unrelated computers can appear to have the same IP address. And with a lot of games moving towards RMT, a hacked account can mean the loss of real money for the player. When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

    • by jamesh (87723) on Friday December 17, 2010 @08:24PM (#34595256)

      and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

      </reality>... and he goes to forums where such things are discussed and finds out that other users are using IPv6 and don't have problems like that and asks his ISP why they don't support IPv6. The ISP listens to their customers and makes rolling out IPv6 their #1 priority. IPv6 gets everywhere, world peace is finally achieved, and we enter a golden age of the internet.<reality>

      • +1 funny (Score:4, Informative)

        by reiisi (1211052) on Friday December 17, 2010 @09:48PM (#34595986) Homepage

        The last time I contacted my ISP about this they told me (again) that they have no plans to implement IPv6.

        This was just a few months ago.

        • by Ant P. (974313)

          Mine doesn't even know what IPv6 is. A few months ago they force-upgraded us to ADSL2 and sent everyone a replacement Netgear piece of trash with non-upgradable firmware and no debug mode backdoor.

      • Assuming the game & its servers support IPv6...

        • by DarkOx (621550)

          Easy enough solution to that. Just run a local 4to6 NAT. You can do SNAT from as many v4 192 addresses as you need to translate to the 6 hosts you want to connect to remotely. Then just use the 192 address in your app. It will be an extra step and you might have to set up the NAT on both the client and the server but it should work.

    • by Anonymous Coward

      It's not just spammers. A lot of on-line games, for instance, record the IP address used to log in to a game in the account's history. Customer Support then uses that to help determine eg. whether a claim of a hacked account is valid or bogus. Large-scale NAT is going to mess with that by confusing the record: one computer may appear to be using a different IP address for each login, and multiple unrelated computers can appear to have the same IP address. And with a lot of games moving towards RMT, a hacked account can mean the loss of real money for the player. When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

      I'm not sure what the likelihood of the hacker winding up behind the same NAT as you is going to be. Generally the hackers will be in a different country from you. So while this may have the potential to cause that problem I think they will be very few and far between.

    • by mewsenews (251487) on Friday December 17, 2010 @10:02PM (#34596088) Homepage

      When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

      I understand the point you are trying to make, and I agree with you. I just have to be pedantic and point out that currently, for WoW accounts that have been tampered with, it doesn't matter that the activity was on the same IP address.

      If it did matter, there would be a lot of guys with neglected girlfriends that would be unable to get their characters restored.

      • by mcrbids (148650)

        When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.

        Further missing the point: the NAT referenced here isn't the kind of NAT that you are thinking, between an IPV4 public address (EG: 208.39.22.13) and a non-routable IPV4 address. (EG: 192.168.1.19)

        The NAT being referenced here is between IPV4 (which doesn't understand IPV6 address space) and IPV6. All connections coming from an IPV4 address to an IPV6 address will have to involve NAT, where the ISP has a NAT gateway so that internally hosted IPV6 addresses initiate connections through NAT to the IPV4 networ

    • And Blizzard is already addressing this problem through the use of 2nd channel Authentication. If you've got a Blizzard account, simply spend the $7.00 U.S and buy their stand-alone authenticator and configure your account to use it. Problem solved and cheaply at that.

  • So, why not just have a public database of LSNs and have them run extended ident service? (I.e., you supply it with local-remote port pair and it will tell you the IPv6 address of the NAT'd peer. Then you just use that for the peer identification from then on.)
  • by asm2750 (1124425) on Friday December 17, 2010 @08:16PM (#34595172)
    Seriously, IPv6 is there to replace IPv4. Tell everyone who whines 'tough shit' switch over already. If I have to pay an extra 5 dollars a month for a year to my ISP for that to happen then I would. Just stop trying to extend the life of IPv4 when there is a suitable replacement already available.
    • by Khopesh (112447)

      Seriously, IPv6 is there to replace IPv4. Tell everyone who whines 'tough shit' switch over already.

      Are you trying to create the massive failures we were supposed to have for Y2K? IPv6 compliance is a rather low priority for most companies and is not being taken seriously to the level that Y2K was. You're asking for a lot of "tough shit" to come your way even if you and your immediate provider are fully IPv6-compliant.

      If I have to pay an extra 5 dollars a month for a year to my ISP for that to happen then I would. Just stop trying to extend the life of IPv4 when there is a suitable replacement already available.

      You want to pay $5/mo in order to stick it to those who don't think like you? This is a capitalist system -- use it: discount customers five dollars a month to be stuck without IPv4

    • My requests have been meeting deaf ears for years.

      Unfortunately, the alternative ISPs are doing the same thing here. (But I should check again soon. I'm getting tired of these guys since the legacy monopoly here bought them out.)

    • Fine. You are the first to switch, though (IPv6 only, otherwise it is pointless).

  • Having been intimately involved with spammers over the years I can say that this change will only escalate the ongoing game of use / burn / blacklist / move on. Yes, more poor commercial entities will unknowingly and unwillingly have to call in Wally the IT guy to help them get off some blacklist somewhere so their mail will flow, but in the grand scheme this will not change the processing power of the mail bots or tilt the scales in a significant manner. IMHO.
    • by skids (119237)

      I'm beginning to think there's only one way to stop email spam. Develop some new flashy service that "replaces" email. Then get everyone who is stupid enough to fall for a Phish or to answer a UCE to switch to this new-fangled fad. Then once only people smart enough to never reply to spam are using email, there will be no motivation to spam.

      • > Develop some new flashy service that "replaces" email.

        Perhaps we could call it "Facebook" or "Twitter".

        • by skids (119237)

          Nah it has to be work-friendly-sounding. You have to be able to use it for job related things.

          LinkedIn might work.

  • by Skapare (16644) on Friday December 17, 2010 @08:47PM (#34595488) Homepage

    ... lists of public IPv4 addresses to identify "undesirable" hosts ...

    Legitimate mail servers will still need an IP address, whether that is IPv4 or IPv6. Their outbound SMTP connections can just use that same IP address. The real issue involves all those end user (broadband and dialup) IP addresses, which more and more will be multiple users sharing them for outbound connections, with no inbound. Make those have zero reputation. Let the IP addresses which are associated with real mail servers have the reputation earned by its behavior.

    One big difficulty will be mail servers stuck only on IPv6 trying to deliver mail to those on IPv4, and vice versa. But this is at least a substantial subset of the IP space. That means it can hold out for a while on IPv4, until enough IPv6 is deployed to make a "mad rush to IPv6 for email" happen. But in the mean time, those who can do mail exchange between servers on IPv6 will be pretty much spam free, for at least a while. When spammers get on IPv6, then we know IPv6 is "happening".

    To encourage IPv6, those who are on it can do things like adding extra goodies to IPv6 users. I do know a lot of porn is already there. Maybe extra features on web sites can be made to work on IPv6, too.

  • Maybe as all mail behind NATs get blocked by spam filters the network administrators will actually start blocking mail from infected hosts in their network so that legit mail is accepted again. Wishful thinking?
  • Doesn't follow (Score:4, Informative)

    by Spazmania (174582) on Friday December 17, 2010 @09:22PM (#34595806) Homepage

    As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt.

    That doesn't follow. The folks in dynamic space (the same space that will be served by LSNs) are already considered spammers when they connect to a non-local SMTP server. The only reason they're scored instead of outright blocked is that there's no rigorous list of what is and isn't a dynamic space. It makes no difference to the server whether it filters a range of IPs or a single IP.

    Identifying the individual spammer from an abuse report is slightly more difficult, but only slightly. And if you're behaving like a good net citizen, you probably blocked outbound 25 at the LSN box to begin with so you're not getting any reports because your virus-laden customers aren't able to successfully spam.

  • If your mail server supports IPv6, the mail will go sender's client to sender's MTA to your MTA, all via IPv6, with full headers. So the problem only affects recipients who are slow getting their mail servers IPv6 enabled, who force senders to reroute their mail through an IPv6 to IPv4 gateway. So seems to me it's a good reason to hurry up and get your servers on IPv6.
  • You shouldn't be running a "server" at home anyways. The internet was created so that you could buy services from large companies like your ISP. Running your own server at home is socialist. Think of the children!
  • Many IT professionals including myself feel that IPv6 is a joke and is unnecessary in most practical scenarios. Arguments I tend to throw out on face value are "why not IPv6?" and "we're running out of IPv4 addresses". Keep NAT'ing IPv4 until the cows come home - no one except tech geeks will really care if we do.

    • Oh, the non geeks will care a lot when they suddenly cannot download new releases via P2P of the day, because there are no seeders.

    • by kobaz (107760)

      The biggest problem with everyone staying on ipv4 and natting until the cows come home (which will be never... these cows will *not* come home for ipv4) is that all of a sudden you have thousands, millions of end-users on nat going through overloaded 4 to 6 proxies.

      And if no one switches to v6, only rich content providers will be able to afford direct ipv4
      And then, due to the fact that end users will certainly not have a public ip address:
      - streaming media of any kind will eventually be unusable due to over

  • Many security filtering systems use lists of public IPv4 addresses to identify 'undesirable' hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt."

    In other words, as IPv4 dies, using IPv4 for stuff won't work as well.

    Using an IP address to determine the content of a message is a bad idea anyway.
    It's like determining what cars are carrying drugs by looking at the license plates, and then punishing the car dealer for selling the car.

    Your IPv4 black list is broken. IPv6 makes it more broken. Cry me a river.

    • Using an IP address to determine the content of a message is a bad idea anyway.

      and what are your suggested alternatives to blocking website spammers? I block by IP address because the only thing coming to my website from certain areas of the world is spam.

        rd
