The Spamhaus Project

Spamhaus Releases IPv6 Blocklists Strategy

by The Spamhaus Team, June 06, 2011

The Spamhaus Project has released a document outlining its strategy for its IP blocklists and their future in an IPv6-enabled world. Entitled "Spamhaus IPv6 Blocklists Strategy Statement", the document focuses exclusively on IPv6 DNS-based blocklists and gives technical details of how Spamhaus plans to implement them.

The document draws attention to a potentially serious problem that can affect DNS caches once the world transitions to using IPv6 for email. The vast size of the IPv6 space means that spammers will be able to obtain huge allocations of IPv6 space to spam from and could then easily do "spread spectrum" spamming, using a different IP address for every message. This risks quickly overflowing DNS infrastructure worldwide. To guard against this, Spamhaus is developing a new robust and sophisticated DNS-based method of publishing blocklists for IPv6, using a 'B-tree' design.

Spamhaus believes the IPv6 DNS cache overflow problem is serious and notes that it is not limited to DNS-based blocklists but extends to reverse DNS ("rDNS"): if rDNS is allocated to vast IPv6 networks, spammers can easily cause similar problems with DNS caches.
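The cache effect described above can be modelled in a few lines. This is an added example, not Spamhaus code and not the 'B-tree' design the statement describes: the zone name `dnsbl.example`, the cache size, the traffic mix and the per-/64 key used for contrast are all assumptions, and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import OrderedDict

ZONE = "dnsbl.example"  # placeholder zone name (assumption), not a Spamhaus zone

def dnsbl_qname(addr, zone=ZONE):
    """Per-address DNSBL query name: reversed nibbles, as in RFC 5782."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone

def prefix64_key(addr):
    """Hypothetical alternative key: the enclosing /64 of the address."""
    return str(ipaddress.ip_network(f"{addr}/64", strict=False))

class LRUCache:
    """Minimal model of a resolver cache with a fixed number of entries."""
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, OrderedDict()

    def lookup(self, key):
        """Return True on a hit; on a miss, insert and evict the oldest entry."""
        if key in self.entries:
            self.entries.move_to_end(key)
            return True
        self.entries[key] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)
        return False

def simulate(key_fn, messages=6000, capacity=1000):
    """Constructed traffic: one source in 2001:db8:bad::/64 uses a new address
    per message; 50 stable mail servers are each looked up every 2000 messages."""
    cache, seen, legit_hits, legit_lookups = LRUCache(capacity), set(), 0, 0
    base = int(ipaddress.IPv6Address("2001:db8:bad::"))
    legit = [f"2001:db8:{i:x}::25" for i in range(1, 51)]
    for n in range(messages):
        key = key_fn(str(ipaddress.IPv6Address(base + n + 1)))
        seen.add(key)
        cache.lookup(key)
        if n % 40 == 0:  # interleave one lookup for a stable server
            key = key_fn(legit[(n // 40) % 50])
            seen.add(key)
            legit_lookups += 1
            legit_hits += cache.lookup(key)
    return len(seen), legit_hits, legit_lookups  # (unique keys, hits, lookups)

if __name__ == "__main__":
    print("per-address:", simulate(dnsbl_qname))
    print("per-/64:    ", simulate(prefix64_key))
```

With per-address names every lookup for the stable servers misses because their entries are evicted between uses; keyed per /64, the same traffic occupies 51 entries.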

The Spamhaus plan is to implement IPv6 DNSBLs in two stages, designed to allow users to continue using the negative reputation of IP addresses in IPv6 as one of the criteria to reject spam email at the server level, while at the same time preventing damage to the world's DNS infrastructure.

Spamhaus predicts that email will be among the last of the Internet protocols to move fully to IPv6 and that the move of the majority of email traffic to IPv6 will take many years. This is partly due to the very nature of SMTP's current usage. With mailservers handling email for large communities on relatively small numbers of IP addresses, IPv4 works perfectly and there has never been a need for massive numbers of IP addresses to host mailservers (unless one is spamming, of course).

While today DNS-based blocklists are the work-horses of the spam filtering world, doing the majority of the 'heavy lifting' work before mailservers are burdened with content checks, in the future under IPv6 Spamhaus sees DNS-based blocklists as part of a more sophisticated system of checks. For a number of years Spamhaus has been working on new spam filter systems, which include new IP blocklists, IP "allow-to-the-next-level" lists (neither blacklists nor whitelists), domain blocklists and domain whitelists to be used in conjunction with DKIM.

Though new designs such as IPv6 do present many problems when migrating to them, they can also offer opportunities to design a better way forward. Spamhaus' full strategy for filtering email in IPv6 - covering IP and domain blocklists, new reputation lists, domain whitelists and DKIM signing and reputation - will be detailed in a forthcoming 'strategy for filtering email in IPv6' document.

Online Statement: Spamhaus IPv6 Blocklists Strategy Statement

RFC 6177: IPv6 Address Assignment to End Sites

*"It is no longer recommended that /128s be given out."*

*"In practice, that means at least one /64, and in most cases significantly more."*