Managing Spam Under IPv6

Abstract

DNS Blacklisting (DSNBL) is a fast and efficient method to detect spam messages. Relying on IP addresses, it can be used by mail servers to filter emails at the early stage of the SMTP connection - that is, without needing to retrieve the message content - which provides a considerable saving in terms of bandwidth and computational power. High detecting rate and low false positive ratio is insured provided that DNSBLs are updated in near real time. Under IPv4 this is not a problem but things will radically change when mail servers will start using IPv6. Spammers will very likely use the immense number of available IPv6 addresses to defeat DNSBLs. Behavioral blacklisting is an alternative spam filtering technique consisting in using network-level features of messages to differentiate spams from legitimate messages. Even though good results were achieved, the method has never been deployed because DNSBLs always outperformed it. This work aims at evaluating whether behavioral techniques will be negatively affected by a future IPv6 transition. The lack of relevant data made the task complicated but it has been discovered that some features (like the AS number of the sender's IP address) seem particularly promising for an IPv6 usage, while others will more likely become useless.