Wednesday, August 08, 2012 by Andrew Conway
A couple of weeks ago the Grum botnet was taken down. There were some extravagant claims made about the impact this would have, but in practice there was nothing that would be noticed by end users. Although Grum had about a hundred thousand zombies sending spam, all of those zombies quickly found themselves on IP address blacklists like Cloudmark Sender Intelligence, or blocked by local policy thresholds for sending emails too frequently. This would block them at connection time, so in many cases their pernicious outpourings did not even make it through to a spam folder.
IP filtering is fast and cheap, and as such it makes a good first line of defense against spam. But if it is the only defense you have then you will soon be inundated by snowshoe spam, and spam from free webmail services whose IPs you cannot block without risking false positives (legitimate messages which are incorrectly identified as spam).
IP addresses are just one of the many identifying characteristics that Cloudmark targets in detecting and filtering spam. What’s more, IP filtering is going to get a lot harder in the next few years, as the five hundred pound gorilla that is IPv6 knuckle-walks onto the Internet landscape.
“The IPv6 address space is big. You just won’t believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it’s a long way down the road to the chemist’s, but that’s just peanuts to IPv6.“
There are 4,294,967,296 IPv4 addresses (though some are reserved for special purposes), and 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses (ditto). An IPv6 address is split into two parts, 64 bits for the network and 64 bits for the individual computers, but since an individual computer can use as many different ephemeral addresses as it wants within the network, that still leaves potentially 18,446,744,073,709,551,616 addresses for each machine. If spam stays at its current daily volumes that’s enough addresses available to a single machine to give each piece of spam it’s own address… for the next half a million years. Multiply that by the number of different networks that Grum zombies were on at the height of the infection and you will see that the IP address filtering that was so effective against Grum will simply not be feasible in an IPv6 world.
My colleagues at Cloudmark have already written about the challenges of IPv6 and published a white paper of recommendations but the bottom line is that traditional IP address filtering will no longer be effective in the IPv6 world, and the broader based filtering and validation techniques used by Cloudmark will become even more important against spammers and rogue ISPs.
 From The Hitchhikers Guide to IPv6