Search code examples
ipv6spamipv4

Will IPv6 help form-spammers?

A large (the major) part of developing a web application is to make it abuse-proof, more specifically spammer-proof.

I've just noticed that today's spambots manage to request a form, fill it in, submit it, and re-submit it (e.g. in case the CMS asks for more information before actually taking in the form data)... all from different IPv4 addresses.

First, two side questions:

  • What techniques do they use to route different requests belonging to the same session (form submission) via different IPs, all within seconds?
  • I could code a IP-based hash to check that the IP requesting the form and the one submitting it are the same; but: is there a legitimate reason why a user (i.e. not a spammer) might want to submit the form from a different IP than the one that requested it?

Then, to the meat of this question:

With its practically limitless number of addresses, will IPv6 make it easier for spammers to make webmasters' and web application developers' lives miserable?

Maybe end users will all have their own, static IPv6, which is a good thing for us because we can more easily block users whose machines are compromised.

Or spammers could continue to attack us from different angles, never using the same IPv6 twice... I am not too sure how it would work technically, especially since I don't even understand how it works with IPv4.

Question asked more or less on the day when IPv4 addresses are exhausted at the top level.

Solution

  • The short answer is that IPv6 probably makes stopping spammers easier, not more difficult.

    To elaborate: while IPv6 allows hosts to cycle through a virtually unlimited number of RFC 4941 privacy addresses from which to make connections to your web application, the good news is that the 64-bit network identifier part of their addresses can pretty reasonably be mapped to a fairly static subscriber identifier.

    Going forward with IPv4 on the other hand, the situation will soon start looking pretty grim. As more Internet service providers start dealing with IPv4 address exhaustion by aggregating subscribers behind large-scale NAT gateways, you're going to lose the ability to treat subscribers as if they each have a unique identifier in their IPv4 address. At some point, spammers will use this to their advantage against you, and your choice will be to cut off vast tracts of innocent IPv4 users coming through NAT gateways where a lot of compromised hosts are located, or to get better about detecting and removing spam after the fact.