Spammers are in constant need of new IP addresses for sending spam and phishing emails. But IPv4 addresses are in short supply. Spammers have various ways of getting new IP addresses to spam with, including hacking legitimate websites. But one of their most sneaky techniques is hijacking unused IP address ranges, often ranges that were distributed in the early years of the internet before ARIN was founded.
In order to send spam, spammers need IP addresses. The problem is that no one wants spammers to have access to IP addresses, and so every time a blacklist provider or email provider notices spam coming from an address, they block it. Blocked addresses are useless to spammers, so they need to constantly replenish their supply.
When the IP address system that’s used to route packets around the web was first devised, the early internet pioneers had no conception of the number of devices that would eventually need an address. The IPv4 address space has room for around 4 billion addresses, give or take a few hundred million reserved addresses. That sounds like an awful lot of addresses, but it’s nothing compared to the number of devices that want to connect to the internet — a number that is rapidly growing as the Internet of Things evolves. IPv6 has a much larger address space, but for various reasons, spammers prefer IPv4 addresses, and IPv4 addresses are in short supply.
But spammers have a trick up their sleeves. Large numbers of IP addresses are unused. Many of them were handed out before formal mechanisms were put in place to regulate IP address allocation, so no one is paying for these addresses, even though they have theoretical control of them.
In essence, the internet works on trust. Routers on the web know who “owns” an IP address via the Border Gateway Protocol. An edge router between large networks uses BGP to announce that a set of IP addresses have been assigned to it, and that announcement is propagated to other routers. In some circumstances, it’s possible for a rouge router controlled by spammers to announce that they have been assigned IPs, and have the rest of the internet take them seriously. The result: hijacked IPs that criminals can use for spamming.
The first legitimate owners of these IPs know about it is when spam hunters come knocking at their door to accuse them of using their registered IPs to send torrents of unwanted email. Because the IPs are being used for spam, they’ll eventually be added to blacklists, and the spammers will once again have to replenish their supply.
As you might imagine, hijacking IPs is not easy and it requires the cooperation of an ISP or an rogue insider in an organization with similar capabilities, but for any organization with blocks of unused IPs, hijacking is a potential risk.
About the Author
Ciara Noonan works as a tech writer for MailChannels, a provider outbound email filtering and email delivery solutions for service providers. Follow MailChannels on Twitter at @mailchannels and check out their blog, http://blog.mailchannels.com/.