Question

Mobile router email blocked by Spamhaus

  • 15 April 2024
  • 9 replies
  • 56 views

I’ve had an ID SIM in a TPLink MR200 mobile router for over a year, using it at home and in my motor caravan with no problems. Since last week I’m finding most of the dynamic IPs it uses are listed by Spamhaus as spam senders. This means I often can’t send any emails until I’ve rebooted the router three or four times. There’s definitely nothing in my equipment sending any spam, and the instances Spamhaus are quoting are from times when I wasn’t using that IP or my router wasn’t even switched on.

I’ve tried two routers and also using an iPhone 6 as a hotspot, with the same results. If I put an EE SIM in the router it gets a clean bill of health from Spamhaus. However, there’s only a small data allocation on that, so I’d really like to be able to use ID. Any idea what I could do apart from buying more data on the EE card and dropping ID?


9 replies

Userlevel 8
Badge +9

Usually Spamhaus only add the mail server/s IP address/es to their deny-list, @Nick M

Are you using your own email server?   

No, I’ve got an account hosted by Gandi and also a Proton account. I now can’t send through those using Thunderbird but I can send via their webmail. About 3 reboots out of 10 can also get a non blocked IP and use Thunderbird as I was up to last week.

Userlevel 8
Badge +9

This can happen with less diligent email service providers. It sounds to me like an issue with the SMTP servers operated by Gandi and Proton, which Spamhaus have deemed a source of spam messages. The email administrators at these two companies would need to talk to Spamhaus about being removed from their deny-list.

Webmail would be routing differently, and it might also be harder to send spam from a webmail session.


Sorry, I don’t think you’ve understood the problem. The MR200 router connects with a different IP each time it boots up. Sometimes I get one that Spamhaus thinks is OK, sometimes they have up to three listings.

Here’s an example of one of the Spamhaus messages. It’s about an IP that my router wasn’t using at the time of the quoted spam sending:

92.40.213.0 has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.

The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.
Technical information

Important: If this IP operates as a mail server, it should look and behave like a mail server. The HELO currently used appears to be dynamic and that is behaviour commonly observed in malware/proxy networks.

Recent connections:

(IP, UTC timestamp, HELO value)

92.40.213.0 2024-04-04 19:55:00 host5.datotel.com
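As an added example (not from this thread, and not Spamhaus’s own code), here is how the listing check behind those notices works, so that after each reboot you can see whether the newly assigned address is on a Spamhaus list, and which one, before trying to send. It uses the reversed-octet DNS lookup method that DNS blocklists use, against the public zen.spamhaus.org zone, and maps the returned codes to list names. The zone name, the return-code meanings (taken from Spamhaus’s published return codes) and all function names are my assumptions; the two addresses in the usage section are the ones quoted in this thread.

```python
"""Check whether an IPv4 address is listed in a Spamhaus DNS-based blocklist.

Added example, not part of the original forum thread. It assumes the public
Spamhaus ZEN zone (zen.spamhaus.org) answers queries from an ordinary
resolver, which is fine for occasional manual checks; a real mail system
should use Spamhaus's data-query service instead.
"""
import ipaddress
import socket
import sys

DNSBL_ZONE = "zen.spamhaus.org"  # assumed: combined SBL + XBL + PBL zone

# Meaning of the A records a ZEN lookup returns (Spamhaus's documented codes).
# Anything in 127.255.x.x is an error from the blocklist service, not a listing.
RETURN_CODES = {
    "127.0.0.2": "SBL: Spamhaus-maintained spam source listing",
    "127.0.0.3": "SBL CSS: compromised-host / snowshoe spam source",
    "127.0.0.4": "XBL: exploited host (malware, open proxy, botnet)",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.10": "PBL: ISP-declared end-user/dynamic range (no direct-to-MX sending)",
    "127.0.0.11": "PBL: Spamhaus-declared end-user/dynamic range",
}


def build_dnsbl_query(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Return the DNS name to query: octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_response(answers) -> list[str]:
    """Map the A records returned by a DNSBL lookup to human-readable listing types."""
    findings = []
    for a in answers:
        if a in RETURN_CODES:
            findings.append(RETURN_CODES[a])
        elif a.startswith("127.255."):
            findings.append(f"lookup error from blocklist ({a}); treat result as unknown")
        else:
            findings.append(f"unrecognised return code {a}")
    return findings


def lookup(ip: str, zone: str = DNSBL_ZONE) -> list[str]:
    """Perform the live DNS lookup. An NXDOMAIN answer means 'not listed'."""
    name = build_dnsbl_query(ip, zone)
    try:
        _, _, addresses = socket.gethostbyname_ex(name)
    except socket.gaierror as e:
        if e.errno == getattr(socket, "EAI_NONAME", -2):
            return []  # NXDOMAIN: the address is not on any ZEN list
        raise  # resolver failure: never mistake "could not ask" for "not listed"
    return classify_response(addresses)


if __name__ == "__main__":
    # Addresses from the thread by default; pass others on the command line.
    for ip in sys.argv[1:] or ["92.40.213.0", "92.40.213.223"]:
        hits = lookup(ip)
        print(f"{ip}: " + ("; ".join(hits) if hits else "not listed"))
```

A PBL result only says the carrier has declared the range as end-user space, which is expected for a mobile SIM and matters only for direct port-25 delivery to other mail servers; an XBL or CSS result says the address itself was recently seen behaving like a compromised host or proxy, which is the kind of behaviour the notice quoted above describes. Running the check right after a reboot tells you which of the two you have been handed before you start troubleshooting your own equipment.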

Userlevel 8
Badge +9

Perhaps it’s a case of bad luck, @Nick M

Is your Thunderbird normally configured to use SMTP servers (at Gandi and Proton), @Nick M?

Does sending via webmail always work, regardless of the IP address allocated to your MR200 device? 

Has your MR200 device been compromised? 

Is there a device on your local network (behind your MR200 router) that has been compromised? 

Are you using any of the items listed in the Spamhaus notes about the proxy?


Thanks for that.

Using webmail worked every time I tried it. Webmail was the suggestion made by Gandi’s help as a temporary workaround for blocked IPs.

The problem happens with my MR200, two different MR6400s and an old iPhone 6 used as a hotspot. One of the routers is brand new. All the devices work OK and are given a clean bill of health over multiple reboots using my EE SIM, which is currently limited to 3G per month. The IPs using the EE card are in a completely different range to those I get with the ID SIM.

I have an analogue doorbell and the only things connected to my router are laptops and desktops running Linux Mint 21.

My best theory is someone else with a TPLink router and an ID SIM is relaying spam via a dodgy doorbell or something and a few days later my one happens to pick their old IP which has been spam listed.

Userlevel 8
Badge +9

Guess anything is possible, @Nick M

The “datotel.com” domain (mentioned earlier) seems to belong to a US IT services provider, who advertise their email hosting services, so perhaps they’ve been compromised somehow.


Well, I haven’t received any useful answer on this.

The first time I booted the router this morning I got this listing of spam sends from Spamhaus:

Recent connections:

(IP, UTC timestamp, HELO value)

92.40.213.223 2024-04-09 06:10:00 wp.pl
92.40.213.223 2024-03-21 00:00:00 92.40.213.223.threembb.co.uk
92.40.213.223 2024-03-20 09:10:00 92.40.213.223.threembb.co.uk
92.40.213.223 2024-03-08 17:35:00 142.250.153.26
92.40.213.223 2024-03-05 00:00:00 laptop-c266ij9p

Most of these occurred at times when my system was not even connected - they must have come from someone else running a similar router attached to a compromised device and are definitely nothing to do with me. It’s just that my router picked that IP today.

I rebooted it a second time and got a clean report from Spamhaus and no mail block. That happens about three or four times out of ten. I’ve rebooted multiple times with a Phone Co-Op EE SIM and got a clean Spamhaus report every time.

I’ve looked at my account to see if there’s an option to change the phone number on my plan in case that would do any good but there isn’t one.

There doesn’t seem to be a way to directly contact ID and as other people have said all the Chatbot does is tell you stuff you could have read elsewhere.

Having spoken to a helpful human being by phone at Phone Co-Op, I’ve now upgraded my account with them to 100G per month so I don’t need ID any more.

(And by the way, since ID’s wonderful system upgrade I can no longer log in to my account or this forum using Firefox, my usual browser; it only works with Chrome, and then very slowly.)

Userlevel 8
Badge +9

Seems odd that the dates shown in your post are from nearly one month ago? 

Hopefully Phone Co-op are the answer.
