Question

Mobile router email blocked by Spamhaus


Userlevel 1

I’ve had an ID SIM in a TPLink MR200 mobile router for over a year using it at home and in my motor caravan with no problems. Since last week I’m finding most of the dynamic IPs it uses are listed by Spamhaus as spam senders. This means I often can’t send any emails until I’ve rebooted the router three or four times. There’s definitely nothing in my equipment sending any spam and the instances Spamhaus are quoting are from times when I wasn’t using that IP or my router wasn’t even switched on.

I’ve tried two routers and also using an iPhone 6 as a hotspot with the same results. If I put an EE SIM in the router it gets a clean bill of health from Spamhaus. However there’s only a small data allocation on that so I’d really like to be able to use ID. Any idea what I could do apart from buying more data on the EE card and dropping ID?


12 replies

Userlevel 1

Having started this topic and searched around to find out what’s going on I have to say I’ve had virtually no help.

As I see it, the trouble is this is not a Spamhaus problem or a Gandi problem, or directly an ID or Three network one either, it’s an interaction between them which no-one wants to own.

I think the Spamhaus approach is a little out of date. What they’re doing is monitoring spam sent from various IP addresses and compiling blocklists which responsible providers like Gandi apply. In the past when everything used fixed IPs this would have been a good policy but now most things such as phones or mobile routers get assigned a dynamic IP when they connect. Some sort of irresponsible operator is sending or relaying spam using the block of IPs assigned to ID, maybe because it’s so cheap to connect. The IPs they’ve used get logged by Spamhaus and put on blocklists but what they’re doing is playing ‘whack-a-mole’ with the spammers. By the time the IP gets listed the spammer has moved on but the IP has gone on the blocklist for 12 months and if your router or phone is the next thing to pick that IP it’s you that gets blocked. As more and more IPs get blocked maybe eventually someone will do something about it. There seems to be something odd going on anyway, as if you look at the alleged spam send in your problem, 92.40.204.246.threembb.co.uk, that appears to have come directly from the Three network mail server. According to their policy that should have been impossible - Hutchison 3G actually say “You may not send emails directly from the Three network” from IPs in this range so I wonder how it even happened.

Anyway as I see it you’ve got at least three options:

  1. Operate through a VPN so you will present a different IP to the outside world. A friend of mine on ID has done this and it works.
  2. Register with SMTP2GO https://www.smtp2go.com/ and send from their SMTP server instead of Gandi’s. You’ll have to add some lines to your Gandi DNS which you can get from SMTP2GO’s Help. That’s free as long as you send less than 1000 emails a month.
  3. Dump ID and use a more expensive provider with proper help and a different IP range. I’m now using the EE network on a contract SIM with a Vodafone PAYG SIM as a backup with absolutely no problem so far.

Good Luck!

Userlevel 8

Usually Spamhaus only add the mail server/s IP address/es to their deny-list, @Nick M

Are you using your own email server?   

Userlevel 1

No, I’ve got an account hosted by Gandi and also a Proton account. I now can’t send through those using Thunderbird but I can send via their webmail. About 3 reboots out of 10 can also get a non-blocked IP and use Thunderbird as I was up to last week.

Userlevel 8

This can happen with less diligent email service providers. It sounds to me like an issue with the SMTP servers operated by Gandi and Proton, which Spamhaus have deemed as a source of spam messages. The email administrators at these two companies would need to talk to Spamhaus about being removed from their deny-list.

Webmail would be routing differently, and it might also be harder to send spam from a webmail session.

 

Userlevel 1

Sorry, I don’t think you’ve understood the problem. The MR200 router connects with a different IP each time it boots up. Sometimes I get one that Spamhaus thinks is OK, sometimes they have up to three listings.

Here’s an example of one of the Spamhaus messages. It’s about an IP that my router wasn’t using at the time of the quoted spam sending:

92.40.213.0 has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.

The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.

Technical information

Important: If this IP operates as a mail server, it should look and behave like a mail server. The HELO currently used appears to be dynamic and that is behaviour commonly observed in malware/proxy networks.

Recent connections:

(IP, UTC timestamp, HELO value)

92.40.213.0 2024-04-04 19:55:00 host5.datotel.com
 

Userlevel 8

Perhaps it’s a case of bad luck, @Nick M

Is your Thunderbird normally configured to use SMTP servers (at Gandi and Proton), @Nick M?

Does sending via webmail always work, regardless of the IP address allocated to your MR200 device? 

Has your MR200 device been compromised? 

Is there a device on your local network (behind your MR200 router) that has been compromised? 

Are you using any of the items listed in the Spamhaus notes about the proxy?

 

Userlevel 1

Thanks for that.

Using webmail worked every time I tried it. Webmail was the suggestion made by Gandi’s help as a temporary workaround for blocked IPs.

The problem happens with my MR200 and two different MR6400s and an old iPhone 6 used as a hotspot. One of the routers is brand new. All the devices work OK with multiple reboots given a clean bill of health using my EE SIM which is currently limited to 3G per month. The IPs using the EE card are in a completely different range to those I get with the ID SIM.

I have an analogue doorbell and the only things connected to my router are laptops and desktops running Linux Mint 21.

My best theory is someone else with a TPLink router and an ID SIM is relaying spam via a dodgy doorbell or something and a few days later my one happens to pick their old IP which has been spam listed.

Userlevel 8

Guess anything is possible, @Nick M

The “datotel.com” domain (mentioned earlier) seems to belong to a US IT services provider, who advertise their email hosting services, so perhaps they’ve been compromised somehow.

 

I have had a problem for a week which appears to be the same.

I have two ID Mobile SIM only accounts. One iPhone 6s connects to ID Mobile (they use the Three network) and provides the WIFI for my house. My other iPhone 6s is used as a portable phone in the normal way.

I always connect to my Gandi email service via secure ports and not port 25.

I normally use a small Asus laptop for web and email via the house WIFI.

I had several exchanges with Gandi support but it did not appear to be something they could help with.

Initially I restarted the WIFI iPhone each time I got the problem but this no longer appears to work.

I have a visitor with two Apple devices but switching off all Apple devices except the WIFI iPhone does not help.

I don’t have a landline or broadband.

I would be happy to switch off all outbound port 25 if I knew how to do it without introducing further equipment.

My latest error message when attempting to send email is:

“Sending of the message failed.
An error occurred while sending mail. The mail server responded:
Service unavailable; Client host [92.40.204.239] blocked using xbl.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/92.40.204.239.
Please check the message recipient ‘name@gmail.com’ and try again.”

Following the link produces:

“Recent connections:

(IP, UTC timestamp, HELO value)

92.40.204.239 2024-05-04 23:25:00 92.40.204.246.threembb.co.uk”

Any help would be appreciated.
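The rejection quoted in the post above comes from a DNSBL lookup that the receiving mail server performs on the connecting IP. As an added example (not part of the original post or any provider's code), this sketch parses such a rejection, builds the DNS name a blocklist lookup uses, and decodes Spamhaus ZEN answer codes; the function names are hypothetical and the resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import re
import socket

# Constructed sample: the rejection text quoted in the post above.
SAMPLE = ("Service unavailable; Client host [92.40.204.239] blocked using "
          "xbl.spamhaus.org; Listed by XBL")

# Spamhaus ZEN answers: which A record maps to which list.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
# Answers that mean the query itself was refused, not that the IP is clean.
ZEN_ERRORS = {"127.255.255.252": "typo in DNSBL zone name",
              "127.255.255.254": "query came via a public/open resolver",
              "127.255.255.255": "query rate limit exceeded"}

REJECT_RE = re.compile(
    r"Client host \[(\d{1,3}(?:\.\d{1,3}){3})\] blocked using ([\w.-]+)")

def parse_rejection(text):
    """Return (client_ip, dnsbl_zone) from an SMTP rejection, or None."""
    m = REJECT_RE.search(text)
    return (m.group(1), m.group(2)) if m else None

def query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookups reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the input
    return ".".join(reversed(octets)) + "." + zone

def dns_a_records(name):
    """Default resolver: list of A records, empty when none are returned."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []  # NXDOMAIN or lookup failure: treated as no listing data

def decode(answers):
    """Split DNSBL answers into list names and refusal reasons."""
    lists = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    errors = [ZEN_ERRORS[a] for a in answers if a in ZEN_ERRORS]
    return {"listed": bool(lists), "lists": lists, "errors": errors}

def check(ip, resolve=dns_a_records):
    """Look up one IPv4 address in ZEN and decode the result."""
    return decode(resolve(query_name(ip)))

if __name__ == "__main__":
    ip, zone = parse_rejection(SAMPLE)
    print(query_name(ip, zone))
    # Constructed answer instead of a live lookup, so this runs offline.
    print(check(ip, resolve=lambda name: ["127.0.0.4"]))
```

An `errors` entry means the result says nothing about the IP: Spamhaus refuses queries relayed through public resolvers, so a live check needs the network's own resolver or a Spamhaus query key.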

Userlevel 1

Well, I haven’t received any useful answer on this.

The first time I booted the router this morning I got this listing of spam sends from Spamhaus:

Recent connections:

(IP, UTC timestamp, HELO value)

92.40.213.223 2024-04-09 06:10:00 wp.pl
92.40.213.223 2024-03-21 00:00:00 92.40.213.223.threembb.co.uk
92.40.213.223 2024-03-20 09:10:00 92.40.213.223.threembb.co.uk
92.40.213.223 2024-03-08 17:35:00 142.250.153.26
92.40.213.223 2024-03-05 00:00:00 laptop-c266ij9p

Most of these occurred at times when my system was not even connected - they must have come from someone else running a similar router attached to a compromised device and are definitely nothing to do with me. It’s just that my router picked that IP today.

I rebooted it a second time and got a clean report from Spamhaus and no mail block. That happens about three or four times out of ten. I’ve rebooted multiple times with a Phone Co-Op EE SIM and got a clean Spamhaus report every time.

I’ve looked at my account to see if there’s an option to change the phone number on my plan in case that would do any good but there isn’t one.

There doesn’t seem to be a way to directly contact ID and, as other people have said, all the Chatbot does is tell you stuff you could have read elsewhere.

Having spoken to a helpful human being by phone at Phone Co-Op, I’ve now upgraded my account with them to 100G per month so I don’t need ID any more.

(And by the way, since ID’s wonderful system upgrade I can no longer log in to my account or this forum using Firefox, my usual browser; it only works with Chrome and then very slowly.)

Userlevel 8

Seems odd that the dates shown in your post are from nearly one month ago? 

Hopefully Phone Co-op are the answer.

Userlevel 7

Hi @Neville-Hillyer,

Welcome to the Community!

Unfortunately this isn’t something that I have much knowledge on, however I’m sure someone on the Community will assist further.

 

Kash
