The Spamhaus Project

Spammers Love Mobile Phone IP Space. Here’s How to Fix That.

Mobile phone companies are leaving the door wide open for spammers. They’re hurting their own customers (and the rest of the Internet) - but there’s still time to fix this.

by The Spamhaus Team | April 19, 2024 | 4 minutes reading time

Introduction

Spamhaus removals tickets often seem to arrange themselves in patterns. For a while, we will see a lot of the same type of ticket, then they fade away, and after some time, start again.

One such pattern right now is an upswing of removal requests from upset mobile phone users. We have a glut of tickets from people who are unable to send mail from their mobiles, and who are trying everything to resolve it - but they cannot, because the real problem is not being addressed. To wit: they are victims of their own ISP's policies and decisions.

ISPs are still using port 25

Although many ISPs no longer support port 25 for the transmission of email by their residential Internet customers, many still do. But why is this a problem? A large proportion of port 25 traffic is generated by devices that have been infected with proxyware or malware and are sending spam over port 25 without the user's consent or knowledge.

Making SMTP authentication mandatory and simultaneously closing outbound port 25 for end users can prevent such infected devices from freely transmitting spam and malware over the Internet - including mobile devices.

Proxyware and malware on mobile devices

The problem of mobile devices - phones, laptops, tablets - being infected with proxyware and malware is increasing exponentially. There are literally hundreds of millions of these devices already out there, and more are being added at a terrific rate. As a result, the decision to leave outbound port 25 open on mobile IP pools is now backfiring spectacularly.

This is very frustrating! As an industry, we have spent the last 30 years working to eradicate the open relay and spam botnet issue, and we had mostly succeeded. Yet, now we are facing the same problem again, only bigger, “better,” faster, more!

What have we been seeing?

Using 3UK as an example - 3UK has at least one /15 allocated to mobile IPs (131,072 IPs!). It is not clear whether these are dynamically assigned to single users, or if they are CGNAT, but what is unequivocally clear is that they have left outbound port 25 open on that IP pool. Why?

We see the results in our CSS and XBL lists: many of the IPs have been listed because this policy effectively turns their mobile IP pools into spam cannons.

How to fix it

THE END USERS CANNOT FIX THIS SITUATION. ONLY THE ISPS CAN. ISPs, PLEASE:

  1. List your dynamic/mobile/CGNAT ranges in PBL to protect the internet from port 25-relayed spam.
  2. Close port 25 outbound for end users, and reserve it only for SMTP servers.

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) published their recommendation: "Managing Port 25 for Residential or Dynamic IP Space - Benefits of Adoption and Risks of Inaction."

ISPs, PLEASE! This would be a win all around:

  • The email generated from the spambots and proxies will try to go out of port 25 and be blocked.
  • Your support teams will get fewer tickets.
  • You will help make bad people sad. The spammers lose a resource!

There’s a Corollary

Some ISPs are using Spamhaus data against their own users that are in this situation. This is an unsupported use of our datasets: users that are correctly using SMTP authentication should not be denied access to smarthosted mail relays.

  1. Use CSS/XBL/PBL only for INBOUND mail, not for outbound!
  2. List your dynamic/mobile/CGNAT ranges in PBL to protect the internet from port 25-relayed spam.
  3. You may want to throttle listed IPs more aggressively on your smarthosts.
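
The three points above, sketched as a policy check (an added example, not Spamhaus code): DNSBL listings decide only inbound port 25 connections, while authenticated submission is always accepted and a listing only tightens the rate limit. The function names, the submission ports 587/465, the injected resolver and the sample addresses are assumptions for illustration; the return codes are the published ZEN codes for CSS, XBL and PBL.

```python
import ipaddress

ZEN = "zen.spamhaus.org"  # combined zone that includes CSS, XBL and PBL
# Published ZEN return codes for the three lists named in the post.
CODES = {"127.0.0.3": "CSS", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
         **{f"127.0.0.{n}": "XBL" for n in range(4, 8)}}
SUBMISSION_PORTS = {587, 465}  # assumption: smarthost takes authenticated mail here

def dnsbl_qname(ip, zone=ZEN):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listings(ip, resolve):
    """Names of the lists `ip` is on; `resolve` maps a qname to A records."""
    return sorted({CODES[a] for a in resolve(dnsbl_qname(ip)) if a in CODES})

def decide(ip, port, authenticated, resolve):
    """Return (action, lists) for one connection to the ISP's mail servers."""
    if port in SUBMISSION_PORTS:
        if not authenticated:
            return ("reject", [])  # submission without SMTP AUTH is never relayed
        hits = listings(ip, resolve)
        # Authenticated customers are never refused because of a listing;
        # a listed address only gets a tighter rate limit.
        return ("accept-throttled" if hits else "accept", hits)
    if port == 25:
        hits = listings(ip, resolve)  # inbound MX: the supported use
        return ("reject" if hits else "accept", hits)
    return ("reject", [])

# Constructed sample data: documentation addresses and made-up listings.
SAMPLE_ZONE = {
    "7.2.0.192.zen.spamhaus.org": ["127.0.0.10", "127.0.0.4"],  # mobile pool IP
    "9.100.51.198.zen.spamhaus.org": ["127.0.0.3"],
}

def sample_resolve(qname):
    return SAMPLE_ZONE.get(qname, [])  # NXDOMAIN (not listed) becomes []

if __name__ == "__main__":
    for args in [("192.0.2.7", 587, True), ("192.0.2.7", 25, False),
                 ("198.51.100.9", 25, False), ("203.0.113.5", 25, False)]:
        print(args, decide(*args, sample_resolve))
```

In production, `resolve` would be a real DNS A-record lookup, and the "accept-throttled" result would feed whatever rate limiter the smarthost already uses.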

This is the open relay conversation from 30 years ago, redux - we fixed this once by working together. Let's fix it again!