The Spamhaus Project


The conundrum that is the modern use of NAT at a carrier grade level

Modern NAT, including Carrier Grade NAT (CGNAT), complicates tracking by hiding multiple devices behind one IP, akin to a circus full of clowns. This anonymity facilitates spamming and malware distribution. ISPs can mitigate this by clarifying CGNAT usage and filtering outbound port 25, reducing support costs and spam.

by The Spamhaus Team, January 08, 2024, 6 minutes reading time



The modern use of NAT poses a problem for both users and reputation vendors alike. Network Address Translation (NAT) is simply a way of hiding a number of devices behind a single IP. Most home routers do this transparently and many users will not even be aware this is happening.

Carrier Grade NAT (CGNAT) is just NAT on a much larger scale. Instead of one customer, one public IP and many devices, there is a public IP pool and a much larger number of customers: so many that there is no longer a one-to-one correlation. It is not possible to say, "this IP belongs to Mister X." If this reminds you of the dialup pools of yesteryear, you are not wrong and the similarities do not end there.

Not only does Mister X not have that IP, he has just one port on one IP for the duration of that connection and not a moment after. That same application, be it a browser, mail client or game, may show up on a different port on a different IP at the same time.
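An added example, not part of the original article, showing why an abuse report that names only an IP and a time cannot single out a customer behind CGNAT, while one that also carries the source port can. The port-block log layout, the subscriber ids and the addresses are constructed assumptions.

```python
from datetime import datetime

# Constructed CGNAT translation log, one row per port block handed to a subscriber:
# (start, end, subscriber, public IP, first port, last port). All values are made up;
# the public addresses are from the 203.0.113.0/24 documentation range.
MAPPINGS = [
    ("2024-01-08T10:00:00", "2024-01-08T10:20:00", "sub-0017", "203.0.113.10", 1024, 2047),
    ("2024-01-08T10:00:00", "2024-01-08T10:30:00", "sub-0342", "203.0.113.10", 2048, 3071),
    ("2024-01-08T10:10:00", "2024-01-08T10:40:00", "sub-0901", "203.0.113.10", 3072, 4095),
    ("2024-01-08T10:25:00", "2024-01-08T10:50:00", "sub-0555", "203.0.113.10", 1024, 2047),
    ("2024-01-08T10:00:00", "2024-01-08T10:30:00", "sub-0017", "203.0.113.11", 1024, 2047),
]


def candidates(public_ip, when, src_port=None):
    """Return the subscribers that could have sent traffic from public_ip at `when`.

    Without src_port every subscriber holding a block on that IP at that time
    matches; with it, only the holder of the block containing the port.
    """
    t = datetime.fromisoformat(when)
    hits = set()
    for start, end, sub, ip, lo, hi in MAPPINGS:
        if ip != public_ip:
            continue
        if not (datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)):
            continue
        if src_port is not None and not (lo <= src_port <= hi):
            continue
        hits.add(sub)
    return sorted(hits)


def attribute(public_ip, when, src_port=None):
    """Return the single matching subscriber, or None if the report is ambiguous."""
    found = candidates(public_ip, when, src_port)
    return found[0] if len(found) == 1 else None


if __name__ == "__main__":
    print(candidates("203.0.113.10", "2024-01-08T10:15:00"))       # IP + time only
    print(attribute("203.0.113.10", "2024-01-08T10:15:00", 2500))  # IP + time + port
    print(attribute("203.0.113.10", "2024-01-08T10:27:00", 1500))  # block reassigned
```

The same port on the same IP resolves to a different subscriber a few minutes later, which is why a report needs an accurate timestamp as well as the source port.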

An analogy, using clowns.

Starting with the dialup era and progressively getting worse with each generation, the internet clown infestation has always been a problem. Ever since they started letting clowns on the internet, they have engaged in their hobby of sending mail to anyone and everyone. Back in the dialup days, it was possible to point and say, "At this time, there was a clown here on this dial-up IP, and he was not funny. See to it." and the ISP would be able to look it up and stick the clown in the penalty box. No longer.

The advent of widespread use of Network Address Translation (NAT) in 2004 enabled a whole new layer of tomfoolery. Instead of just one clown in the ring at a time, now there is a whole clown alley in the clown bus - why, it's almost a truck! With NAT it became impossible to tell which part of the circus tent (ISP) a clown came from. In many parts of the civilised world, the clowns are not allowed to leave the circus (ISP) at all: this is also called "outbound port 25 blocking". With the advent of outbound port 25 blocking, clowns were effectively silenced in those areas of the world. However, much of the internet is not as enlightened, and for this reason, the "Spamhaus Pierrot Block List" (Spamhaus Policy Block List - PBL) exists. If the internet is visualised as a map, the PBL would be little signs all over the place warning of: "spontaneous clowns!"

Why NAT enables clowns

It is utterly unclear who is talking when all you can see is a bus that appears to be full of clowns. You wonder, could there be actual regular people inside? From outside the circus tent, one can only hear the noise - is that a spamware clown, residential proxy clown, or worse, a malware clown? Could it be a real person trying to send real mail? Who knows? From the outside, NAT functionally reduces a whole household or apartment building to one IP, and since there's no way to see inside, it is safest to assume that it's all clowns all the time.

But what has this to do with Carrier Grade Network Address Translation (CGNAT)?

"Clown Grade" NAT takes NAT to a whole new level: it takes that small circus tent with the little clown alley in it and upgrades it all the way to a complete clown college. The Clown Grade version has a pool of public IP addresses and significantly more households behind that. There is now zero accountability and the quantity of clowns becomes simply "more than one". Instead of one clown showing up to entertain your child on their birthday, the entire clown academy arrives. And no one wants their house overrun like that!

Okay, enough clowns. Now for some real talk.

This entire arrangement is an extension of the mobile phone world, where the users neither know nor care what their IP address is: these users do not use mail in the traditional sense, they use an app, it does everything for them and they do not care how.

This technology has now been extended to fixed internet, where users are less mobile and often providers are not even telling their customers that this is what they are using. In our experience, many a detection is caused by this neglect, and the customer is often surprised or outraged to learn that they are behind address translation without their knowledge or consent.

In the distant past, when dialup was the problem, a spammer could dial in, start spamming and then disconnect when he had finished. Should he get blocked during his spam run, he could simply disconnect, reconnect with a new IP and return to business as usual. This is what spammers on certain large cloud providers do today - for exactly the same reasons. Get blocked, get a new IP, continue merrily spamming. (The PBL evolved to list these dialup ranges for this very purpose. Even now, the PBL applies reasonably well to cheap cloud hosting.)

These days with CGNAT, the spammer doesn't just have one IP at a time, he has the whole pool to spam from, funnelled through a single IP that is shared with a lot of innocent victims of their ISP's policy. Every connection the spammer makes comes from a different IP in the pool and before you know it, everything is listed. To add insult to injury, many modern applications include slyly hidden residential proxies under the hood, and these are busy selling your connectivity for their own gain. For "free!"

What can providers do about this?

It would help if ISPs would make it clear in their DNS that these IPs are CGNAT. For reasons unclear, many providers seem to prefer not to assign rDNS to their CGNATs at all.

The most effective way to stop CGNATs being spam cannons and avoid getting them listed is to filter outbound connections to port 25 from their CGNAT pools. Modern users do not need port 25 open; they should all be using SMTP Authentication with port 587 or 465. Port 25 is only needed by mail servers and access to it should be restricted by default. Limiting access to port 25 prevents all the infected devices behind the NAT from being able to successfully distribute their spam and malware-laden emails, and with the exponential rise in residential proxy networks, this becomes ever more important. Closing port 25 will not fix their residential proxy problems, but it will definitely reduce support costs, reduce the spam load in the world and also reduce the spread of malware.

It's a simple, low cost effort that has a lot of bang for the buck.
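An added example, not part of the original article, that applies the port 25 policy described above to sample flow records and reports which subscribers were trying to reach many mail servers directly. It assumes the subscriber side of the CGNAT is numbered from the RFC 6598 shared address space (100.64.0.0/10); the flow records and the reporting threshold are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: subscribers behind the CGNAT are numbered from the RFC 6598
# shared address space; substitute the provider's real inside ranges.
CGNAT_INSIDE = ip_network("100.64.0.0/10")
SMTP_PORT = 25  # server-to-server SMTP, filtered by default for subscribers
# Ports 587 and 465 (authenticated submission) are deliberately left open.

# Constructed flow records: "src_ip dst_ip dst_port". Destinations use
# documentation ranges and do not refer to real hosts.
FLOWS = """\
100.64.3.20 198.51.100.5 587
100.64.3.20 198.51.100.5 465
100.64.9.77 192.0.2.10 25
100.64.9.77 192.0.2.11 25
100.64.9.77 192.0.2.12 25
100.64.1.4 192.0.2.10 25
203.0.113.25 192.0.2.10 25
100.64.1.4 198.51.100.80 443
"""


def verdict(src, dst_port):
    """Egress decision for one flow: drop port 25 from CGNAT subscribers only."""
    if ip_address(src) in CGNAT_INSIDE and dst_port == SMTP_PORT:
        return "drop"
    return "accept"


def audit(flow_text, threshold=3):
    """Apply the policy and report subscribers with many port 25 destinations.

    Returns (dropped_flow_count, flagged), where flagged maps a subscriber
    address to the number of distinct mail servers it tried to reach.
    """
    dropped = 0
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        src, dst, port = line.split()
        if verdict(src, int(port)) == "drop":
            dropped += 1
            targets[src].add(dst)
    flagged = {s: len(d) for s, d in targets.items() if len(d) >= threshold}
    return dropped, flagged


if __name__ == "__main__":
    print(audit(FLOWS))
```

The mail server at 203.0.113.25 sits outside the CGNAT range and keeps its port 25 access, while the flagged subscriber address is a candidate for an infected-device notice.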