uceprotect.net has us blacklisted?

I wrote a script a while back to check several of my IPs against many of the most widely used RBL blacklists each day, and it came up with a hit on uceprotect.net these last few days with my linode's IP. I don't know how widely used this blacklist is, though.

So I went to their website, and put my IP in to see why. It's not blacklisted because of my IP, or even the entire subnet(s) that it belongs to. So it's not because of any Linode spammers.

They're listing our subnets because we're under "GNAXNET-AS - Global Net Access, LLC", who has had over 300 spammers in the last week out of over 92,000 IPs. 0.3% spamming?

I work at an ISP. I know it's impossible to catch them all. Particularly with today's trojans, worms, viruses, and not to mention a recent one we've been fighting– hijacked webmail logins for squirrelmail and so forth.

uceprotect claims that we (customers with IPs in these networks) are part of the problem by supporting a carrier that doesn't stop spammers. Bull****. Blacklists that list thousands of innocent mail servers are evil, and the ISP's first priority is to make sure the traffic goes through for their paying subscribers.

If any of you guys are using uceprotect to block spam, I'd recommend against using them. You'll be blocking linode customers.

:)
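A sketch of the kind of daily check described in the post above, as an added example that is not the poster's script: it builds the reversed-octet DNSBL query name, counts only answers inside 127.0.0.0/8 as listings, and reports the narrowest level at which an address is listed, which separates "my host was caught" from "my allocation or ASN was escalated". The zone names are an assumption (the thread does not give them), and the sample answers and stub resolver are constructed so the block runs offline.

```python
import ipaddress
import socket

# Assumption (not stated in the thread): these DNS zones serve UCEPROTECT
# Levels 1-3. Swap in whatever zones your own mail setup consults.
ZONES = {
    1: "dnsbl-1.uceprotect.net",
    2: "dnsbl-2.uceprotect.net",
    3: "dnsbl-3.uceprotect.net",
}

# Listing scope per level, as described in the thread.
SCOPE = {1: "single IP", 2: "allocation", 3: "complete ASN"}

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Resolve through the OS; return one A record as a string, or None.

    Every lookup failure (NXDOMAIN, timeout) comes back as None, so a
    resolver outage looks the same as "not listed"; monitor that separately.
    """
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listing(answer):
    """Only an answer inside 127.0.0.0/8 means "listed".

    Anything else (for example a resolver that rewrites NXDOMAIN to a
    search-page address) must not be counted as a hit.
    """
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:
        return False


def listed_levels(ip, resolver=system_resolver):
    """Return the sorted list of levels whose zone lists this address."""
    return [
        level
        for level, zone in sorted(ZONES.items())
        if is_listing(resolver(query_name(ip, zone)))
    ]


def narrowest_listing(ip, resolver=system_resolver):
    """Lowest listed level, or None when the address is not listed at all."""
    levels = listed_levels(ip, resolver)
    return levels[0] if levels else None


def describe(ip, resolver=system_resolver):
    """One-line report suitable for a daily cron mail."""
    level = narrowest_listing(ip, resolver)
    if level is None:
        return f"{ip}: not listed"
    cause = "this host" if level == 1 else "neighbours, not necessarily this host"
    return f"{ip}: listed at Level {level} ({SCOPE[level]}); cause: {cause}"


# Constructed answers for an offline run; these are not real lookup results.
SAMPLE_ANSWERS = {
    "65.64.247.63.dnsbl-1.uceprotect.net": "127.0.0.2",
    "65.64.247.63.dnsbl-3.uceprotect.net": "127.0.0.2",
    "36.124.22.64.dnsbl-3.uceprotect.net": "127.0.0.2",
    "10.2.0.192.dnsbl-1.uceprotect.net": "203.0.113.7",  # rewritten NXDOMAIN
}


def stub_resolver(name):
    """Stand-in for DNS that answers only from SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("63.247.64.65", "64.22.124.36", "192.0.2.10"):
        print(describe(ip, stub_resolver))
```

For live use, call `describe(ip)` without the stub so the lookups go through the system resolver.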

38 Replies

Thanks for sharing. Can we do something against it?

> If any of you guys are using uceprotect to block spam, I'd recommend against using them. You'll be blocking linode customers.

Good up to date alternative blacklists are welcome :wink:

Hi,

I don't think this is a blanket wide ban on Linode IP's.

I run two mail servers on different Linodes and neither of the IP's appear to be blocked by uceprotect.

The site I use to check my IP's is:

http://www.robtex.com/rbl.html

Cheers

I'm listed..

http://www.uceprotect.net/en/rblcheck.php?ipr=64.22.124.36

Their webpage is almost comical on the matter. To quote:

> What means listed at UCEPROTECT-Level 3?
>
> GAME OVER. We and our users have seen enough spam and heared all possible excusions why some lazy providers think to be not responsible for what their customers are doing.
>
> We are not just another blacklist. We really know better. Spam is always a problem tolerated by the provider.
>
> We have very bad news for you: It seems you have chosen the wrong provider.
>
> Your IP 64.22.124.36 was NOT part of a spamrun, but your provider seems to believe that spam is what the internet was made for.
>
> By tolerating your provider doesn't care about spammers you are also supporting the global spam.
>
> If all people would boycott spammerhaevens, spam-friendly providers wouldn't even exist.

I find it funny that they have two massive buttons, PAYPAL and MONEYBROKERS next to the level-3 listing, to allow express removal of it.

It seems that they've blacklisted the entire AS3595, or in sum, 92,160 IPs because they have complaints about 316 of them.

Any RBL with an "accuracy" rate of 0.00343% isn't one that should be used in my book.

The entire RBL seems like a scam to me…

@kbrantley:

Any RBL with an "accuracy" rate of 0.00343% isn't one that should be used in my book.

Any RBL that expands its range to punish innocent people ("don't support people who support spammers") is worthless. Sounds like this list is just the latest pathetic version.

This is an extortion racket along the lines of sorbs.net. This 'anti-spam' service may well be run by spammers - with their strange understanding of legal matters, poor grammar, and payment by PayPal - they sure act like spammers.

@NecroBones:

So I went to their website, and put my IP in to see why. It's not blacklisted because of my IP, or even the entire subnet(s) that it belongs to. So it's not because of any Linode spammers.

So the question should be: If Linode's ranges within GNAX are clean, why does Linode accept GNAX having so many spammers?

They could also use cleaner datacenters.

@NecroBones:

They're listing our subnets because we're under "GNAXNET-AS - Global Net Access, LLC", who has had over 300 spammers in the last week out of over 92,000 IPs. 0.3% spamming?

That is 0.1% more than accepted by our standards.

So they perfectly match Level 3 listing criteria.

@NecroBones:

I work at an ISP. I know it's impossible to catch them all. Particularly with today's trojans, worms, viruses, and not to mention a recent one we've been fighting– hijacked webmail logins for squirrelmail and so forth.

I even worked in a provider's abuse department in Switzerland before I was employed by Admins WebSecurity.

I have knowledge of what is possible and what is not for providers.

A provider can clean up their act, most of all providers have 0.05 to 0.1 % abusers per 7 days compared to their total ip space.

Having 0.3 % as GNAX is really bad, even a sewer as VERIZON has 0.27%, which means they are cleaner than GNAX compared to their size.

Also very interesting to see 105500 providers are not able to get listed at Level 3 because they stay extremely below 0.2 % abusers per 7 days.

It is possible that a provider can have VERY clean ranges if he really wants!

@NecroBones:

uceprotect claims that we (customers with IPs in these networks) are part of the problem by supporting a carrier that doesn't stop spammers. Bull****. Blacklists that list thousands of innocent mail servers are evil, and the ISP's first priority is to make sure the traffic goes through for their paying subscribers.

No one paying a sewer is innocent.

Evil are providers not having preventive measures.

A provider hosting webservers should at least have MODSECURITY on all servers.

Doing so makes it almost impossible to abuse weak scripts / unpatched cms / blogs / other crap dumb users might install.

A datacenter not using MODSECURITY is nothing but unprofessional.

You are part of the problem because you have accepted they ignore the problem and even think you must defend them.

@NecroBones:

If any of you guys are using uceprotect to block spam, I'd recommend against using them. You'll be blocking linode customers.

:)

You are ranting at the wrong place. You should have done so at GNAX.

Furthermore you can assume people using Level 3 for blocking do exactly know what they are doing. We have at this time listed providers as VERIZON at Level 3, so I really doubt Level 3 users will care about some webservers hosted at GNAX are also listed.

Level 3 is declared as a draconic list and used by BOFH's and other HARDLINERS out there.

Interesting to see that meanwhile also some providers are blocking at Level 3 and it does not make me wonder.

Why should a super clean provider having installed our 4 steps to prevent mailabuse allow lazy others to waste his resources and flooding his users?

Many people harass us, because we are running a very hard and unforgiving course at UCEPROTECT-Network.

They are thinking we could be assholes which want to extort their money.

That is not true.

EXPRESSDELISTING IS AN OPTION ONLY, NOT A MUST.

I want to explain how we came to this option called "Expressdelisting".

In UCEPROTECT's early days (August 2001) the blocklists had public "removeme" Buttons, where listees could remove themselves.

As spammers were beginning to abuse that with automated scripts we did secure it with a captcha. Then Spammers did hire persons in India and China to remove their listings manually.

That was the point where my predecessor got rid of "selfremovals" and then everyone was required to contact us to get removed before expiration.

If you ever run a public blocklist, you have clue what this means:

You have to read some thousand removal requests per day, and all these guys are claiming to be completely innocent, and they all have fixed their problems.

Not necessary to say that 90% of them did find their way back into the list within minutes, because they had indeed NOT fixed their problems.

Somewhere in 2003 my predecessor has chosen that the only way to get out would be automatic expiration. You know what happened next, do you?

Some listees claimed that it would cost them thousands of dollars to be listed for a week, but

they would have fixed their problem and they are so sure that their problem is now fixed that THEY WOULD EVEN PAY FOR IT TO GET OUT IMMEDIATELY.

Logic says: One would not waste money if he wouldn't have fixed the problems.

You now know why there is an OPTIONAL Expressdelisting at UCEPROTECT.

We also think we have found a good balance between what is acceptable for someone who has really fixed his problems and needs his email and also expensive enough that spammers would not pay for.

Fees are 50 Euro for a single IP (Level 1), 150 for an allocation (Level 2), and 250 for complete ASN's (Level 3).

You have probably seen that this is a large discount we give on Levels 2 and 3 compared with Level 1, so one can not compare us to BLARS.

And in fact: Most of those who paid have really fixed their problems and learned an unforgettable lesson: NEVER GO ONLINE AGAIN WITH AN INSECURE SYSTEM.

Ok let's come to our reasoning why we run UCEPROTECT-Network.

You know there are many public blocklists available, but they all do it wrong:

Their logic is to just stop infected machines from delivering spam to their users today.

That tactics really sucks because they can very easily be gamed by spam-friendly providers.

It is nothing new that there are providers which are moving their spammers around in their address-space. They have no interest to block spam, because they want the spammers money as they want the money of regular users too.

Our mission is different. We want to stop all spam on this planet. Finally.

We meanwhile got so much popular that getting listed on Level 3 becomes a serious issue for providers.

I can tell you about 5 providers (within the last month) now blocking port 25 on all their dialups after they did end up in Level 3 and they have seen that we are the wrong persons to play games with.

There are 105898 AS-Numbers known at this time, but only between 250 - 300 or other said less than 0.3% are listed in UCEPROTECT-Level 3.

I guess that should tell you enough about them and their way to work.

Most people hate spam, but have no clue who is responsible for that.

Our lookup tool is opening their eyes showing them how deep their own provider is involved in the spam problem or if he is one of the clean ones.

Assuming number of our users is growing the way it did in the last 4 years, then every provider ending up in Level 3 can enjoy his very own intranet latest by 2011/2012.

If that happens, it will be the ultimate end of spam.

This is what we and people using all our Levels for blocking want to happen.

It does not matter to us:

  • If the complete anti-spam industry goes bankrupt after spam will be history.

  • If spam-friendly providers will lose all their customers.

  • If former spammers will have to search for real jobs.

  • If no one can buy faked viagra or rolexes on the net.

  • If UCEPROTECT is no longer needed in some years.

We had good lives before spam came, and we will have good lives after spam will be gone.

So now let's come to the point how I could be helpful for Linode to get off Level 3:

I think you got the hint within this discussion.

Level 3 lists ASN's. At this time Linode doesn't seem to have its own AS, thus suffering from GNAX laziness or incompetence to clean up their mess.

We have no idea how much IP's Linode has, but we know about very small providers owning a /24 only, but having its own AS.

So why does Linode not also do so?

Linode's ranges will fall out of Level 3 automatically, because they would no longer be seen as part of AS 3595.

Claus von Wolfhausen

UCEPROTECT-Network

@kbrantley:

It seems that they've blacklisted the entire AS3595, or in sum, 92,160 IPs because they have complaints about 316 of them.

Any RBL with an "accuracy" rate of 0.00343% isn't one that should be used in my book.

The entire RBL seems like a scam to me…

You should be better informed before posting next time, to prevent you will look like a fool in second place.

How did you come to the consensus it would have an accuracy of 0.00343%?

You know AL IVERSON is one of the most respected blocklist experts in the world?

See his stats for UCEPROTECT-Level 3 here:

http://stats.dnsbl.com/uce3.html

In short it said Level 3 blocked 50.8% spam while it blocked 0.8% ham last week.

So even if it lists complete providers, it looks like UCEPROTECT-Level 3 is a very accurate blocklist and producing very low false positives.

I doubt SPEWS was ever such accurate.

Looks like we have listed the most spammiest ASN's in Level 3, and therefore you should now be informed what to be listed there says about GNAX.

Yours

Claus von Wolfhausen

UCEPROTECT-Network

You have to be kidding me, the GNAX network is used among both tranxactglobal.com and netdepot.com dedicated server companies (among others).

We have over 2000 dedicated servers between the two companies listed above. Each server comes with - by default 5 IPs but many have more as they are hosting servers with SSL etc.

Hell 6 servers with a /26 gets black listed out of ~ 5000 servers on our network between dedicated and colo customers and we are a spam shop.

Even if we had 50 full time abuse staff we could never keep it below that - just not possible - unless we were to click on that little paypal link…

@GNAX|Jordan:

You have to be kidding me, the GNAX network is used among both tranxactglobal.com and netdepot.com dedicated server companies (among others).

We have over 2000 dedicated servers between the two companies listed above. Each server comes with - by default 5 IPs but many have more as they are hosting servers with SSL etc.

Wow, you think it is ok for someone having 2000 dedicated Servers resulting in 342 spamming IP's per week, do you?

See here:

http://www.uceprotect.net/en/rblcheck.php?asn=3595

@GNAX|Jordan:

Hell 6 servers with a /26 gets black listed out of ~ 5000 servers on our network between dedicated and colo customers and we are a spam shop.

Even if we had 50 full time abuse staff we could never keep it below that - just not possible - unless we were to click on that little paypal link…

I do not see what you want to tell me with this 6 Servers ~ 5000 Servers example, but even if you click that paypal button, you would be back in a short timeframe, if you have not fixed your problems in first place.

For my understanding you are a datacenter and having lots of virtual servers on your dedicated servers.

That means you will have also many people as customers which never heard about insecure scripts, mysql injections and similar attacks.

You can not expect those to become security experts.

Hell they are endusers expecting you to protect their servers.

Why do you think you have to wait for abuse to happen and investigating afterwards?

That approach might have worked in 1995 but not in 2007.

You have to install preventive measures, so that your endcustomers lack of competence will not allow spammers to abuse your ranges.

Have you ever heard of MODSECURITY?

What do you think will happen if you install it on all your servers by default?

I can tell you: You might be able to run the abuse-department for 2000 servers as a one or two man show.

Modsecurity filters all kinds of attacks against webservers, even 0 day exploits are no longer a problem.

Even if some lame customers are going to install formmails of 1997 you wouldn't have a problem.

Best of all: MODSECURITY IS FREE!

So running a datacenter without modsecurity is just UNPROFESSIONAL.

Cheers

Claus von Wolfhausen

UCEPROTECT-Network

Face it, blocking thousands of legitimate mail servers does nothing but destroy the credibility of your blacklist. You think you're being hard on spammers but in reality you're being hard on those who would actually use your blacklist, destroying its usefulness.

Sorry, I'm not buying your arguments.

@NecroBones:

Face it, blocking thousands of legitimate mail servers does nothing but destroy the credibility of your blacklist. You think you're being hard on spammers but in reality you're being hard on those who would actually use your blacklist, destroying its usefulness.

Sorry, I'm not buying your arguments.

Why do you assume that it would be thousands of legitimate mail servers in a datacenter?

Experience tells me that most servers found in datacenters by today are nothing but webservers.

They have MTA's installed because almost every distribution does so by default, not because they would be really needed.

No one reasonable would use a vserver in a datacenter to send important mails, because he would always be at risk to end up in point blocklists as SPAMHAUS, SORBS, SPAMCOP or even UCEPROTECT-Level 1, as soon as one of the other customers hosted on that machine installs a 1997 formmail and spammers abuse it.

So what important mail can we expect to come from a datacenter which has such a bad reputation that it got listed at Level 3?

I have not seen a single one up till today, but lots of spammails instead.

So the facts are that we are listing thousands of webservers where more than 300 of them have massive security holes.

As said an MTA from the default installation doesn't make a Webserver a legitimate Mailrelay.

Cheers

Claus von Wolfhausen

UCEPROTECT-Network

> No one reasonable would use a vserver in a datacenter to send important mails, because he would always be at risk to end up in point blocklists as SPAMHAUS, SORBS, SPAMCOP or even UCEPROTECT-Level 1, as soon as one of the other customers hosted on that machine installs a 1997 formmail and spammers abuse it.

Given that each virtual machine has its own IP address, why would linode1 on hostA cause linode2 on hostA to appear in the black list? 1.2.3.4 is different to 1.2.3.5 and whether they're physically different colocated boxes or virtually colocated boxes makes no difference.

Unless the blacklist expands to cover the /24, /16, /8…

Oh wait. That's your model.

@sweh:

Given that each virtual machine has its own IP address, why would linode1 on hostA cause linode2 on hostA to appear in the black list? 1.2.3.4 is different to 1.2.3.5 and whether they're physically different colocated boxes or virtually colocated boxes makes no difference.

Unless the blacklist expands to cover the /24, /16, /8…

Oh wait. That's your model.

Ok let's see the facts:

It was told to me that each of the dedicated servers would come with 5 IP's. You want to tell me that every vserver there has its own IP?

You should also see the advantage given to you from UCEPROTECT (free of charge) :

Finally GNAX seems to have cleaned up their act after they got listed at UCEPROTECT-Level 3.

The daily expiration routine has delisted them about 1 hour ago, because there are only 85 abusers left where 184 would trigger a Level 3 listing.

That is not clean, but it is a beginning.

http://www.uceprotect.net/en/rblcheck.php?asn=3595

I guess they will better watch out next time, so you should now have better chances than ever to get your mails delivered to the world, even if you would use your webservers to do so.

Cheers

Claus von Wolfhausen

UCEPROTECT-Network

> You want to tell me that every vserver there has its own IP?

YES every Linode has its own IP, and most of us use our Linodes for all kinds of server-y stuff, especially and including sending mail.

Your ridiculous assumptions about what people should do with their server presences is as asinine as Verisign assuming that the Internet is just for surfing the Web.

I'm not going to get into the fact-throwing nonsense, but I will say that Uceprotect is doing the wrong in this situation.

@Claus von Wolfhausen:

Ok let's see the facts:

It was told to me that each of the dedicated servers would come with 5 IP's. You want to tell me that every vserver there has its own IP?

Umm, GNAX didn't mention vservers at all. (and he mentioned 5 by default, with others having more).

You mentioned vservers. This is linode. On linode every vserver gets its own IP address.

@JDM:

I'm not going to get into the fact-throwing nonsense, but I will say that Uceprotect is doing the wrong in this situation.

Of course he is. He's been laughed at all through nanae. We won't convince him that he's in the wrong (and I wish he hadn't come here to bring his fight to this place).

Fortunately anyone who uses his RBLs isn't serious about getting their mail delivered, so I don't care. I just laugh at them, and maybe try to educate them. Fortunately all the clued people I know also laugh at him.

@sweh:

Of course he is. He's been laughed at all through nanae. We won't convince him that he's in the wrong (and I wish he hadn't come here to bring his fight to this place).

Fortunately anyone who uses his RBLs isn't serious about getting their mail delivered, so I don't care. I just laugh at them, and maybe try to educate them. Fortunately all the clued people I know also laugh at him.

I find it amusing, in a way, that he's come to the forum of a service filled largely with clueful people (clueful due to the nature of how linode works), to defend blocking a large fraction of us, despite us not being spammers. There's a sort of tragic irony in that.

@Claus von Wolfhausen:

Experience tells me that most servers found in datacenters by today are nothing but webservers.

Then maybe you are looking at the wrong datacentres.

What makes a vserver any different than a physical server? Today's technology allows 40 vservers to run on one physical server. Tomorrow we'll be running 400 vservers on a single server. The big iron guys have already demonstrated thousands of vservers on a single machine.

The physical servers of today will certainly be (and are already) replaced by vservers. We use our vservers for our company mail, cvs repositories, ipv6 tunneling and sometimes web servers.

Think about it.. where are mail servers hosted? My ISPs mail servers all sit in a datacentre. My company's mail server sits in a datacentre. In fact most mail servers sit in a datacentre.

–deckert

They have us blacklisted again.

@NecroBones:

They have us blacklisted again.

Hardly anybody cares - they are totally irrelevant - their bizarre policies and extortionist business model cause sensible providers to ignore them.

Kind of interesting thread you revived from the dead though… it shows that they care more about mud slinging than actually giving good answers (his post on the first page saying that there is only one ip per host… if he's going to walk into a company's forum, you would think he would do some research first)

There are much much better ways of combating spam than with blacklists actually. Blacklists are reactionary and as demonstrated with this joker at UCEProtect destructive to your business if you actually use them. It goes down to behavior and patterns in the actual email, much like how anti-virus is done nowadays.

My two bits for what it's worth ;)

Some blacklists are ok though, like Spamhaus' PBL… that list stops a lot of malware infested Windows boxes from getting spam through.

@mwalling:

Some blacklists are ok though, like Spamhaus' PBL… that list stops a lot of malware infested Windows boxes from getting spam through.

The problem is not some hundred hacked boxes, the problem is that your UPLINK GNAX is hosting a major spammer with some hundred IP's at this time.

Have a look at the IP's which are causing the problem and see what you get as PTR's:

http://www.uceprotect.net/en/rblcheck.php?asn=3595

Scroll down complete to see the IP's which got listed at Level 1 and so causing the problem.

So let's see some of the IP's and decide what it is:

63.247.64.65 mail1.awesomemktg.net

63.247.64.66 mail2.awesomemktg.net

and so on some hundreds more of that one..

Now let's look to whom you can say THANK YOU for being listed:

Domain Name: awesomemktg.net

Registrar: Name.com LLC

Expiration Date: 2009-04-28 00:00:00

Creation Date: 2008-04-28 16:06:07

Name Servers:

ns1.awesomemktg.net

ns2.awesomemktg.net

REGISTRANT CONTACT INFO

Inet Advertising

Domain Administrator

234 Morrell Rd.

Suite 160

Knoxville

TN

37919

US

Phone: +1.6155126750

Email Address: inetadvertising.admin@gmail.com

63.247.64.100

and let's see who is that:

Domain Name: differentmktg.net

Registrar: Name.com LLC

Expiration Date: 2009-04-28 00:00:00

Creation Date: 2008-04-28 16:06:08

Name Servers:

ns1.differentmktg.net

ns2.differentmktg.net

REGISTRANT CONTACT INFO

Inet Advertising

Domain Administrator

234 Morrell Rd.

Suite 160

Knoxville

TN

37919

US

Phone: +1.6155126750

Email Address: inetadvertising.admin@gmail.com

Let's pick another IP from that space …

63.247.95.100 mail4.mailingsforconsumers.net

Domain Name: mailingsforconsumers.net

Registrar: Name.com LLC

Expiration Date: 2009-04-13 00:00:00

Creation Date: 2008-04-13 16:33:56

Name Servers:

ns2.mailingsforconsumers.net

ns1.mailingsforconsumers.net

REGISTRANT CONTACT INFO

Inet Advertising

Domain Administrator

234 Morrell Rd.

Suite 160

Knoxville

TN

37919

US

Phone: +1.6155126750

Email Address: inetadvertising.admin@gmail.com

If you will do the work and have a look to that list above then you will find that GNAX did lease some hundred IP's to a well known spammer.

Claiming they would not have known about that is futile.

The PTR's given should have been warning enough to know that it will be no brave customer.

All of the domains within the complete Listings were registered less than 3 months ago and for only one reason - spamming.

Spammers lie and so does GNAX.

GNAX wants YOUR money, but they also want spammers money.

They did exactly know that they will end up in UCEPROTECT-Level 3 again if they will give complete /24 Networks to spammers again as they did it one year ago too.

It might be a good idea if Linode would search for a better uplink instead.

Companies using our lists do exactly know why they are using UCEPROTECT and you will not get them to drop us, because UCEPROTECT works for them.

Have a look at AL IVERSON's independent statistics:

http://stats.dnsbl.com/uce3.html

That translates to: UCEPROTECT-Level 3 (which lists complete providers) has blocked about 40% spammails, but less than 0.3% false positives

Could that mean that those some hundred providers which manage to end up in Level 3 are responsible for 40% of the global spam, but less than 0,3% real mail came from their networks and ranges?

Wow… look who crawled out of his hole in the Iraqi desert…

Claus, it's a small forum, you don't need to post the same propaganda twice. And, since you seem hellbent on attacking GNAX, http://www.linode.com/forums/viewtopic.php?t=3447 is actually referring to a HE IP address.

I still find it amazing that he's coming here, trying to convince us that it's OK to block us because of spammers that are at least two steps removed from us.

Take the hint, it's not our problem, because we have no control over this whatsoever. If you were to extend the same logic all the way up the chain, you might as well add the entire internet to your blacklist, because it's the whole world's responsibility to combat spammers.

@NecroBones:

you might as well add the entire internet to your blacklist, because it's the whole world's responsibility to combat spammers.

Sounds like UCEPROTECT-Level 4 just got invented ;)

You'll be safer with UCEProtect Level 5 - stops those Martian and Venusian spammers dead in their tracks.

Let's let the sponsors of UCEPROTECT know what we think of who they sponsor. The list of sponsors can be found here. http://www.uceprotect.net/en/index.php?m=11&s=0

AUSTRIA

AT-Mirror 2 - Foltec GesmbH

CANADA

CA-Mirror 1 - Admins WebSecurity GbR

CA-Mirror 2 - iWeb Technologies Inc.

FRANCE

FR-Mirror 1 - Cisneo.fr

GERMANY

DE-Mirror 1 - Blindi Net Project

DE-Mirror 2 - Cosimo GmbH

DE-Mirror 4 - I-NetPartner GmbH

HUNGARY

HU-Mirror 1 - Nordtelekom Ltd

MEXICO

MX-Mirror 1 - Suavemente Networks

PHILLIPINES

PH-Mirror 1 - Bitstop Network Services

SWITZERLAND

CH-Mirror 1 - Your-Web GmbH / Swiss Computer Services AG

USA

US-Mirror 1 - Net Services Group

US-Mirror 2 - AntiSpamTech

US-Mirror 3 - Cari.net

US-Mirror 4 - Cari.net

US-Mirror 5 - VIRTBIZ Internet Services

US-Mirror 6 - Suavemente Networks

US-Mirror 7 - Egihosting

US-Mirror 8 - Sprocket Networks, Now powered by AppServe Technologies, LLC

US-Mirror 9 - Singlehop.com

US-Mirror 10 - Marlin eSolutions

US-Mirror 11 - Netriplex

US-Mirror 12 - Wholesaleinternet.com

US-Mirror 13 - CPC Technology

Also "thank you" to Phil Marsh, Snowdon Consultants Ltd for proofreading and correcting the English version of the website.

To Whom It May Concern:

The company you are sponsoring has several people trying to get together and file a class action lawsuit against this company due to their methods of operation. Listed below are several comments including UCEPROTECT on their methods of operations along with comments on what people think of this company.

From UCEPROTECT themselves…

People that use UCEPROTECT (BACKSCATTERER) go with level 1 or level 2 of filtering because level 3 is too aggressive by blocking out entire IP blocks instead of specific IP addresses as they should do. (http://www.uceprotect.net/en/index.php?m=3&s=5) They themselves gave this warning about level 3. …This blacklist has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users when used to block email….

Here is a list of IP addresses currently being blocked by them. I pasted them into Microsoft Excel to see how many are black listed and it went way beyond Microsoft Excel’s limit of 65,536. You can find the list here. (http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz)

Here are some links of people’s comments on BACKSCATTERER along with some quotes about their tactics of extorting money which I myself have paid also. ($74.97, which I found out after paying they want on a monthly basis. I should consider myself lucky because I found out that they used to charge $200 per month) There are people rallying out there to bring up a class action lawsuit against them.

http://www.webhostingtalk.com/showthread.php?t=713833

…We used to use uceprotect but we found waaay too many false positives because of very large, blanket listings We had to remove it from our list of used RBLs…

http://forums.contribs.org/index.php?topic=44585.0;wap2

http://www.smartertools.com/forums/p/21852/58371.aspx

…I actually was using the exact same set of RBL's, but after a while I found out that UCEPROTECT1 repeatedly listed the smtp servers of some major ISP's here (NL). Of the unique hits of this RBL (not in any of the others), about 50% was a false positive, so I removed it. I have not yet encountered similar problems with Zen, Spamcop and PSBL….

http://www.linode.com/forums/archive/ot/t2863/start_0/index.html

…This is an extortion racket along the lines of sorbs.net. This 'anti-spam' service may well be run by spammers - with their strange understanding of legal matters, poor grammar, and payment by PayPal - they sure act like spammers….

http://www.jvfconsulting.com/blog/59/UCEPROTECTNetworkSpamListIsThis_Extortion.html

…JVF has never heard about UCEPROTECT until now. Their practices are bordering on extortion. Ourselves, as well as others in our same situation, feel that a class action lawsuit should be brought against them. Their method of blocking the entire ISP's IP range just because of a similar users IP is unacceptable and against every rule in the spam book. Below you can see the hoops we have been jumping through to get our IP address removed from their blacklist….

…OK, so we're listed on their blacklist, this is not the first time we have had to remove an IP address we manage that has been incorrectly added to a blacklist, so what is the process? As you can see in the screenshot below, they want us to pay 150.00 € Euro's (EUR) to process our request and remove our IP address. That's almost $200 dollars! This is totally unacceptable, and quite possibly illegal! We are aware that some IP addresses are definitely more suspicious than others, but you wouldn't want to filter mail from them without a little further evidence (like seeing some spam from them)….

…It is borderline extortion. The only people who pay are the admins that don't know any better….

…These people are crooks and probably run by the same people that create spam. No respectable hosting company should use them for blacklists.

They have no legitimate reason for listing an IP and can offer no proof or information for fixing the so called offence (even if you pay 150$ for it).

There are many scams on the Internet and UCEPROTECT is one of them….

http://www.dnsstuff.com/forum/index.php?topic=1366108.0 (This quote came from UCEPROTECT themselves when they visited the forum to defend themselves. If no reasonable person should use level 3 then why offer it???)

…This means no reasonable Person should use Level 3 for BLOCKING….

http://www.dnsbl.info/forum/viewtopic.php?f=6&t=1020

Here is a comment from my tech support on UCEPROTECT which powers BACKSCATTERER. MIPSPACE also uses BACKSCATTERER.

. . . Hello,

While the server is listed at UCEPROTECT, there is very little we as a company can do. They run their blacklists only as an effort to make money. We've tried to work with them before and it all comes down to them wanting money to do something that is automated in the first place. We have repeatedly asked them for logs/evidence/proof and they adamantly do not provide any. Armed with this information, upper management refuses to deal with such unscrupulous companies. . . .

Thank you for your time,

Michael

I don't think that it is a coincidence that right after I voiced my opinion on UCEPROTECT that they blacklisted me on level 1, 2, and 3.

What do you think? This DEFINITELY shows questionable behavior!

Michael

He doesn't seem to understand that we're not GNAX's customers either.

I have no business relationship with GNAX. I rent a VPS from Linode, and Linode hosts their hardware at NAC.

It's like saying "We do not allow customers from Canada because of an action taken by a citizen of the United States. You're on the same continent as them, your continent supports this sort of action, so your country should choose a different continent."

lol someone got bent enough to make this: uceprotect.wtf

I feel bent too. We have 13 servers with Linode. All of the IPs are blacklisted with UCEPROTECT.NET (dnsbl-3.uceprotect.net).

This has become a major problem for us, as a service we use with the email provider INTERMEDIA is detecting that we are on this blacklist and therefore not whitelisting our IPs to send email from web servers.

Intermedia itself monitors our email sending and has from time to time detected an errant form that was penetrated by spammers. We have then fixed the issues. But this is a rare event. We run a full security suite for all of these WordPress sites, and use AKISMET which knocks down 99.9% of bad form submissions. These servers simply aren't spamming and yet the IP is listed with UCEPROTECT - but no other blacklists.

I don't know why some providers include them in their blacklist checks, but I will lobby Intermedia to remove it.

I realize that Linode cannot control this uceprotect blackhat behavior, I just wanted to contribute our experience.

Best,
James
Director, Colophon New Media, LLC

This thread is 14 years old. There are a couple of other threads on this topic. You can search for them…

> These servers simply aren't spamming and yet the IP is listed with UCEPROTECT - but no other blacklists.

This is because UCEPROTECT is an extortion racket. Instead of blacklisting single IPs or subnets, they blacklist entire ASNs. My Linode has two IP addresses: IPv4 and IPv6. Yours probably does as well. For my Linode:

  • its IPv4 network contains 16384 addresses; and
  • its IPv6 network contains 1267650600228229401496703205376 IP addresses.

Linode's ASN has 131 networks in it. If all of them are similar to these two, you can see that blocking more IP addresses than there are stars in the galaxy for one instance of spamming is just ridiculous. UCEPROTECT wants money for Linode to be de-listed from their blacklist…with no guarantee that, after the ransom is paid, Linode's ASN won't land right back on UCEPROTECT for violating their state-secret criteria for determining if a sender's IP address is spamming. It's a clear instance of extortion…

Consequently, Linode won't pay the ransom. Linode's ASN goes on and falls off UCEPROTECT periodically (right now it's on). No one in their right mind should use or pay attention to UCEPROTECT. None of the big email operators pay any attention to them, you shouldn't either. Maybe if their income stream dries up, they'll crawl back into the ooze from which they emerged and leave the world alone.

UCEPROTECT is not about stopping spam…it’s about generating income for the operators.

-- sw

I have two servers on Linode - not a lot compared to most of you. Both IPs are in subnets listed in their Level-3 BL. The only thing I can do is pay about 50CHF every 6mo to have one of them whitelisted and use it as a mail relay. Since I have one server running as a spam filter gateway, that is the one I white listed.

It appears that Microsoft uses uceprotect.net for black listing. Without the whitelist I am blocked from sending email to any microsoft domain. The automated removal from the MS black list is always denied, and I push for escalation. Never get a response. uceprotect.net LEVEL 3 is the only black list I am on, and that is not even related to me.

Personally, I see what they're doing as extortion. It is ridiculous that we are being strong armed using criteria that isn't even attached to our provider. It is like paying the mafia for protection.

@netzarim --

> Personally, I see what they're doing as extortion.

Yep. It's a scam.

> It appears that Microsoft uses uceprotect.net for black listing.

Correlation != Causation.

M$ does not use UCEPROTECT. Periodically, UCEPROTECT will blacklist Office 365 IP addresses (looking for a big payday I suppose). Why would M$ initiate something like that?

More likely, you're caught in M$s "bad IP reputation" black hole (the details of which are a Redmond state secret).

> The automated removal from the MS black list is always denied

You're just a puny user to M$. I'll bet if you waved, say, $500K (US) in front of them, you'd get a response pretty quickly. That's not to say M$ would resolve your problem, but you would get a response.

> and I push for escalation. Never get a response.

Your requests are probably going into one of the many dead receptacles for this kind of stuff. M$ knows all and knows best. They don't care what you think or want. They only care about $$$.

The operators of this nonsense are in India somewhere and they have to justify their existence to the mothership in Redmond periodically…so idiot stuff like this is the norm -- not the exception. The facility (whichever one it is) is also staffed largely by junior people (all of whom seem to be no lower in the hierarchy than Senior Vice President) and contractors. Neither group can tie their shoelaces without emailing Bill Gates first to ask how. Neither group could make a decision to abandon a sinking ship if that's what was called for. Got the picture yet?

> uceprotect.net LEVEL 3 is the only black list I am on, and that is not even related to me.

Welcome to the club! EVERY Linode IP address is on UCEPROTECT. Part of their scam is to block Linode's ASN (autonomous system number -- every address in every network Linode operates). Look how long this thread has been in existence…nearly 15 years. This gives you an idea of how long this has been going on.

My only suggestion is to try IPv6 to send the emails you want. My Linode's IPv6 address is not on UCEPROTECT. However, your experience with M$ may be exactly the same. You could also ask Linode support for their intercession with M$…that seemed to work the last time (it took quite a while, however). Linode won't deal with UCEPROTECT because it's an extortion racket. You shouldn't either. You shouldn't even contact them.

-- sw

I have managed to get Microsoft to remove my server from their blacklist several times. Each time this happens the entry is removed from UCEPROTECT at the same time. This is suspicious.

As for how to accomplish this, I have no idea. It's pure 1% luck that the right service agent gets your request and processes it. Even then it will eventually reappear on the blacklist so what's the point.

I have all but given up which is exactly what the big profit mail providers want. I have even tried collecting IP addresses that are not on any blacklist at all and even if they are never used for anything, given some time they magically appear on UCEPROTECT. I believe the act of checking an IP address against UCEPROTECT is enough to get it listed. I wouldn't rule out collusion but nobody seems to care or understand the issues involved. This scam has been going on for far too long.

To be fair, I do see cases where a server is not on any blacklist at all and Microsoft (or whoever) still blocks it. This is the pain.
