ISP LINODE-AP Linode, LLC, US/AS63949 is UCEPROTECT-Level3 listed because of a spamscore of 85.4
Any idea what is being done to resolve this issue?
Verizon is just declining email because of the RBL hit.
Reason for listing - Your ISP LINODE-AP Linode, LLC, US/AS63949 is UCEPROTECT-Level3 listed because of a spamscore of 85.4. See: http://www.uceprotect.net/rblcheck.php?ipr=66.228.55.170
Express delisting of AS63949 from UCEPROTECT Level 3
Your abuser / user ratio is exorbitant high, or you react much too slowly or not at all to abuse that originates from your infrastructure.
We expect some minimum standards from soneone claiming to be a professional provider.
Due to the facts that you do not reach our standards, we and many of our users have chosen to no longer allow smtp-traffic from all your IP's and ranges.
See above how much abuse we are willig to tolerate as a maximum by an provider of your size.
In todays Internet it is no longer acceptable to sit down and wait for abuse to happen.
We often get to hear the argument: We are so hugh, and we have so many home users, it is almost impossible to create effective measures to prevent spam.
This statement is simply wrong and an excellent good example for a large but clean provider is DTAG (ASN 3320):
DTAG has about 34 million IP's and the majority of their customers are likely to be home users.
In spite of this size you can nowadays see almost no spam from the DTAG address space.
Let's see DTAG (ASN 3320) here.
An even more stunning example for a large but clean provider is Microsoft (ASN 8075):
Microsoft has about 37 million IP's and they are likely running Windows, which is a primary target for cybercriminals, due to its high distribution.
In spite of this facts you can nowadays see almost no spam from the Microsoft address space.
Let's see Microsoft (ASN 8075) here.
The question must be: If really big providers like DTAG and Microsoft can so effectively prevent that their customers are sending spam, why can you not also do so?
To get escalated to Level 3 is almost always an indicator, that you don't act fast enough on abusers.
To prevent responsible providers to end up in Level 3, we did install a provider protection.
In the case of new listings in Level 1, the 4 hour provider protection first takes effect.
That means no further IMPACT from that IP is initially counted for 4 hours.
This gives the provider 4 hours to disconnect the abuser before further IMPACTS are counted from that IP.
The impact counter can therefore only increase by a maximum of 1 per 4 hours per IP on new Level 1 listings.
Anyway our patience is limited, so if there is still abuse detected from said IP, 24 hours after it was listed in Level 1, the provider protection is reduced to one hour.
Finally we are fed up with it, if the IP is still detected because of abuse after 48 hours in Level 1, so the provider protection is no longer applicable and every impact is counted indefinitely.
You should therefore act immediateley on every Level 1 listing to prevent that even a manageable number of abusive IP's will get your ASN up to Level 3 by skyrocketing the impact counter.
Make sure to keep an eye on the listings in Level 1. You can find a link that gives you a detailed overview of all Level 1 listings and impacts by scrolling to the bottom of this page.
If you want to become an accepted provider with a good reputation, we recommend you should install some preventive measures.
Click here to see what you can do to prevent the big abuse originating from your ranges.
You are at highest risk to lose your customers to your competitors, so you should act immediatley latest now.
How can our total IP-space be removed from UCEPROTECT-Level 3?
After you have fixed your massive problems, listing of your ASN in UCEPROTECT-Level 3 will be removed automatically and free of charge as soon as the causal Level 1 listings and with them their Impacts will expire and decrease below Level 3 escalation limit.
Every IP temporary listed at Level 1 expires 7 days after we have seen the last abusive action originating from it.
Automatic expiration is free of charge, because it does not require manual work.
If you don't want your users to be affected until the free expiration, you can optionally order expedited express delisting if offered, which is charged a total of per ASN and we strongly recommend that you collect these charge from your abusers.
Orders for expedited express delisting are processed by external service providers, therfore it cannot be offered for free.
Please note that it is important that really all problems which have caused the Level 3 listing are fixed in first place, otherwise your complete IP-space might end up in Level 3 again within a short timeframe.
23 Replies
I will echo the sentiments of others who have weighed in on this subject that this looks like a shakedown scheme. It makes absolutely no sense to blacklist an entire ASN in response to a report about a single IP address. None of these RBL services do this:
- zen.spamhaus.org
- cbl.abuseat.org
- bl.spamcop.net
- dnsbl.sorbs.net
What's posted above seems designed to have a single purpose -- extort "express delisting" fees from the ASN owners/operators.
I'll bet the UCEPROTECT marketing staff makes people offers "they can't refuse" too. What makes otherwise normal, intelligent people fall for s*** like this? Oh right…$$$$…or the (mostly false) promise thereof…
IMHO, if Linode is to do anything, it should be to start/join a class action to put these slimeballs out of business. @Chris_the_other_one…the only thing you can do is try to convince Verizon that they've done something really stupid by signing up with UCEPROTECT. Good luck with that…
-- sw
I've had a bit of a problem lately sending mail to a friend with a Hotmail address. Even though I've never had any spamming activity on my server that I can identify, Microsoft won't delist my IP address. I went digging further and found through MXToolbox that apparently the entirety of Linode has been blacklisted by these UCEProtect chuckleheads. Especially troubling was this bit:
Uceprotectl3 Accepts Payments Or Donations
This blacklist does support a manual request to remove, delist, or expedite your IP Address from their database upon Payment or Donation of fees to their organization. Please note the following; 1) MxToolBox does not in any way advocate the paying of removal from any blacklists. 2) Removal requests that are submitted without addressing the core problem will likely result in your IP Address being relisted in the database which can cause subsequent problems and extended listing periods without release.
I found that to be the case under their so-called "whitelisting" page:
Since your IP wasn't directly involved in abuse, you can exclude your IP from neigborhood blocklists as UCEPROTECT Levels 2 and 3 and others that are importing our whitelist, by registering your IP with us.
Registration is available for 1 Month (25 CHF), 6 Month (50 CHF), 12 Month (70 CHF), 24 Month (90 CHF)
If you have no evidence (by your own admission) that my host hasn't been sending spam, why are you shaking me down for money? It's a small wonder that they're charging in a fiat currency; scams of this sort usually want you to send cryptocurrency nowadays.
Legit DNS RBLs have never sought to extort money from anybody. I'm currently using zen.spamhaus.org and bl.spamcop.net to filter my incoming mail, and I've used some of the blackholes.us country blocklists in the past. I think there may have been one instance where I landed on a somewhat obscure blocklist, and even then that was cleared up at no cost to me.
Our IP 50.116.44.96 got listed in their UCEPROTECT-Level3 whole ISP network trap as well. Please do something about them.
This is really unbelievable. Why is Verizon or any large ISP going to listen to only one blacklist database and not an average score?
Probably some employee at Uceprotectl who found a blog post on Linode cloud that he was offended by smh
@xanugu writes:
This is really unbelievable. Why is Verizon or any large ISP going to listen to only one blacklist database and not an average score?
Because the people at Verizon who manage such things wouldn't know a blacklist and spam scores from traffic lights. They're all bean counters…
-- sw
Uceprotectl is a big scam corp, safe to ignore them.
From what I'm seeing, it seems like Microsoft and Verizon, for two, seem to use their blacklist as gospel. I'm not sure how it's safe to ignore them.
@monkeyangst --
You write:
From what I'm seeing, it seems like Microsoft and Verizon, for two, seem to use their blacklist as gospel. I'm not sure how it's safe to ignore them.
I self-host email on Linode and I've never had any problem with Micro$oft…although I rarely send email to microsoft.com though. I send lots of email to domains managed by outlook.com, hotmail.com, msn.com, etc & never had a problem.
I have SPF, DKIM and DMARC correctly implemented for all in-/outbound mail. Since I have some background in email spam defenses, I try to keep on top of the latest trends. postfix(1) makes it pretty easy to drop some-filter-or-other that implements the latest/greatest spam defense in the message-processing pipeline pretty easily.
-- sw
I just sent a message to foo@verizon.com from my self-hosted email on my Linode. It bounced of course…that's what I expected. What I wanted to see is if the message got blocked by UCEPROTECT before it got bounced due to an unknown user. It didn't.
However, I found out that Verizon.com email is hosted by Proofpoint. Proofpoint has an official position on UCEPROTECT that can be found here:
-- sw
I self-host email on Linode and I've never had any problem with Micro$oft…although I rarely send email to microsoft.com though. I send lots of email to domains managed by outlook.com, hotmail.com, msn.com, etc & never had a problem.
To clarify: Your IP is on the "UCEPROTECT Level 3" list like mine is, but you are nonetheless able to send mail to @hotmail.com addresses? Interesting. I would be very interested in speaking further if that's the case.
Our IP has just been added to the "UCEPROTECT Level 3" list with probably less than 100 emails sent altogether (at least 75% of these are internal). How can this be considered SPAM? Couldn't it be that we are missing something in the configuration? I doubt it; we have the spf, dmarc, and dkim files properly configured. It is hard to belive that in today's world we are at the merci of UCEPROTECT®
Here we go again.
Domains hosted on Linode blacklisted on UCEPROTECTL3.
More email deliverability BS that has no justification in reality.
Cheers
Since there does not seem to be a way for Linode to get off of the UCEPROTECT scammers, perhaps you should do what I do and get yourself a low-cost shared-hosting ISP (i.e. we use pair.com… $5/mo.) and use it for in/out email. Set up the MX record wherever your nameservers are and that's that.
And more blocking of our IP address clients cannot send legitimate business email as the subnet our Linode IP is provided from is blocked again it seems.
This time any address @me.com is blocked by proofpoint.
status=deferred (host mx02.mail.icloud.com[17.56.9.19] refused to talk to me: 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?
I have raised a case but hold out little hope as we are blacklisted on UCEPROTECTL3. Which is the only blacklist we are on from over 200!
Linode can you please find the spammers and ban tehm so the rest of us can get back to work.
Cheers
Spart
As it is well-established that UCEPROTECTL3 is a shakedown scheme operating outside the US, there are probably no spammers to expose and/or shut down. See:
https://www.linode.com/community/questions/20952/linode-blacklisted-on-uceprotect-rbl
-- sw
Email being sent to gmail getting the Spam treatment too.
My email to Gmail is getting through…from the Fremont, CA DC. When UCEPROTECT blocks Linode, they block the whole ASN.
I confirmed that Linode's ASN is, indeed, listed on the UCEPROTECT Level 3 blacklist (seems to be a permanent listing these days). If Gmail were honoring UCEPROTECT Level3, my email would bounce as well. That's not happened…and I've tested this multiple times since I saw your post.
I suspect you may have something else wrong… Gmail is pretty picky about senders conforming to their requirements. I've also read that Google is starting to crack down (impose usage limits) on volume senders using Gmail as a free relay.
-- sw
It seems Linode has been listed in UCEPROTECTL3 again. Can someone from Linode do something or help us?
It seems Linode has been listed in UCEPROTECTL3 again. Can someone from Linode do something or help us?
UCEPROTECT is an extortion racket. Why should Linode pay blackmail? That seems to be the only solution (according to UCEPROTECT).
-- sw
I've had my first email bounce and I think it's because of this.
The email had:
<info@2thdental.co.uk>: host mx01.hornetsecurity.com[94.100.132.8] said: 554
5.5.4 Your IP 109.74.203.221 address has a bad reputation. To unblock visit
http://cloud-security.net/unblock&d=6&e=109.74.203.221-mx-gate81-hz1
(in reply to end of DATA command)
I did raise a support ticket with Linode and have been slightly disconcerted that 18 hours later, I've had no response at all so I searched here to see this post…
I'm not sure whether hornetsecurity use uceprotect to evaluate "bad reputation" or not. I've put in a delisting request, we'll see how long it takes.
Linode's entire ASN (AS63949…according to ipinfo.io, 637696 IP addresses) is listed in UCEProtect. The reason for this is that UCEProtect is an extortion racket and Linode/Akamai won't accede to the blackmail (because, as with all blackmailers, paying the extortion is no guarantee that the situation will be resolved).
-- sw