How to rectify UCEPROTECT-Level 3 listing of IP addresses
Our Linode IP addresses are being listen on UCEPROTECT at Level 3 which apparently means that the individual server IP addresses are NOT part of any abusive action but it is the provider which got UCEPROTECT-Level 3 listed.
According to http://www.uceprotect.net/en/index.php?m=3&s=5:
This blacklist has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users when used to block email.
The current spamscore of our IP addresses is 181.3
UCEPROTECT level 3 automatically lists all IPs assigned to an AS number as soon as its SPAMSCORE is 50 or higher , and (to avoid mini providers being listed because of 1 or 2 spammers) at least 50 impacts of IPs which are assigned to the AS number have been listed in level 1 in the last 7 days.
The current Autonomus System Number of Linode is 63949
The SPAMSCORE is calculated using the following formula:
(Level 1 impacts from this ASN / total IPs in this ASN) * 100000
The resulting number is rounded to one decimal place.
Any advise on how to remedy this situation?
Thank you!
3 Replies
✓ Best Answer
There's an entire thread on this but please don't post there. There really is no solution to this problem, and the consensus seems to be that UCEPROTECT is a scam, and shouldn't be dealt with or trusted.
The entire 198.74.52.0/22 subnet has been blocked by Microsoft and is also on the UCEPROTECT black list. From our experience, this happens frequently with Linode the last 2 years. Just from the security logs on our own linode servers, there are many "research scanners" on linode's network now. They constantly port scan and search all IP addresses for vulnerabilities. This causes large numbers of Linode's IP addresses to be blocked; adversely impacting us real customers who are not sending spam. I have reported the research scanners to linode before, and they do not stop them from scanning, they just say they will give the research scanner my IP address and ask them to not probe it. That doesn't solve the problem as the research scanners probe Microsoft's network and 10's of thousands of other IP addresses every day, and then the IP address range is blocked. I suggest you sign up to use a 3rd party email sending service (thereby using other IP addresses for your email) or move away from Linode as this problem is going to continue happening as long as the research scanners are on their network.
this problem is going to continue happening as long as the research scanners are on their network.
I'll just say scanning is definitely needed to actually test and troubleshoot firewall(s) and isn't just used by legit security researchers or bad actors. That being said obviously some behaviors should make it totally possible to identify the bad actors, such as scanning specific networks like Microsoft or even just scanning a bunch of different networks depending on how strict Akamai wants to be. Also some of what you described could be the result of a compromised vps so it might not always be the person who owns the account (which can still be addressed by Akamai of course).
Also I'm not sure how many skids vs actual security professional or students are actually using that pre-built Kali image…