UCEPROTECT Fake Reports

randvegeta Member, Provider

So our ASN is once again listed by UCEPROTECT.

Decided to check out the offending IP list and I null routed all the IPs (only 8) that were listed and causing me grief.

Null routed over a week ago and not only are all the IPs STILL listed... the report CLAIMS to have impacts in the last 24 hours! How's that even possible? How does a null routed IP engage in SPAM?

To be 100% sure, I shut down the physical servers that are on those IPs, not just null routing. 24 hours later, and I still see NEW reports.

So beware trusting UCEProtect when their listing of IPs can be that of IPs which are not even usable.

Pricks

Comments

  • Did you get listed on U3 level?

  • UCEProtect is an extortion ring and it has been known since the beginning of time.

  • I've been getting the same type of reports from my shared hosting blacklist monitoring. All of my shared hosting servers, including ones from reputed providers like hostmantis and myw.pt, are listed in UCEProtect.

  • UCEPROTECT is scam, just move on :)

  • LTniger Member

    :D uceprotect doing good by protecting users from spam. If you got on L3 at UCE, you were really ignorant and didn't give a shit about abuse reports or don't even have an [email protected] mailbox.

    If they were con artists, the internet would have eaten them alive. Same goes for Spamhaus. For end users these entities are VERY good.

  • yoursunny Member
    edited April 1

    @LTniger said:
    :D uceprotect doing good by protecting users from spam.

    The only more effective protection would be

    sudo ufw deny 25/tcp
    

    On the other hand, I have

    sudo ufw deny out 25/tcp
    

    on all my servers.
    I send mail on port 465 only.
    No abuse reports have been received so far.

  • quags Member

    I have seen TCP syncookies cause a listing at UCEProtect. Since UCEProtect's changes this year, I have seen it removed from some projects like mailcow, and generally being used less. Don't pay the extortion and forget it.

  • edited April 1

    @LTniger said: If they were con artists, the internet would have eaten them alive.

    One is disreputable enough that no one would work with them, the other one works with the FBI to take down DDoS and spam gangs and doesn't run their operation like a scam.

    Thanks for your comment, but I know who to trust.

  • jar Provider
    edited April 1

    @LTniger said:
    :D uceprotect doing good by protecting users from spam. If you got on L3 at UCE, you were really ignorant and didn't give a shit about abuse reports or don't even have an [email protected] mailbox.

    If they were con artists, the internet would have eaten them alive. Same goes for Spamhaus. For end users these entities are VERY good.

    Nah they’re a scam, and they’re still around because they probably give kickbacks to mxtoolbox, another famous scam website (like the time they added an RBL that tested every DNS query as true). People still pay their extortion fees. There’s a good reason they don’t provide their data. They don’t have it.

    Spamhaus on the other hand are legit and piss people off because they can’t please them and continue to take a shit on the rest of the internet for profit. Those guys have seen some shit, and if you’re legit and not a dick about it, they’ll show you their work.

  • jar Provider
    edited April 1

    Honestly though @randvegeta we all need to stand together against fake RBLs like this and go after the real problem. The real problem is never that they exist. The problem is anyone who uses them. People who use fake RBLs should be considered partners to extortion and blacklisted. There is a pay-to-play RBL industry and the end users are often unaware that they’re part of it. It needs a counterbalance.

  • hostsinimo Member
    edited April 1

    This conversation made me find this site. Many providers are being listed by them at level 3. They are too aggressive at marking IPs as spam. Many just ignore them. Make sure you are not listed at level 1 and level 2.

  • user54321 Member
    edited April 1

    RBL are useless trash, mine is the only one you need
    You just need two entries to have perfect IP based protection, don't waste your space with thousands of listings other RBLs have.
    0.0.0.0/0
    2000::/3
    Is all you need if you rely on any IP based "protection"
    If you want to get delisted just pay me 1 bitcoin.

  • alexvolk Member

    You won't be able to do anything. This shit is used by big corporations* and they're paying a ton of money for this service to be alive.

    * Microsoft for example.

    Always trying to be negative ^^.

  • @jar said: they probably give kickbacks to mxtoolbox, another famous scam website

    I made a few attempts to remove this shitty RBL from many tools. A few were a success. I didn't try any further but I believe if tried persistently the RBL will be useless one day. And here is the response from MxToolBox.

    Shit Response 1 (as I don't know what an RBL is and they taught me how to de-list):

    Hi,

    Uceprotectl3 Automatically Delists Entries

    This blacklist does not offer any form of manual request to delist. Your IP Address will either automatically expire from listing after a given timeframe, or after time expires from the last receipt of spam into their spamtraps from your IP Address.

    Uceprotectl3 Accepts Payments Or Donations

    This blacklist does support a manual request to remove, delist, or expedite your IP Address from their database upon Payment or Donation of fees to their organization. Please note the following; 1) MxToolBox does not in any way advocate the paying of removal from any blacklists. 2) Removal requests that are submitted without addressing the core problem will likely result in your IP Address being relisted in the database which can cause subsequent problems and extended listing periods without release.

    Sincerely,
    John Holmes

    Shit Response 2:

    Hi,

    Thanks so much for the list of references! We're keeping an eye on the issue - https://blog.mxtoolbox.com/2021/02/12/recent-spikes-on-uce-protect-level-3/

    I'll meet with our team next week (this week we're still experiencing storm issues) to discuss it again. In the meantime, if it is not affecting your email delivery, ignore them. If it is, let your email recipients know what the issue is so that they can consider removing UCEPROTECT for email delivery decisions. Never pay to be delisted.

    If you have any questions or comments, feel free to reach out directly to me.

    Thanks,

    Stephen

  • jar Provider
    edited April 1

    @user54321 said:
    RBL are useless trash, mine is the only one you need
    You just need two entries to have perfect IP based protection, don't waste your space with thousands of listings other RBLs have.
    0.0.0.0/0
    2000::/3
    Is all you need if you rely on any IP based "protection"
    If you want to get delisted just pay me 1 bitcoin.

    Much easier to block actual spam networks than try to keep up with spammers who are using human intelligence to bypass your content filters. AI can’t compete with human intelligence, but you can block millions of spam and nothing else by blocking ServerHub. RBLs are an important part of a larger strategy for anyone who actually knows how to manage mail servers. Typically the only people who fully oppose RBLs are either spammers or people bad at securing their servers that get frustrated at everyone else over it.

  • jar Provider

    @Boogeyman said:

    @jar said: they probably give kickbacks to mxtoolbox, another famous scam website

    I made a few attempts to remove this shitty RBL from many tools. A few were a success. I didn't try any further but I believe if tried persistently the RBL will be useless one day. And here is the response from MxToolBox.

    Shit Response 1 (as I don't know what an RBL is and they taught me how to de-list):

    Hi,

    Uceprotectl3 Automatically Delists Entries

    This blacklist does not offer any form of manual request to delist. Your IP Address will either automatically expire from listing after a given timeframe, or after time expires from the last receipt of spam into their spamtraps from your IP Address.

    Uceprotectl3 Accepts Payments Or Donations

    This blacklist does support a manual request to remove, delist, or expedite your IP Address from their database upon Payment or Donation of fees to their organization. Please note the following; 1) MxToolBox does not in any way advocate the paying of removal from any blacklists. 2) Removal requests that are submitted without addressing the core problem will likely result in your IP Address being relisted in the database which can cause subsequent problems and extended listing periods without release.

    Sincerely,
    John Holmes

    Shit Response 2:

    Hi,

    Thanks so much for the list of references! We're keeping an eye on the issue - https://blog.mxtoolbox.com/2021/02/12/recent-spikes-on-uce-protect-level-3/

    I'll meet with our team next week (this week we're still experiencing storm issues) to discuss it again. In the meantime, if it is not affecting your email delivery, ignore them. If it is, let your email recipients know what the issue is so that they can consider removing UCEPROTECT for email delivery decisions. Never pay to be delisted.

    If you have any questions or comments, feel free to reach out directly to me.

    Thanks,

    Stephen

    I’m convinced that mxtoolbox has financial interest in telling people that their email/hosting service is broken.

  • Cappuccino Member
    edited April 1

    I checked the IPs of all my vps and they are all listed at AS level
    I don't send email or do any other kind of strange stuff, just idling and a few websites on them with barely any visit :neutral:

  • randvegeta Member, Provider

    @LTniger said:
    :D uceprotect doing good by protecting users from spam. If you got on L3 at UCE, you were really ignorant and didn't give a shit about abuse reports or don't even have an [email protected] mailbox.

    If they were con artists, the internet would have eaten them alive. Same goes for Spamhaus. For end users these entities are VERY good.

    Are you an idiot? I already stated that the IPs have been null routed for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    Our IPs are not on any other RBL. It's just UCE. It's a scam when they are listing IPs that are null routed. It's literally IMPOSSIBLE for those IPs to be used for spam.

  • randvegeta Member, Provider

    @jar said:
    Honestly though @randvegeta we all need to stand together against fake RBLs like this and go after the real problem. The real problem is never that they exist. The problem is anyone who uses them. People who use fake RBLs should be considered partners to extortion and blacklisted. There is a pay-to-play RBL industry and the end users are often unaware that they’re part of it. It needs a counterbalance.

    So what do you suggest? What can be done about it?

  • jar Provider
    edited April 1

    @randvegeta said:

    @jar said:
    Honestly though @randvegeta we all need to stand together against fake RBLs like this and go after the real problem. The real problem is never that they exist. The problem is anyone who uses them. People who use fake RBLs should be considered partners to extortion and blacklisted. There is a pay-to-play RBL industry and the end users are often unaware that they’re part of it. It needs a counterbalance.

    So what do you suggest? What can be done about it?

    If no one is using their RBL to reject email then do nothing. If your customers are complaining, explain to them that the existence of a list containing an IP, and a website checking that list, is not evidence of a problem unless the purpose of their server is to check itself for null results on a third party list. Drive home the point by making a text file, putting their home IP in it, linking them to it, and asking them if their home internet is suddenly damaged because you put their IP in a list.

    If they can show evidence that someone is rejecting their email because of a listing there then let’s put that company’s IPs on an RBL for participating in an extortion scheme. I run an RBL, you know. People who run mail servers for the purpose of extorting others at the gate to it are malicious and worthy of blacklisting. The price to get off the list? Don’t be malicious, play fair.

    They probably can’t show evidence of that though, and if their emails are being rejected it’s probably due to another reason and they just assumed the first answer they found to “is something wrong” was answered by someone who knew what they were talking about. It probably wasn’t. We have to train customers better than to fall for this stuff, and we can’t let them be unknowingly used as part of an extortion scheme against us. Competitors like to propagate the false information that all blacklists are relevant and that hosts on any of them are inherently bad. We need to be the competing voices exposing this lie.

    I work my ass off to stay off of every RBL, but I still proactively work to educate people on the evil ways RBLs can be used, and attempt to use mine as leverage to prevent such practices. The only reason to gain influence is to leverage it against others using theirs for evil. It’s an arms race too many people ignore. I’ve been on a long term mission to gain power and influence in the mail industry solely to return the power to the users, the people who get screwed over for no reason. It helps that users pay me for it but that just means I work for them full time now.

  • randvegeta Member, Provider

    @jar, that's actually not a bad idea.

    So what's your RBL?

  • jar Provider

    @randvegeta said:
    @jar, that's actually not a bad idea.

    So what's your RBL?

    It’s mxrbl.com. Feel free to use it. Nothing on it is listed lightly without consideration.

  • sdglhm Member

    @jar said: It’s mxrbl.com. Feel free to use it. Nothing on it is listed lightly without consideration.

    Is it time to change Jarland is Stupid to Jarland is superman?

  • estnoc Member, Provider

    @randvegeta said:

    @LTniger said:
    :D uceprotect doing good by protecting users from spam. If you got on L3 at UCE, you were really ignorant and didn't give a shit about abuse reports or don't even have an [email protected] mailbox.

    If they were con artists, the internet would have eaten them alive. Same goes for Spamhaus. For end users these entities are VERY good.

    Are you an idiot? I already stated that the IPs have been null routed for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    Our IPs are not on any other RBL. It's just UCE. It's a scam when they are listing IPs that are null routed. It's literally IMPOSSIBLE for those IPs to be used for spam.

    they are waiting until you pay for express delisting :) this ucecrap is the most corrupt and money-eager sh*thole entity, even worse than our government.

  • LTniger Member
    edited April 1

    @randvegeta said: I already stated that the IPs have been null routed for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block. Maybe a malfunction? Contact them: http://www.uceprotect.net/en/index.php?m=8&s=0

    So, chill out mate and take real actions to solve your problem without bashing someone.

    P.S. This looks ominous http://www.uceprotect.org/

    "WARNING: Do not play around here. You have no idea who we really are, and what will happen to you!"

    P.P.S. http://www.uceprotect.org/cart00neys/index.html :D

  • edited April 1

    @LTniger said: You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block.

    Before calling the provider an "idiot", take a moment to search about UCEProtect; they are known to pull this stuff regularly. You will find complaints from many providers, not just this one. They also had a recent incident where they put entire ASNs into their so-called RBLs.

  • coolice Member
    • 1 they are incompetent, blocking a couple of million OVH IPs

    some of them so clean (mine) that everything gets delivered to the Inbox in Gmail and Outlook ...

  • LTniger Member

    @stevewatson301 said:

    @LTniger said: You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block.

    Before calling the provider an "idiot", take a moment to search about UCEProtect; they are known to pull this stuff regularly. You will find complaints from many providers, not just this one. They also had a recent incident where they put entire ASNs into their so-called RBLs.

    In comparison with spamhaus uce has 0 complaints.

    Get me right - I don't defend uce (fuck them, my OVH server is in the uce list), I just question the 'provider' sanity. There are always two sides to a story.

  • jar Provider

    @coolice said:

    • 1 they are incompetent, blocking a couple of million OVH IPs

    some of them so clean (mine) that everything gets delivered to the Inbox in Gmail and Outlook ...

    Ever since they installed network level spam filters they’ve been one of the cleanest networks around for spam.

  • quags Member

    @jar said:
    It’s mxrbl.com. Feel free to use it. Nothing on it is listed lightly without consideration.

    Can you add an entry for 127.0.0.2 for testing purposes?

  • jar Provider

    @quags said:

    @jar said:
    It’s mxrbl.com. Feel free to use it. Nothing on it is listed lightly without consideration.

    Can you add an entry for 127.0.0.2 for testing purposes?

    I can add a wildcard at *.bl.mxrbl.com so it can replicate the intent of mxtoolbox.

  • randvegeta Member, Provider
    edited April 1

    @LTniger said:

    @randvegeta said: I already stated that the IPs have been null routed for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block. Maybe a malfunction? Contact them: http://www.uceprotect.net/en/index.php?m=8&s=0

    So, chill out mate and take real actions to solve your problem without bashing someone.

    P.S. This looks ominous http://www.uceprotect.org/

    "WARNING: Do not play around here. You have no idea who we really are, and what will happen to you!"

    P.P.S. http://www.uceprotect.org/cart00neys/index.html :D

    Do you know what null routing does?

    Do you know what cutting power to the server does?

    Tell me what a responsible host should do and why null routing and cutting power is insufficient?

  • quags Member

    For testing I'd generally expect 2.0.0.127.bl.mxrbl.com to respond. Like Spamhaus:

    Name: 2.0.0.127.dbl.spamhaus.org
    Address: 127.0.1.255

  • jar Provider
    edited April 1

    @quags said:
    For testing I'd generally expect 2.0.0.127.bl.mxrbl.com to respond. Like Spamhaus:

    Name: 2.0.0.127.dbl.spamhaus.org
    Address: 127.0.1.255

    I test all day in production but here’s one you can try:

    [email protected]:~# rbladd 1.3.3.7
    Apr 01 18:25:08 [bindbackend] Parsing 0 domain(s), will report when done
    Apr 01 18:25:08 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
    Current records for 7.3.3.1.bl.mxrbl.com IN A will be replaced
    New rrset:
    7.3.3.1.bl.mxrbl.com. 600 IN A 127.0.0.2

    LET and pastes never work for me.
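Added example (not code from mxrbl.com or from anyone in this thread) showing the mechanics quags and jar are talking about: the DNSBL query name is the IP with its octets reversed under the zone (so 127.0.0.2 becomes 2.0.0.127.bl.mxrbl.com, and jar's 1.3.3.7 becomes 7.3.3.1.bl.mxrbl.com), a listing is an A record in 127.0.0.0/8, and RFC 5782 says 127.0.0.2 must be listed while 127.0.0.1 must not be, which is the check that catches a zone answering "listed" for everything (a `*.bl.mxrbl.com` wildcard, or user54321's 0.0.0.0/0 joke). The zone name is taken from the thread; the resolver is injectable and the stand-in zones are constructed so the code runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Zone name from the thread; the mechanics are the same for any DNSBL zone.
ZONE = "bl.mxrbl.com"
# A resolver maps a name to its A records; [] stands for NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone.

    127.0.0.2 -> 2.0.0.127.bl.mxrbl.com, the conventional test entry (RFC 5782).
    """
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> List[str]:
    """Resolve with the OS resolver; NXDOMAIN and lookup failures become []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def is_listed(ip: str, resolve: Resolver = system_resolver, zone: str = ZONE) -> bool:
    """True when the zone answers with an address inside 127.0.0.0/8.

    Anything outside 127/8 is not a listing: it usually means a captive
    resolver or a zone that has been turned into a catch-all.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def zone_sanity(resolve: Resolver = system_resolver, zone: str = ZONE) -> str:
    """Check the RFC 5782 test entries before trusting a zone in a mail filter.

    127.0.0.2 must be listed (the zone is alive) and 127.0.0.1 must not be
    (the zone is not answering 'listed' for everything). A zone that fails
    the second check would make the MTA reject all mail.
    """
    alive = is_listed("127.0.0.2", resolve, zone)
    catch_all = is_listed("127.0.0.1", resolve, zone)
    if catch_all:
        return "broken: lists everything"
    if not alive:
        return "broken: test entry missing, zone dead or unreachable"
    return "ok"


# Constructed stand-in zones so the example runs offline. The 1.3.3.7 entry
# mirrors the rbladd output quoted above; the catch-all mirrors a wildcard.
_FAKE_RECORDS: Dict[str, List[str]] = {
    dnsbl_query_name("127.0.0.2"): ["127.0.0.2"],
    dnsbl_query_name("1.3.3.7"): ["127.0.0.2"],
}


def fake_resolver(name: str) -> List[str]:
    """Well-behaved zone: only the test entry and 1.3.3.7 are listed."""
    return _FAKE_RECORDS.get(name, [])


def catch_all_resolver(name: str) -> List[str]:
    """Every name under the zone answers 127.0.0.2, as a wildcard record would."""
    return ["127.0.0.2"] if name.endswith("." + ZONE) else []


if __name__ == "__main__":
    for ip in ("127.0.0.2", "1.3.3.7", "198.51.100.9"):
        print(f"{ip:>14} -> {dnsbl_query_name(ip)} listed={is_listed(ip, fake_resolver)}")
    print("fake zone:", zone_sanity(fake_resolver))
    print("catch-all zone:", zone_sanity(catch_all_resolver))
```

Running `zone_sanity()` with the default system resolver against a real zone is the same check an MTA should do before it starts rejecting on that list.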

  • Daniel15 Member

    As far as I know, UCEPROTECT is run by one person who uses a fake name online (Claus von Wolfhausen), and he's ridiculously sexist:
    http://www.uceprotect.org/cart00neys/2021-001.html

    It's a garbage blacklist that's just used to extort people. Unfortunately Microsoft do appear to use them :(

  • LTniger Member

    @randvegeta said:

    @LTniger said:

    @randvegeta said: I already stated that the IPs have been null routed for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block. Maybe a malfunction? Contact them: http://www.uceprotect.net/en/index.php?m=8&s=0

    So, chill out mate and take real actions to solve your problem without bashing someone.

    P.S. This looks ominous http://www.uceprotect.org/

    "WARNING: Do not play around here. You have no idea who we really are, and what will happen to you!"

    P.P.S. http://www.uceprotect.org/cart00neys/index.html :D

    Do you know what null routing does?

    Do you know what cutting power to the server does?

    Tell me what a responsible host should do and why null routing and cutting power is insufficient?

    Care to share a few listings here? Especially those "fake" ones.

  • randvegeta Member, Provider

    @LTniger said:

    @randvegeta said:

    @LTniger said:

    @randvegeta said: I already stated that the IPs have been null routed for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block. Maybe a malfunction? Contact them: http://www.uceprotect.net/en/index.php?m=8&s=0

    So, chill out mate and take real actions to solve your problem without bashing someone.

    P.S. This looks ominous http://www.uceprotect.org/

    "WARNING: Do not play around here. You have no idea who we really are, and what will happen to you!"

    P.P.S. http://www.uceprotect.org/cart00neys/index.html :D

    Do you know what null routing does?

    Do you know what cutting power to the server does?

    Tell me what a responsible host should do and why null routing and cutting power is insufficient?

    Care to share a few listings here? Especially those "fake" ones.

    Sure.

    FYI, our ASN is AS133398. You can look us up. Our entire ASN is on their Level 3 list.

    http://www.uceprotect.net/en/asn-details.php?asn=133398&accesskey=2263e2d610b47f33380cd614ef8daebb

    Here you can see 8 IPs listed. All the IPs with multiple impacts have been null routed and server shut down. You can see the latest impacts were today and yesterday. And yet all the IPs with multiple impacts were disabled over a week ago. It is simply IMPOSSIBLE for the reports to be genuine.

    Even if they were genuine, the listing affects our entire ASN. We have almost 9,000 IPs under our network, and all are affected because of an alleged 8 IPs sending out spam. And it's not even true. But even if it were true, that's a case rate of less than 0.1%.

    Bloody ridiculous.

    I will not play their games. I will not pay them for express delisting.

  • LTniger Member
    edited April 1

    @randvegeta said:

    @LTniger said:

    @randvegeta said:

    @LTniger said:

    @randvegeta said: I already stated that the IPs have been null routed for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block. Maybe a malfunction? Contact them: http://www.uceprotect.net/en/index.php?m=8&s=0

    So, chill out mate and take real actions to solve your problem without bashing someone.

    P.S. This looks ominous http://www.uceprotect.org/

    "WARNING: Do not play around here. You have no idea who we really are, and what will happen to you!"

    P.P.S. http://www.uceprotect.org/cart00neys/index.html :D

    Do you know what null routing does?

    Do you know what cutting power to the server does?

    Tell me what a responsible host should do and why null routing and cutting power is insufficient?

    Care to share a few listings here? Especially those "fake" ones.

    Sure.

    FYI, our ASN is AS133398. You can look us up. Our entire ASN is on their Level 3 list.

    http://www.uceprotect.net/en/asn-details.php?asn=133398&accesskey=2263e2d610b47f33380cd614ef8daebb

    Here you can see 8 IPs listed. All the IPs with multiple impacts have been null routed and server shut down. You can see the latest impacts were today and yesterday. And yet all the IPs with multiple impacts were disabled over a week ago. It is simply IMPOSSIBLE for the reports to be genuine.

    Even if they were genuine, the listing affects our entire ASN. We have almost 9,000 IPs under our network, and all are affected because of an alleged 8 IPs sending out spam. And it's not even true. But even if it were true, that's a case rate of less than 0.1%.

    Bloody ridiculous.

    I will not play their games. I will not pay them for express delisting.

    Took a quick look at your ASN. 185.36.81.0/24 is marked as still growing in reports. And it seems the ASN had hundreds of listings from a few different subnets. Uncontrolled level 1 brought you to level 3. Too slow to react to spam. This means a properly unsupervised network.

    You can't delist with express while your reports are still growing. Monitor your network activities.

  • randvegeta Member, Provider

    @LTniger said:

    @randvegeta said:

    @LTniger said:

    @randvegeta said:

    @LTniger said:

    @randvegeta said: I already stated that the IPs have been null routed for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block. Maybe a malfunction? Contact them: http://www.uceprotect.net/en/index.php?m=8&s=0

    So, chill out mate and take real actions to solve your problem without bashing someone.

    P.S. This looks ominous http://www.uceprotect.org/

    "WARNING: Do not play around here. You have no idea who we really are, and what will happen to you!"

    P.P.S. http://www.uceprotect.org/cart00neys/index.html :D

    Do you know what null routing does?

    Do you know what cutting power to the server does?

    Tell me what a responsible host should do and why null routing and cutting power is insufficient?

    Care to share a few listings here? Especially those "fake" ones.

    Sure.

    FYI, our ASN is AS133398. You can look us up. Our entire ASN is on their Level 3 list.

    http://www.uceprotect.net/en/asn-details.php?asn=133398&accesskey=2263e2d610b47f33380cd614ef8daebb

    Here you can see 8 IPs listed. All the IPs with multiple impacts have been null routed and server shut down. You can see the latest impacts were today and yesterday. And yet all the IPs with multiple impacts were disabled over a week ago. It is simply IMPOSSIBLE for the reports to be genuine.

    Even if they were genuine, the listing affects our entire ASN. We have almost 9,000 IPs under our network, and all are affected because of an alleged 8 IPs sending out spam. And it's not even true. But even if it were true, that's a case rate of less than 0.1%.

    Bloody ridiculous.

    I will not play their games. I will not pay them for express delisting.

    Took a quick look at your ASN. 185.36.81.0/24 is marked as still growing in reports. And it seems the ASN had hundreds of listings from a few different subnets. Uncontrolled level 1 brought you to level 3. Too slow to react to spam. This means a properly unsupervised network.

    You can't delist with express while your reports are still growing. Monitor your network activities.

    Fake reports can't be remedied.

  • jar Provider

    @LTniger said: 185.36.81.0/24

    Good bit of brute force from those recently:

         114 185.36.81.174
         231 185.36.81.21
         585 185.36.81.39
           4 185.36.81.58
           3 185.36.81.98

    Just from a quick run of:

    darun grep 185.36.81. /var/log/exim/mainlog \| grep Incorrect | awk '{print $9}' | sed 's/\[//' | sed 's/\]//' | sed 's/\://' | sort | uniq -c

    Runs against the DA servers.

  • jar Provider
    edited April 1

    Yeah I’m gonna have to say looking at the ASN that’s the /24 that they report as still growing, and I have brute force attacks from it today. From an IP that I can presently ping (185.36.81.21).

    Then from the others:

    45.125.65.63 brute force on 3/28 and 3/29

    91.224.92.142 - 1 today

    91.224.92.155 - A few on 3/29 and 3/30

    91.224.92.140 - A bunch on 3/30

    So I guess these are actually all accounted for in the last 2-3 days. All SMTP brute force which means that if they are successful elsewhere, they’re sending spam. The randomized EHLO statements are familiar, this is a common botnet.

    So @LTniger was right, and despite my dislike for them I had no reason to rant against them in this thread.
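Added example (not jar's pipeline and not code from any project named here): the same per-IP count of failed SMTP AUTH attempts as the `grep ... | sort | uniq -c` run above, done in Python over Exim mainlog lines, and additionally keeping the distinct EHLO names per source so the randomised-EHLO pattern jar points to in the post above can be flagged automatically. The log lines are constructed (the 185.36.81.x addresses are the ones discussed in the thread; the EHLO names, timestamps and other addresses are made up), and the regex follows Exim's standard "authenticator failed" line layout.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Exim mainlog line for a failed SMTP AUTH. The hostname before the
# parenthesised EHLO name is optional, and a ":port" suffix after the
# address appears only when Exim is configured to log incoming ports.
AUTH_FAIL = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\w+) authenticator failed for (?:\S+ )?\((?P<ehlo>[^)]*)\) "
    r"\[(?P<ip>[0-9.]+)\](?::\d+)?: 535 Incorrect authentication data"
)

# Constructed sample log, not taken from a real server.
SAMPLE_MAINLOG = """\
2021-04-01 18:25:08 login authenticator failed for (ylmf-pc) [185.36.81.21]: 535 Incorrect authentication data (set_id=info)
2021-04-01 18:25:09 login authenticator failed for (ADMIN) [185.36.81.21]: 535 Incorrect authentication data (set_id=admin)
2021-04-01 18:25:11 plain authenticator failed for (User) [185.36.81.21]: 535 Incorrect authentication data (set_id=sales)
2021-04-01 18:26:00 login authenticator failed for (ylmf-pc) [185.36.81.39]: 535 Incorrect authentication data (set_id=test)
2021-04-01 18:26:02 login authenticator failed for mail.example.com (mail.example.com) [203.0.113.7]: 535 Incorrect authentication data (set_id=bob)
2021-04-01 18:27:00 1lS1yX-0004Qe-2H <= user@example.com H=(localhost) [127.0.0.1] P=esmtpa S=1234
2021-04-01 18:27:30 login authenticator failed for (ylmf-pc) [185.36.81.58]: 535 Incorrect authentication data
"""


def failed_auth_by_ip(lines: Iterable[str], subnet: str) -> Dict[str, Tuple[int, List[str]]]:
    """Count failed AUTH attempts per source IP inside subnet.

    Returns {ip: (attempts, sorted distinct EHLO names)}. Lines that are not
    authenticator failures, or whose source lies outside subnet, are skipped.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    attempts: Counter = Counter()
    ehlo_names = defaultdict(set)
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        ip = m.group("ip")
        try:
            if ipaddress.ip_address(ip) not in net:
                continue
        except ValueError:  # malformed address in the log: skip, do not crash
            continue
        attempts[ip] += 1
        ehlo_names[ip].add(m.group("ehlo"))
    return {ip: (n, sorted(ehlo_names[ip])) for ip, n in attempts.items()}


def likely_bot_sources(report: Dict[str, Tuple[int, List[str]]],
                       min_attempts: int = 3, min_ehlo_names: int = 2) -> List[str]:
    """IPs that hammer AUTH and change their EHLO name between attempts.

    A legitimate client that mistypes a password sends the same EHLO every
    time; a credential-guessing bot that randomises it stands out here.
    """
    return sorted(
        ip for ip, (n, names) in report.items()
        if n >= min_attempts and len(names) >= min_ehlo_names
    )


def format_report(report: Dict[str, Tuple[int, List[str]]]) -> str:
    """Render like `uniq -c`, most attempts first, with the EHLO names beside each IP."""
    rows = sorted(report.items(), key=lambda kv: -kv[1][0])
    return "\n".join(f"{n:>8} {ip}  ehlo={','.join(names)}" for ip, (n, names) in rows)


if __name__ == "__main__":
    rep = failed_auth_by_ip(SAMPLE_MAINLOG.splitlines(), "185.36.81.0/24")
    print(format_report(rep))
    print("likely bots:", likely_bot_sources(rep))
```

On a real server, feed it `open("/var/log/exim/mainlog")` instead of the sample and the same two functions give the count and the flagged sources.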

  • randvegeta Member, Provider

    @jar said:
    Yeah I’m gonna have to say looking at the ASN that’s the /24 that they report as still growing, and I have brute force attacks from it today. From an IP that I can presently ping (185.36.81.21).

    Then from the others:

    45.125.65.63 brute force on 3/28 and 3/29

    91.224.92.142 - 1 today

    91.224.92.155 - A few on 3/29 and 3/30

    91.224.92.140 - A bunch on 3/30

    So I guess these are actually all accounted for in the last 2-3 days. All SMTP brute force which means that if they are successful elsewhere, they’re sending spam. The randomized EHLO statements are familiar, this is a common botnet.

    So @LTniger was right, and despite my dislike for them I had no reason to rant against them in this thread.

    I don't usually null route or shut down servers with a single report. Interesting though that 45.125.65.63 shows up. This was null routed over a week ago now, and the server shut down a few days ago.

    Can you still send out spam from an IP if only inbound traffic is being blocked?

    I cannot understand how spam could be getting through with a null route in place.

  • randvegeta Member, Provider

    It's a handful of IPs. Not sure that's really worth blacklisting an ASN with >8K IPs. All null routed now anyway.

  • jar Provider

    @randvegeta said: Can you still send out spam from an IP if only inbound traffic is being blocked?

    Yeah. I don't know how this botnet works but I assume every action isn't commanded externally; it's probably given the code to run independently and triggered to start running from an external command.

  • randvegeta Member, Provider

    @jar said:

    @randvegeta said: Can you still send out spam from an IP if only inbound traffic is being blocked?

    Yeah. I don't know how this botnet works but I assume every action isn't commanded externally; it's probably given the code to run independently and triggered to start running from an external command.

    UDP technically doesn't need a return path, but how do you do a brute force, or do any kind of smart exploit when you have no return packets? So DDoS, sure, it works. But brute force? I can't figure that out.

  • @jar said:

    @user54321 said:
    RBL are useless trash, mine is the only one you need
    You just need two entries to have perfect IP based protection, don't waste your space with thousands of listings other RBLs have.
    0.0.0.0/0
    2000::/3
    Is all you need if you rely on any IP based "protection"
    If you want to get delisted just pay me 1 bitcoin.

    Much easier to block actual spam networks than try to keep up with spammers who are using human intelligence to bypass your content filters. AI can’t compete with human intelligence, but you can block millions of spam and nothing else by blocking ServerHub. RBLs are an important part of a larger strategy for anyone who actually knows how to manage mail servers. Typically the only people who fully oppose RBLs are either spammers or people bad at securing their servers that get frustrated at everyone else over it.

    We dropped any IP-related stuff here completely and go only for text patterns and heuristics on attachments. Sure, it is more effort at the start than simply asking an RBL and you need enough email income to adapt, but the benefit of a lot fewer false positives plus being able to deliver from everywhere is big.
    I have no problem if Spamhaus, UCE and all the others would disappear forever; their idea worked in the 2000s, now they are completely useless.

  • jackb Member, Provider
    edited April 2

    @randvegeta said:

    @jar said:

    @randvegeta said: Can you still send out spam from an IP if only inbound traffic is being blocked?

    Yeah. I don't know how this botnet works but I assume every action isn't commanded externally; it's probably given the code to run independently and triggered to start running from an external command.

    UDP technically doesn't need a return path, but how do you do a brute force, or do any kind of smart exploit when you have no return packets? So DDoS, sure, it works. But brute force? I can't figure that out.

    I think his point is the host was already compromised and the C&C sends spoofed packets to the compromised hosts to hide its location.

  • @randvegeta said:
    It's a handful of IPs. Not sure that's really worth blacklisting an ASN with >8K IPs. All null routed now anyway.

    Some of those IP addresses are also listed in AbuseIPDB. The 185.36.81.98 has been reported 479 times to AbuseIPDB and the most recent report was 3 hours ago. You might have to check if hosts at those IPs were compromised before you remove the null routes.
