UCEPROTECT Strikes Again

randvegeta Member, Host Rep

Despite my never having interacted with UCE Protect in the past, it's interesting to see what they have publicly listed on their RBL listing.

http://www.uceprotect.net/en/rblcheck.php?asn=133398

(Once opened, push the Start Testing button).

You'll see in the right hand column, they say "Randvegeta has declared to dislike expedited expressdelistings."

Evidently, the guys at UCE Protect are lurking this forum. Apparently my disapproval of their practices has warranted an update to their listing which includes my (screen) name. That's a MANUAL process for sure.

Just how unprofessional is this organization?


Comments

  • I think you need to clean up your shit.

    https://cleantalk.org/blacklists/as133398

  • stefeman Member
    edited May 2021

    lol, they listed you in level 3 so complete ASN just to fuck with you. How do people even use this shit?

    They even added custom message just to annoy you because you exposed them last time as a scam which caused many providers to ignore and remove them from relevant positions of power.

  • coolice Member

    @stefeman said:
    lol, they listed you in level 3 so complete ASN just to fuck with you. How do people even use this shit?

    They even added custom message just to annoy you because you started/exposed them last time as a scam.

    they click on all rbl in oppshied cpgurad

  • Levi Member

    Personal insult in blacklist reason :D oooo, you woke up a dragon.

  • randvegeta Member, Host Rep

    @alexvolk said: I think you need to clean up your shit.

    https://cleantalk.org/blacklists/as133398

    Good resources. But it's not exactly showing the correct abuse ratio. We have ~9K IPv4 addresses on our ASN. CleanTalk lists 23 SPAM active IPs. Meaning 0.3% of our network. Not the suggested 21%.

    @stefeman said: lol, they listed you in level 3 so complete ASN just to fuck with you. How do people even use this shit?

    They even added custom message just to annoy you because you exposed them last time as a scam which caused many providers to ignore and remove them from relevant positions of power.

    I know! It's actually kind of funny.

  • @alexvolk said:
    I think you need to clean up your shit.

    https://cleantalk.org/blacklists/as133398

    I checked his entire ASN and ranges in abuseipdb and it's as clean as it gets except some individual IPs a few months ago to be honest.

  • HostSlick Member, Patron Provider
    edited May 2021

    -removed

  • bulbasaur Member
    edited May 2021

    @randvegeta said: Just how unprofessional is this organization?

    They also like to believe that women cannot work in tech, so the comment about you is hardly the most unprofessional one.

    http://www.uceprotect.org/cart00neys/2021-001.html

    Thanked by 1 Daniel15
  • randvegeta Member, Host Rep

    @stefeman said: I checked his entire ASN and ranges in abuseipdb and it's as clean as it gets except some individual IPs a few months ago to be honest.

    Yeah some IPs are leased to resellers, and they get abuse. It's not always as simple when dealing with resellers. Our resellers tend to attract more abuse than we do directly, but it's not cool for a provider to just kick the reseller for still relatively few abuse cases.

    We're trying to take more action, but it's not labour free. They tend to get batched to save time.

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    The /24s marked red are either trying to send spam to MXroute servers or brute forcing with a botnet that uses computer names like these: ubezChHTF, AijHZXiD, qV7l7kR, zsAvjizN, etc.

    If being listed bothers your customers, they should keep their systems cleaner. If they do, they'll fall off the list organically. After reviewing their data twice now I'm now finding that UCEPROTECT is accurate. I don't see the problem unless being listed there is just offending you. There is zero wrong with running a blacklist that actively and correctly takes into account systems that are trying to attack yours. Some of your IPs are on my RBL as well, and I have no recollection of adding them which means they were automated adds based on significant volumes of attempted spam.

    Despite my past rants against them, I have been unable to actually find fault in their listings now that I have a large enough data set to compare them against.

    Thanked by 1 alexvolk
  • randvegeta Member, Host Rep

    @jar

    I'm not actually complaining about their listing.

    I'm pointing out that their listing now contains my Screen Name directly, and they no longer even offer express delisting (not that I would ever pay).

    Who does that?

  • jbiloh Administrator, Veteran

    UCEProtect is one of the less reliable lists out there. Their tendency to ask for money in exchange for delisting isn't ideal.

    Thanked by 2 randvegeta Shazan
  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    @randvegeta said:
    @jar

    I'm not actually complaining about their listing.

    I'm pointing out that their listing now contains my Screen Name directly, and they no longer even offer express delisting (not that I would ever pay).

    Who does that?

    I mean it’s funny though right? They just told you they’re listening. You can’t use express delisting they say, humorously, to someone who doesn’t want to use it.

    I’m sorry but I’m really coming around here. Their express delisting is just to speed up the process for impatient people, you can’t buy whitelisting from them (now that would be shady). So if you paid it and didn’t clean up the IPs, you’d be gifting them money for no gain.

    The more my infrastructure grows the more I’m coming around on people I thought poorly of before. I really hated these guys too but:

    1. It’s a private list and no one is required to use it.

    2. I can’t find a case of them making false claims about IPs, and now that I’ve grown I can verify it from my own records.

    3. Yeah they’re dicks but when someone thinks I owe them a delisting from the list I use to protect my servers, simply because they’re offended at the suggestion that they stop attacking my servers, I start to look like the same dick to the same people.

    I have people asking for delisting from MXRBL from residential IPs with compromised IoT devices in their homes, that aren’t even running mail servers, just because they have been incorrectly told on WHT, Reddit, or some other amateur forum that the mere existence of an IP on a private blacklist is interfering with their activity.

    I wanted to hate them. But every year I change based on the information in front of me, and I’ll be damned if 2021 wasn’t the year I understood UCEPROTECT.

    Thanked by 1 TimboJones
  • stefeman Member
    edited May 2021

    @jar said:

    @randvegeta said:
    @jar

    I'm not actually complaining about their listing.

    I'm pointing out that their listing now contains my Screen Name directly, and they no longer even offer express delisting (not that I would ever pay).

    Who does that?

    yadayada

    It would be fine if it was a respected player like SpamHaus, but siding with unprofessional dicks will also make you look like an unprofessional dick. Personally I find MXRoute amazing and having the best IP reputation around even when compared to high end providers. Your stance of siding with scammer establishment really hurts this trust, but you probably won't care about your image in one person's eyes though.

    There is enough evidence about this past year of them suddenly listing multiple decent sized networks in hopes of getting fast de-listing ransom money. And that's exactly how it turned out. They were called out as scam operation cause of this by multiple respectable players. Even if they now supposedly act based on facts, thieves will do it again. Funnily enough, after getting their money nothing changed in those networks. There was no policy updates or any visible change in amount of abuse at cleantalk and abuseipdb.

    "Just pay the money and we won't list you again for fraudulent reasons?".

    Thanked by 1 lentro
  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    @stefeman said:

    @jar said:

    @randvegeta said:
    @jar

    I'm not actually complaining about their listing.

    I'm pointing out that their listing now contains my Screen Name directly, and they no longer even offer express delisting (not that I would ever pay).

    Who does that?

    yadayada

    It would be fine if it was a respected player like SpamHaus, but siding with unprofessional dicks will also make you look like an unprofessional dick. Personally I find MXRoute amazing and having the best IP reputation around even when compared to high end providers. Your stance of siding with scammer establishment really hurts this trust, but you probably won't care about your image in one person's eyes though.

    There is enough evidence about this past year of them suddenly listing multiple decent sized networks in hopes of getting fast de-listing ransom money. And that's exactly how it turned out. They were called out as scam operation cause of this by multiple respectable players. Even if they now supposedly act based on facts, thieves will do it again. Funnily enough, after getting their money nothing changed in those networks. There was no policy updates or any visible change in amount of abuse at cleantalk and abuseipdb.

    "Just pay the money and we won't list you again for fraudulent reasons?".

    I did something (compared claims of wrongful listing with my logs) to test them and I found their information stood up to my tests. Their delisting does not guarantee that you won’t be relisted, so it’s best to speed up delisting IF you already took care of the cause. I took action to see if my bias met with reality and it didn’t. What action have you taken to make a factual counter statement?

    My opinion changes with information. To change it, you need to feed me new information. If choosing the information in front of me over emotion renders me untrustworthy, so be it. Personally I thought it a point of personal growth that I threw out my opinion when the facts I had contradicted it, but everyone is entitled to their own perspective.

  • stefeman Member
    edited May 2021

    The point was that second mass of text above, and while it may seem proper now, the sudden mass listing cashgrab operation after being integrated into bigger services, certainly was not.

    Thanked by 1 jar
  • jar Patron Provider, Top Host, Veteran

    @stefeman said:
    The point was that second mass of text above, and while it may seem proper now, the sudden mass listing cashgrab operation after being integrated into bigger services, certainly was not.

    I’m unable to speak to that, but certainly happy to review anything surrounding it. The topic interests me so it’s not a waste of time to give me any reading.

  • stefeman Member
    edited May 2021

    @jar said:

    @stefeman said:
    The point was that second mass of text above, and while it may seem proper now, the sudden mass listing cashgrab operation after being integrated into bigger services, certainly was not.

    I’m unable to speak to that, but certainly happy to review anything surrounding it. The topic interests me so it’s not a waste of time to give me any reading.

    GoDaddy (100kIP)
    Contabo (223kIP)
    Velia_net (110kIP)
    M247 (967kIP)
    Trend Micro (Unknown amount of IPs)
    Gandi (Unknown amount of IPs)
    Linode (Their entire ASN on Level 3)
    Amazon (Unknown amount of IPs)
    Zoho (Unknown amount of IPs)

    And god knows how many more.

    Isn't it funny how seemingly at the same time, all of them get listed there with majority of their IPs?

    https://securityboulevard.com/2021/02/uceprotect-when-rbls-go-bad/
    https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security
    https://news.gandi.net/en/2021/03/gandis-email-service-impacted-by-uceprotect-blacklisting/
    https://blog.mxtoolbox.com/2021/02/12/recent-spikes-on-uce-protect-level-3/
    https://www.e-shot.net/insights/help/half-of-the-internet-is-blacklisted-uceprotect
    https://www.inmotionhosting.com/support/news/uceprotect-rbl-scam/
    https://www.linode.com/community/questions/20952/linode-blacklisted-on-uceprotect-rbl
    http://kontech.net/uceprotect-blacklist-scheme-2020/
    https://help.zoho.com/portal/en/community/topic/zoho-blocked-by-uce-protect-spamlist
    https://www.titanhq.com/blog/warning-ignore-pay-for-de-listing-blacklist-service/
    https://notdan.medium.com/when-whitehats-break-bad-uceprotect-other-malicious-rbls-realtime-blacklists-f691d48170e2

    There's plenty more articles from all kinds of companies and sources. Just google.

    Thanked by 1 jar
  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    Will give those a read, thanks! Some of those top ones you mentioned though, I actively see attacks from those frequently. Especially M247. I actually blocked them for a while too just to drop server loads.

    My criteria for them being legitimate would be that they did in fact see malicious traffic, just as a heads up for how I will go into it.

  • titus Member
    edited May 2021

    I'm not a provider, just a 'simple' user who has (rents) a lot of small and medium (resources) VPSes. But I like to keep "my" IP addresses clean, and try to prevent problems, so I check the IP blacklists - at the moment - via Hetrixtools. In the last half year I received some blacklist notifications (for example: for "my" OVH/Kimsufi IP, etc.) - "OMG what happened? something went wrong with my VM? I must check it ASAP" - and when I checked the details, it was always a UceProtect RBL (dnsbl-3.uceprotect.net) and my IP was clean, they simply marked the full IP range. After the 8th-10th "fake" blacklisted/unlisted notification I simply ignored this blacklist. I partly understand their attitude, but on the other side, it's really annoying (because my IP is clean, I'm not affected directly, and the full IP range - including my clean IP - has been marked 'malicious').
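Added example, not part of any post in this thread: one way to triage the kind of alert described in the post above, by checking whether an address is listed individually or only through a range/ASN listing. `dnsbl-3.uceprotect.net` is the zone named in the post; the `dnsbl-1` and `dnsbl-2` zone names, the verdict labels and the sample answers are assumptions made for the example.

```python
import ipaddress
import socket

# dnsbl-3 is the zone named in the post; dnsbl-1 and dnsbl-2 are assumed
# here to be the matching Level 1 (single IP) and Level 2 (range) zones.
ZONES = {1: "dnsbl-1.uceprotect.net",
         2: "dnsbl-2.uceprotect.net",
         3: "dnsbl-3.uceprotect.net"}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers

def query_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dns_lookup(name):
    """Live resolver. None covers NXDOMAIN but also timeouts, so a
    resolver outage reads as "not listed"; alert on that separately."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def triage(ip, lookup=dns_lookup):
    """Return (levels_listed, verdict) for one IPv4 address."""
    levels = []
    for level, zone in sorted(ZONES.items()):
        answer = lookup(query_name(ip, zone))
        # Ignore answers outside 127.0.0.0/8: a resolver that rewrites
        # NXDOMAIN would otherwise make every IP look listed.
        if answer and ipaddress.IPv4Address(answer) in LISTED_NET:
            levels.append(level)
    if 1 in levels:
        verdict = "ip-listed"    # this address itself was reported
    elif levels:
        verdict = "range-only"   # collateral listing of the range or ASN
    else:
        verdict = "clean"
    return levels, verdict

# Constructed sample answers (documentation addresses, not real listings).
SAMPLE_ANSWERS = {
    "10.2.0.192.dnsbl-3.uceprotect.net": "127.0.0.2",
    "66.2.0.192.dnsbl-1.uceprotect.net": "127.0.0.2",
    "66.2.0.192.dnsbl-3.uceprotect.net": "127.0.0.2",
    "5.100.51.198.dnsbl-2.uceprotect.net": "203.0.113.80",  # hijacked NXDOMAIN
}

def sample_lookup(name):
    """Offline stand-in for dns_lookup, backed by the constructed answers."""
    return SAMPLE_ANSWERS.get(name)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "198.51.100.5"):
        print(ip, triage(ip, sample_lookup))
```

A monitor built on this can page only on `ip-listed` and log `range-only` results for later review.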

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    @titus said:
    I'm not a provider, just a 'simple' user who has (rents) a lot of small and medium (resources) VPSes. But I like to keep "my" IP addresses clean, and try to prevent problems, so I check the IP blacklists - at the moment - via Hetrixtools. In the last half year I received some blacklist notifications (for example: for "my" OVH/Kimsufi IP, etc.) - "OMG what happened? something went wrong with my VM? I must check it ASAP" - and when I checked the details, it was always a UceProtect RBL (dnsbl-3.uceprotect.net) and my IP was clean, they simply marked the full IP range. After the 8th-10th "fake" blacklisted/unlisted notification I simply ignored this blacklist. I partly understand their attitude, but on the other side, it's really annoying (because my IP is clean, I'm not affected directly, and the full IP range - including my clean IP - has been marked 'malicious').

    And I think there is where we can train the next generation of admins to think differently as well. We’ve over hyped blacklisting as a whole to the point where new admins come in and think being listed on one is a problem that must be solved. I’d like to train new admins to instead say “if I can’t prove or at least reasonably suspect that this blacklisting is preventing my use case, I should consider it irrelevant.”

    It’s just such an easy thing to fall back on. You didn’t do anything, there’s an accusation that you did, you’re having unspecified problems, therefore the problem is the accuser. It’s to the point where a Wordpress user going OOM might accuse their provider and an RBL of the cause being related to IP reputation, simply because they went in search of an answer and that was the first one they found.

    I applaud people trying to find problems to fix but these easy “input your site here and we’ll tell you what’s wrong” scanners and the people who recommend them are a hurdle to learning how to troubleshoot. They also make support tickets harder because customers start out so convinced that you have to explain to them in detail why they’re looking at the wrong thing before they’ll even tell you the problem they started with.

    Thanked by 1 titus
  • Maounique Host Rep, Veteran
    edited May 2021

    @jar said: Despite my past rants against them, I have been unable to actually find fault in their listings now that I have a large enough data set to compare them against.

    +1
    The "personal touch" is a problem, though. This looks like revenge and attempts to silence an opponent and "teach a lesson to others" "because we can". Reminds me of someone.
    I have also ranted against them, but the automatic part of it doesn't look bad. The ransom is another issue, but as long as they get delisted automatically after a while, compared to other lists, is a strong plus. I wouldn't use them due to the escalation policy (now with the number of hits extra flavour even as it is strongly mitigated by the hourly limits) but that is my personal decision. Level 1 seems safe.

    Thanked by 3 jar alexvolk randvegeta
  • The whole email spamming thing is a real PITA!
    Obvious spam finds its way into my inbox/junk on a daily basis.
    Auto-generated WHM/DA server messages get blocked/marked as spam.
    E-commerce account/order/updates get blocked by the likes of AT&T/sbcglobal, though their respective IPs don't appear on any other blocklists.
    UCEPROTECT fluctuates between level 1, 2 and delisted, on a couple of primary VPSes (with multiple IPs).
    WHM/cPanel diligently sends out some emails via the main IP, rather than a client's dedicated IP, even though they are set to (MXroute) external email.
    SPF, DKIM, DMARC and rDNS are all enabled.

    Yet, the spammers still spam, with ease and in some cases with apparent immunity. :'(

  • Levi Member

    If UCE is so bad, why do the majority of email administrators use them?

  • Shazan Member, Host Rep

    @LTniger said:
    If UCE is so bad, why do the majority of email administrators use them?

    Majority? I don't think so.

    Thanked by 1 Maounique
  • Maounique Host Rep, Veteran

    @Shazan said: Majority? I don't think so.

    Me neither, but they are included in some aggregated lists, some very reputable.

  • Levi Member

    They are included, because they are doing a decent job of stopping spam. Definitely, zero ethics, but they help most of the time.

    @jar , does mxroute use uce L1 or L2?

    Thanked by 1 Maounique
  • randvegeta Member, Host Rep

    @LTniger said:
    They are included, because they are doing a decent job of stopping spam. Definitely, zero ethics, but they help most of the time.

    @jar , does mxroute use uce L1 or L2?

    If you block everyone, you also block all spam.

  • jar Patron Provider, Top Host, Veteran

    @LTniger said:
    They are included, because they are doing a decent job of stopping spam. Definitely, zero ethics, but they help most of the time.

    @jar , does mxroute use uce L1 or L2?

    Currently I’m only using MXRBL. However, it seems to be quite a bit of a mirror of their L1 list at least from what I’m seeing. Not intentionally, rather it seems we’re working from similar data sets.

  • Maounique Host Rep, Veteran

    @jar said:

    @LTniger said:
    They are included, because they are doing a decent job of stopping spam. Definitely, zero ethics, but they help most of the time.

    @jar , does mxroute use uce L1 or L2?

    Currently I’m only using MXRBL. However, it seems to be quite a bit of a mirror of their L1 list at least from what I’m seeing. Not intentionally, rather it seems we’re working from similar data sets.

    Yes, L1 is pretty reliable.

    Thanked by 1 jar