UCEPROTECT experience

jmginerjmginer Member, Patron Provider
edited July 2016 in General

Hello,

We have detected that the blacklist UCEPROTECT has blacklisted our entire range: 185.47.131.0/24

The blacklisting was caused by a "customer" that sent SPAM from their VPS using the IPs:

185.47.131.xx

185.47.131.xx

185.47.131.xx

185.47.131.xx

185.47.131.xx

We received the first SpamCop abuse complaint at:
15 Jul 2016 16:05:54

And we closed this customer's server at:
16 Jul 2016 12:49

We don't spy on what our customers are doing with their servers, so we have to rely on abuse complaints to know whether a VPS is sending SPAM.

It seems that an 18-hour reaction time and 5 IPs are reason enough for UCEPROTECT to blacklist our entire /24 range.

Now we expect that UCEPROTECT will remove the listing in the next few days.

:(

Comments

  • UCEPROTECT is often slow with their BL Removals! It's a bummer they BL'd the entire /24 though.

  • If I were you I would remove those IP's. We all know LET.

    Thanked by 1DigitalFyre
  • jmginerjmginer Member, Patron Provider
    edited July 2016

    The craziest part is that a customer contacted UCEPROTECT, and their response was:

    YOU ARE NOT!. Your IP 185.47.131.xxx was NOT involved in a spamrun, 
    but has a spammy neighborhood. Other customers within this range did 
    not care about their security and got hacked and started spamming, 
    while your provider has possibly not even noticed that there is a serious problem.
    We are sorry for you, but you have chosen a provider not acting fast enough 
    on spammers.

    We are sorry for you, but you have chosen a provider not acting fast enough on spammers.

    WTF!!!?

    Thanked by 1linuxthefish
  • zafouhar said: If I were you I would remove those IP's. We all know LET.

    Thanked by 1netomx
  • jarjar Patron Provider, Top Host, Veteran
    edited July 2016

    Extortion racket, nothing more. Anyone filtering anything based on their list seals their own fate for being uninformed.

    It should not be your concern that a random blacklist mentions your IPs. Anyone can make a blacklist and list any range they want. Anyone subscribing to these lists should be prepared to defend their choice, and they should be the ones receiving the complaints.

  • raindog308raindog308 Administrator, Veteran

    I've just added 0.0.0.0/32 to RaindogRBL.

    Sorry, but your "Internet" is a spammy neighborhood.

    Thanked by 2netomx cassa
  • IshaqIshaq Member

    @raindog308 said: I've just added 0.0.0.0/32 to RaindogRBL.

    That's just one IP :P

  • raindog308raindog308 Administrator, Veteran

    Ishaq said: That's just one IP :P

    I knew I shouldn't have outsourced all technical operations offshore...

  • is a /24 not the standard minimum subnet for all blacklists tho

  • SpartanHostSpartanHost Member, Host Rep

    @texteditor said:
    is a /24 not the standard minimum subnet for all blacklists tho

    No, lots just blacklist a /32 to begin with then if a large amount in the /24 are blacklisted then they usually go that route but certainly not immediately or if 5 IPs are blacklisted in the /24.

  • ShadeShade Member

    UCEProtect are "a**holes" ... i had a lot of trouble with this dumb "company"...

  • @jmginer said:
    We are sorry for you, but you have chosen a provider not acting fast enough on spammers.

    WTF!!!?

    What's so crazy about that? By your own admission, you don't even begin to care what your customers are doing until after major abuse has occurred. Nobody here knows if you run your business in a way that justifies that level of trust. We don't know how many spam were sent over what time period from that (one?) customer's range of IPs. Perhaps UCEPROTECT is overly aggressive, but you really haven't made the case for yourself in this instance.

    As I've mentioned in another thread, I have that entire /8 in my firewall because of the widespread abuse that originates from there. So, yeah, do a better job screening your customers, and work with all the providers above you to make sure they're doing the same.

  • MaouniqueMaounique Host Rep, Veteran
    edited July 2016

    impossiblystupid said: I have that entire /8 in my firewall

    Nice, so you are blocking Prometeus too, which has 0 IPs listed at the UCEPROTECT racketeering scam.
    http://www.uceprotect.net/en/rblcheck.php AS(N) 34971
    Also my Voxility IPs, but you are not blocking Frantech Solutions, which has 18 IPs listed and a /24.
    UCEPROTECT blocked the whole of UPC in Romania, including the business range, because people were infected at home on dynamic ranges which should have been blocked anyway as they have no business running mail servers. Can anyone really believe the average Joe can be educated to avoid trojans when the US government gets hacked? Punish their provider, really???

    I am sorry @impossiblystupid, I have read your posts here with interest most of the time, but this is one which illustrates your chosen nick.

  • jmginerjmginer Member, Patron Provider
    edited July 2016

    @impossiblystupid

    I will try to re-explain: UCEPROTECT did the blacklisting AFTER we had stopped/closed our spamming customer's server.

    For UCEPROTECT we don't act fast, but how to put it, what is the word to describe their act?

  • UCEPROTECT is time based. I'd rather deal with them than a SBL on something bigger than a /24.

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    Yeah UCEPROTECT is terrible. I don't know of any serious company that uses them due to the way they operate.

    Francisco

    Thanked by 2Shade lbft
  • @Maounique said:
    Nice, so you are blocking Prometeus too, which has 0 IPs listed at the UCEPROTECT racketeering scam.

    I don't care what UCEPROTECT or any other blacklist is doing. I'm blocking based on actual abuse that comes to my servers. Not just spam, either, but also scans for web vulnerabilities and ssh break-in attempts.

    you are not blocking Frantech solutions

    How do you know I'm not? What's the actual range you're talking about?

    Can anyone really believe the average Joe can be educated to avoid trojans

    If you can't educate them, stop taking them on as customers. Otherwise, don't complain if they shoot the reputation of your IPs to hell.

  • @jmginer said:

    I will try to re-explain: UCEPROTECT did the blacklisting AFTER we had stopped/closed our spamming customer's server.

    For UCEPROTECT we don't act fast, but how to put it, what is the word to describe their act?

    What's so hard to understand? Spammers lie all the time, and historically so have the providers that serve them. Nobody outside your company knows whether or not you're really on the up-and-up. You admit to having a lackadaisical policy, at the very least, when it comes to dealing with abusive customers. It is not unreasonable for you to get blacklisted for a while to make sure you've actually taken action. Take your lumps and learn from this experience.

    And, like I said, you're also probably blocked directly by many other people who have less forgiving policies. There's very little you can do once that damage is done. It doesn't profit me to accept abuse from your network.

  • jmginerjmginer Member, Patron Provider
    edited July 2016

    @impossiblystupid said:
    You admit to having a lackadaisical policy,

    I have not admitted anything of this.

    We check all our IPs every 24h against more than 30 blacklists, and the customer using the IP is notified automatically with an e-mail that most customers have told us is a bit "aggressive".

    Can we filter + analyze L7 connections on our routers? Yes

    Will we do it? No

    Maybe for you it is a lackadaisical policy; for us it is a privacy policy.

    Thanked by 3Shade Clouvider aglodek
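An added example of the kind of check jmginer describes (all IPs checked against blacklists every 24h), not his actual script and not code from any list operator: it builds the DNSBL query name for each address in a /24, records which zones answer, and summarises listings per /24 so a block with several listed hosts stands out before the whole range gets treated as a "spammy neighborhood". The zone names and the 127.0.0.0/8 answer convention are assumptions taken from the lists' public documentation rather than from this thread; the resolver is injectable, so the sample run uses constructed answers for the RFC 5737 range 192.0.2.0/24 and works offline.

```python
"""Check a provider's IPv4 range against DNS-based blacklists (DNSBLs).

Added example, not jmginer's actual monitoring script. Each DNSBL is queried
by reversing the IP's octets under the list's zone (a.b.c.d -> d.c.b.a.zone);
an A record in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed".
Hits are then summarised per /24 so the operator sees a block approaching
a neighbourhood-style listing.
"""
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Zone names are assumptions taken from the lists' public documentation,
# not from the thread; confirm them before relying on the results.
DNSBL_ZONES = ["zen.spamhaus.org", "dnsbl-1.uceprotect.net", "dnsbl-2.uceprotect.net"]

Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Resolve name with the system resolver; None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name a DNSBL expects."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_ip(ip: str, zones: List[str], resolve: Resolver = live_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # DNSBL listings answer inside 127.0.0.0/8; anything else is not a listing
        if answer is not None and answer.startswith("127."):
            hits[zone] = answer
    return hits


def scan_range(cidr: str, zones: List[str], resolve: Resolver = live_resolver) -> Dict[str, Dict[str, str]]:
    """Check every host address in cidr; return {ip: {zone: answer}} for the listed ones."""
    listed = {}
    for host in ipaddress.IPv4Network(cidr, strict=False).hosts():
        hits = check_ip(str(host), zones, resolve)
        if hits:
            listed[str(host)] = hits
    return listed


def neighbourhood_report(listed: Dict[str, Dict[str, str]], threshold: int = 5) -> Dict[str, dict]:
    """Group listed IPs by /24 and mark blocks with >= threshold listed hosts."""
    per_block = defaultdict(list)
    for ip in listed:
        block = ipaddress.IPv4Network(ip + "/24", strict=False)
        per_block[str(block)].append(ip)
    return {
        block: {"count": len(ips),
                "ips": sorted(ips, key=ipaddress.IPv4Address),
                "at_risk": len(ips) >= threshold}
        for block, ips in per_block.items()
    }


# Constructed sample for offline use: five hosts in the RFC 5737 documentation
# range 192.0.2.0/24 (standing in for the thread's /24) pretend to be listed.
FAKE_LISTED = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for live_resolver: answers 127.0.0.2 for FAKE_LISTED hosts."""
    ip = ".".join(reversed(name.split(".")[:4]))
    return "127.0.0.2" if ip in FAKE_LISTED else None


if __name__ == "__main__":
    # swap in live_resolver to query the real lists
    found = scan_range("192.0.2.0/24", DNSBL_ZONES, fake_resolver)
    for block, info in neighbourhood_report(found).items():
        print(f"{block}: {info['count']} listed, at risk: {info['at_risk']}")
```

A full /24 against three zones is about 760 queries, so a real run should go through a local caching resolver rather than a public one, and the per-/24 count is the number to alert on: a single listed host is a customer problem, several in one block is the provider's.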
  • @jmginer said:
    We check all our IPs every 24h against more than 30 blacklists, and the customer using the IP is notified automatically with an e-mail that most customers have told us is a bit "aggressive".

    Then you are doing business with the wrong kind of customers.

    Maybe for you it is a lackadaisical policy; for us it is a privacy policy.

    There is a wide range of measures that fall between deep packet inspection and allowing spammers free reign for a full day. You're welcome to not do them, but then you shouldn't be surprised when you get blocked with increasing severity. None of your complaints actually work towards solving your problems. Change your approach if you want people to stop acting "crazy" in response to your current practices.

  • linuxthefishlinuxthefish Member
    edited July 2016

    impossiblystupid said: There is a wide range of measures that fall between deep packet inspection and allowing spammers free reign for a full day. You're welcome to not do them, but then you shouldn't be surprised when you get blocked with increasing severity. None of your complaints actually work towards solving your problems. Change your approach if you want people to stop acting "crazy" in response to your current practices.

    Acting on abuse complaints and blacklists is the industry standard for dedicated servers, with the exceptions including OVH and CC who inspect SMTP traffic and nullroute IP's with high mail volume - and we all know they are far from clean networks.

  • @linuxthefish said:
    exceptions including OVH and CC who inspect SMTP traffic and nullroute IP's with high mail volume - and we all know they are far from clean networks.

    Perhaps it is because the big providers accumulate spammers that they feel they need to go to those extremes. I'd say it's essentially a situation that every provider finds themselves in at some point. The only question is whether or not the actions taken (or not taken) still allow them to remain in business. My contention is simply that @jmginer could do more while still respecting the client's privacy.

  • jarjar Patron Provider, Top Host, Veteran
    edited July 2016

    impossiblystupid said: Perhaps it is because the big providers accumulate spammers that they feel they need to go to those extremes

    More and more will. As IPv4 grows in value, so does the value of its continued functionality. IPv4 is still in high demand, and we ain't getting any more numbers. Companies like Vade Retro, like OVH uses, will see nice raises in profits while hosting companies scramble to deal with IP reputation. This will all be driven by companies like Gmail, Microsoft, AOL, Yahoo, and Verizon who militantly dictate what they consider acceptable for IP owners, and customers will not hold those email services accountable for their high demands. As a result, customers will be inconvenienced by providers who are forced to take extreme measures to meet customer demands.

    The most annoying part of all of that can be found in these two parts:
    "customers will not hold those email services accountable for their high demands"
    "customers will be inconvenienced by providers who are forced to take extreme measures to meet customer demands"

    Because customers will continue to hold their hosting providers solely accountable for mail deliverability issues, they will force companies to take those extreme measures.

    Thanked by 1impossiblystupid
  • MaouniqueMaounique Host Rep, Veteran

    jarland said: Because customers will continue to hold their hosting providers solely accountable for mail deliverability issues, they will force companies to take those extreme measures.

    Not really and this has nothing to do with UCEPROTECT anyway.
    We are extremely far from DPI, we only have flow checks and sane policies of not allowing /24 on a 512 MB VM, policies which are not even ours, but originate from RIPE.
    Also, we don't just allow the first comer to sign up from a proxy with a stolen card; some of them even came here to complain they were rejected and sent us threatening tickets about it.
    That is enough to keep spammers at bay, but this does not mean UCEPROTECT has any meaning in this "battle". Blocklists are largely meaningless these days when people use Google mail services and fewer and fewer legitimate needs for a mail-sending VPS arise (apart from managing your own email with encryption and privacy in mind, also for sending automated notifications to your own unfiltered server, for example).
    Many providers block outgoing port 25 altogether with little to no problems. Also, big email providers operate more and more on a whitelist basis, or block any new IP without reputation. This is something that I think happens at the likes of Microsoft, for example.

    impossiblystupid said: If you can't educate them, stop taking them on as customers. Otherwise, don't complain if they shoot the reputation of your IPs to hell.

    This is simply insane, expecting every internet user to be an IT pro, I mean.
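The thread contrasts deep packet inspection with "flow checks" (Maounique) and with providers that null-route IPs with high mail volume (linuxthefish). As an added example, not the system of any provider named here, this script shows what a flow-level SMTP check looks like: it reads constructed flow records (timestamp, source, destination, port, packets), never message content, and flags a tenant address that opens port-25 flows to an unusual number of distinct peers within one time window. The record format, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the example.

```python
"""Flag tenant VMs that open outbound SMTP flows to an unusual number of peers.

Added example, not the actual system of any provider in this thread. It works
on exported flow summaries (timestamp, source, destination, port, packets)
and never looks at message content, so it fits the "flow checks, not DPI"
approach. A spam run typically fans out to many distinct destination MTAs in
a short time, which is the signal measured here.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

SMTP_PORT = 25


class Flow(NamedTuple):
    ts: int       # unix time the flow started
    src: str      # tenant VM address
    dst: str      # remote address
    dport: int    # destination port
    packets: int


def parse_flow_line(line: str) -> Flow:
    """Parse one record in the constructed '<ts> <src> <dst> <dport> <packets>' format."""
    ts, src, dst, dport, packets = line.split()
    ipaddress.ip_address(src)   # raise ValueError on malformed input rather than
    ipaddress.ip_address(dst)   # silently counting garbage
    return Flow(int(ts), src, dst, int(dport), int(packets))


def distinct_smtp_peers(flows: Iterable[Flow], window: int = 3600) -> Dict[str, Dict[int, Set[str]]]:
    """Per source and per time window: the distinct hosts it opened port-25 flows to."""
    peers: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.dport == SMTP_PORT:
            peers[f.src][f.ts // window].add(f.dst)
    return peers


def flag_bulk_senders(flows: Iterable[Flow], threshold: int = 100, window: int = 3600) -> List[str]:
    """Sources that reached >= threshold distinct SMTP peers within a single window."""
    flagged = [src for src, buckets in distinct_smtp_peers(flows, window).items()
               if any(len(dsts) >= threshold for dsts in buckets.values())]
    return sorted(flagged, key=ipaddress.ip_address)


# Constructed sample flows (RFC 5737 addresses, one constructed hour starting at
# unix time T0): .10 fans out to eight MTAs, .20 talks to two, .30 contacts eight
# but split across two hourly windows, and .40 is busy on port 443 only, which
# must not count as mail.
T0 = 1468598400
SAMPLE_LINES = (
    [f"{T0 + n} 192.0.2.10 203.0.113.{n} 25 12" for n in range(1, 9)]
    + [f"{T0 + 100} 192.0.2.20 203.0.113.1 25 40", f"{T0 + 200} 192.0.2.20 203.0.113.2 25 35"]
    + [f"{T0 + 3500} 192.0.2.30 198.51.100.{n} 25 10" for n in range(1, 5)]
    + [f"{T0 + 3700} 192.0.2.30 198.51.100.{n} 25 10" for n in range(5, 9)]
    + [f"{T0 + n} 192.0.2.40 203.0.113.{n} 443 300" for n in range(1, 20)]
)
SAMPLE_FLOWS = [parse_flow_line(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    # a small threshold makes the constructed sample trip; tune it to the real fleet
    print("flagged (threshold 5, 1h window):", flag_bulk_senders(SAMPLE_FLOWS, threshold=5))
    print("flagged (threshold 5, 2h window):", flag_bulk_senders(SAMPLE_FLOWS, threshold=5, window=7200))
```

Counting distinct peers rather than packets or bytes keeps a legitimate busy mail server (many messages to a handful of relays) below the line while a VPS spraying hundreds of MTAs crosses it; the window size decides how much a sender can spread the fan-out before it stops being noticed, which the .30 case in the sample illustrates.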

  • @Maounique said:

    impossiblystupid said: If you can't educate them, stop taking them on as customers. Otherwise, don't complain if they shoot the reputation of your IPs to hell.

    This is simply insane, expecting every internet user to be an IT pro, I mean.

    The only questionable thinking is trying to enforce a mandatory false dichotomy. It's not only a choice between DPI or just let the inmates run the asylum. It's not only a choice between technology superstars or complete noobs. All I'm saying is that, if you find yourself whining about being blacklisted, maybe consider aiming a bit higher.

  • MaouniqueMaounique Host Rep, Veteran
    edited July 2016

    impossiblystupid said: All I'm saying is that, if you find yourself whining about being blacklisted, maybe consider aiming a bit higher.

    I think your problem comes from the TL;DR issue which plagues younger generations, I think you may be under 30.
    You probably did not read my post:

    Maounique said: UCEPROTECT blocked the whole UPC in romania, including the business range because people were infected at home on dynamic ranges which should have been blocked anyway as they have no business in running mailservers. Can anyone really believe the average Joe can be educated to avoid trojans when the US government gets hacked? Punish their provider, really???

    So, I ask again, more clearly this time, can anyone believe a test in IT security can be required from people who want internet at home?
    (OK, I concede, not 100% must be passed, but, say, 50% required at least?)

    Another point I made is that even powerful governments get hacked, so, even with an average level of expertise, it is safe to say that non-specialists will be hacked sooner rather than later, and if you are a large ISP with millions of subscribers, you WILL have hundreds if not thousands of customers on the dynamic ranges (which change, so more and more will be listed) hacked (even with such a test, they have kids, parents, spouses using the internet) scanning, mailing, DDoSing, etc. Block the whole provider? Are you absolutely sure?

  • @Maounique said:
    I think your problem comes from the TL;DR issue which plagues younger generations, I think you may be under 30.

    The problem is not that I don't understand you, it's that you refuse to understand why you are wrong. I'll give it one more shot.

    So, I ask again, more clearly this time, can anyone believe a test in IT security can be required from people who want internet at home?

    Straw man. My point is that someone in the loop should know what they're doing. If it's not the end user, it should be their provider. If an ISP is not going to provide competence as a value-added service, they should not be selling to beginners. There's a reason managed hosting costs more than unmanaged.

    Block the whole provider? Are you absolutely sure?

    Yes. Invoking human shields is the act of a despot. It doesn't matter that anybody can get hacked. What matters is the policies a provider has in place to deal with the external costs of the abuse that gets done. It'd be a different story if you offered a reward for reporting when your customers are doing bad things. So, yeah, I'm going to block anyone that clearly isn't serious about stopping the crap traffic that flows out of their network, including government systems. It is their problem to fix, not mine.

  • MaouniqueMaounique Host Rep, Veteran
    edited July 2016

    impossiblystupid said: Straw man. My point is that someone in the loop should know what they're doing. If it's not the end user, it should be their provider. If an ISP is not going to provide competence as a value-added service, they should not be selling to beginners. There's a reason managed hosting costs more than unmanaged.

    Once again, please, pretty please, read what I quoted. Show me the word hosting there and I eat the monitor. Anyone was a beginner at times; maybe we should put some firewall on major ISPs like in schools or in China, which, by the way, do not stop much abuse.

    impossiblystupid said: So, yeah, I'm going to block anyone that clearly isn't serious about stopping the crap traffic that flows out of their network, including government systems. It is their problem to fix, not mine.

    You do that, I am sure someone at 0.0.0.0/0 has a trojan of sorts.

    Thanked by 1Clouvider