UCEPROTECT Fake Reports - Page 2


Comments

  • jar Patron Provider, Top Host, Veteran

    @quags said:

    @jar said:
    It’s mxrbl.com. Feel free to use it. Nothing on it is listed lightly without consideration.

    Can you add an entry for 127.0.0.2 for testing purposes?

    I can add a wildcard at *.bl.mxrbl.com so it can replicate the intent of mxtoolbox.

    Thanked by 1: bulbasaur
  • randvegeta Member, Host Rep
    edited April 2021

    @LTniger said:

    @randvegeta said: I already stated that the IPs have been null route for over a week, and the NULL ROUTED IPs are getting new reports DAILY. How does that even happen?

    You are an idiot if you ask such a question here. They operate a fully automated blacklist and you are too insignificant for them to perform a manual block. Maybe a malfunction? Contact them: http://www.uceprotect.net/en/index.php?m=8&s=0

    So, chill out mate and take real actions to solve your problem without bashing someone.

    P.S. This looks ominous http://www.uceprotect.org/

    "WARNING: Do not play around here. You have no idea who we really are, and what will happen to you!"

    P.P.S. http://www.uceprotect.org/cart00neys/index.html :D

    Do you know what null routing does?

    Do you know what cutting power to the server does?

    Tell me what a responsible host should do and why null routing and cutting power are insufficient?

    Thanked by 2: Daniel15, tech2_AU
  • quags Member

    For testing I'd generally expect 2.0.0.127.bl.mxrbl.com to respond. Like spamhaus

    Name: 2.0.0.127.dbl.spamhaus.org
    Address: 127.0.1.255

  • jar Patron Provider, Top Host, Veteran
    edited April 2021

    @quags said:
    For testing I'd generally expect 2.0.0.127.bl.mxrbl.com to respond. Like spamhaus

    Name: 2.0.0.127.dbl.spamhaus.org
    Address: 127.0.1.255

    I test all day in production but here’s one you can try:

    root@pdns1:~# rbladd 1.3.3.7
    Apr 01 18:25:08 [bindbackend] Parsing 0 domain(s), will report when done
    Apr 01 18:25:08 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
    Current records for 7.3.3.1.bl.mxrbl.com IN A will be replaced
    New rrset:
    7.3.3.1.bl.mxrbl.com. 600 IN A 127.0.0.2

    LET and pastes never work for me.
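For anyone who wants to script the lookup quags and jar are describing (reversed octets in front of the zone, 127.0.0.2 as the conventional "listed"/test answer), here is an added example. It is not code from the thread, from mxrbl.com or from Spamhaus; it builds the query name for IPv4 and IPv6, classifies the A record, and takes an injectable resolver so the logic can be exercised offline against a constructed answer table. Treating any answer outside 127.0.0.0/8 as bogus is a sanity check assumed here, not something any zone on this page documents.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# DNSBLs answer with an address in 127.0.0.0/8; the low octet's meaning is
# zone-specific. 127.0.0.2 is the usual "listed" / test answer (assumption:
# the exact codes a given zone returns must be taken from that zone's docs).


def dnsbl_query_name(address: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets, or reversed IPv6
    nibbles, followed by the zone. 127.0.0.2 -> 2.0.0.127.bl.mxrbl.com"""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        # IPv6 DNSBLs use all 32 hex nibbles of the expanded address, reversed.
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def interpret_answer(answer: Optional[str]) -> str:
    """Classify a DNSBL A-record answer. None stands for NXDOMAIN (not listed)."""
    if answer is None:
        return "not listed"
    code = ipaddress.ip_address(answer)
    if code not in ipaddress.ip_network("127.0.0.0/8"):
        # A public address here means a wildcard / dead zone or a resolver
        # that rewrites NXDOMAIN. Never score mail on it.
        return "unexpected answer (ignore)"
    return "listed (%s)" % answer


def check(address: str, zone: str,
          resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Query one zone. gethostbyname raises socket.gaierror on NXDOMAIN;
    `resolve` is injectable so the logic can be tested without the network."""
    name = dnsbl_query_name(address, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        answer = None
    return interpret_answer(answer)


def fake_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for gethostbyname backed by a constructed table."""
    def _resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(8, "nodename nor servname provided")  # NXDOMAIN
    return _resolve


if __name__ == "__main__":
    # Constructed answers: the 127.0.0.2 test entry, the 1.3.3.7 record from
    # the post above, and one wildcard-style answer to show the sanity check.
    table = {
        "2.0.0.127.bl.mxrbl.com": "127.0.0.2",
        "7.3.3.1.bl.mxrbl.com": "127.0.0.2",
        "8.8.8.8.bl.example.invalid": "203.0.113.5",
    }
    offline = fake_resolver(table)
    for ip, zone in [("127.0.0.2", "bl.mxrbl.com"), ("1.3.3.7", "bl.mxrbl.com"),
                     ("8.8.8.8", "bl.example.invalid"), ("192.0.2.1", "bl.mxrbl.com")]:
        print(ip, zone, "->", check(ip, zone, resolve=offline))
```

Drop the `resolve=` argument to query a real zone through the system resolver; keep the non-127/8 check in place, because a zone that is retired or wildcarded will otherwise look like it lists the whole internet.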

  • As far as I know, UCEPROTECT is run by one person who uses a fake name online (Claus von Wolfhausen), and he's ridiculously sexist:
    http://www.uceprotect.org/cart00neys/2021-001.html

    It's a garbage blacklist that's just used to extort people. Unfortunately Microsoft do appear to use them :(

    Thanked by 2: randvegeta, skorupion
  • Levi Member

    @randvegeta said:

    Do you know what null routing does?

    Do you know what cutting power to the server does?

    Tell me what a responsible host should do and why null routing and cutting power are insufficient?

    Care to share a few listings here? Especially those "fake" ones.

  • randvegeta Member, Host Rep

    @LTniger said:

    Care to share a few listings here? Especially those "fake" ones.

    Sure.

    FYI, our ASN is AS133398. You can look us up. Our entire ASN is on their Level 3 list.

    http://www.uceprotect.net/en/asn-details.php?asn=133398&accesskey=2263e2d610b47f33380cd614ef8daebb

    Here you can see 8 IPs listed. All the IPs with multiple impacts have been null routed and server shut down. You can see the latest impacts were today and yesterday. And yet all the IPs with multiple impacts were disabled over a week ago. It is simply IMPOSSIBLE for the reports to be genuine.

    Even if they were genuine, the listing affects our entire ASN. We have almost 9,000 IPs under our network, and all are affected because of an alleged 8 IPs sending out spam. And it's not even true. But even if it were true, that's a case rate of less than 0.1%.

    Bloody ridiculous.

    I will not play their games. I will not pay them for express delisting.

  • Levi Member
    edited April 2021

    @randvegeta said:

    Sure.

    FYI, our ASN is AS133398. You can look us up. Our entire ASN is on the their Level3 list.

    http://www.uceprotect.net/en/asn-details.php?asn=133398&accesskey=2263e2d610b47f33380cd614ef8daebb

    Here you can see 8 IPs listed. All the IPs with multiple impacts have been null routed and server shut down. You can see the latest impacts were today and yesterday. And yet all the IPs with multiple impacts were disabled over a week ago. It is simply IMPOSSIBLE for the reports to be genuine.

    Even if they were genuine, the listing affects our entire ASN. We have almost 9,000 IPs under our network, and all are affected because of an alleged 8 IPs sending out spam. And it's not even true. But even if it were true, that's a case rate of less than 0.1%.

    Bloody ridiculous.

    I will not play their games. I will not pay them for express delisting.

    Took a quick look at your ASN. 185.36.81.0/24 is marked as still growing in reports. And it seems the ASN had hundreds of listings from a few different subnets. Uncontrolled Level 1 brought you to Level 3. Too slow to react to spam. This means a properly unsupervised network.

    You can't delist with express while your reports are still growing. Monitor your network activities.

  • randvegeta Member, Host Rep

    @LTniger said:

    Took a quick look at your ASN. 185.36.81.0/24 is marked as still growing in reports. And it seems the ASN had hundreds of listings from a few different subnets. Uncontrolled Level 1 brought you to Level 3. Too slow to react to spam. This means a properly unsupervised network.

    You can't delist with express while your reports are still growing. Monitor your network activities.

    Fake reports can't be remedied.

  • jar Patron Provider, Top Host, Veteran

    @LTniger said: 185.36.81.0/24

    Good bit of brute force from those recently:

         114 185.36.81.174
         231 185.36.81.21
         585 185.36.81.39
           4 185.36.81.58
           3 185.36.81.98

    Just from a quick run of:

    darun grep 185.36.81. /var/log/exim/mainlog | grep Incorrect | awk '{print $9}' | sed 's/\[//' | sed 's/\]//' | sed 's/\://' | sort | uniq -c

    Runs against the DA servers.
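The grep/awk/uniq pipeline above does one thing: count failed SMTP AUTH attempts per source IP. Here is an added example (not jar's code, and not part of DirectAdmin or Exim) that does the same over Exim's `... authenticator failed for (<EHLO>) [<ip>]: 535 Incorrect authentication data (set_id=<user>)` lines, restricts to a prefix the way `grep 185.36.81.` does, and additionally keeps the EHLO names per IP so that the "randomized EHLO" botnet pattern jar mentions later shows up as a separate flag. The log lines, thresholds and the assumption that the log format above is what your Exim writes are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Exim's failed-AUTH log line (format assumed here, check against your own mainlog):
#   <date> <time> <auth> authenticator failed for (<EHLO name>) [<ip>]: 535 Incorrect authentication data (set_id=<user>)
# The EHLO name is whatever the client claimed, which is what makes it a useful signal.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\](?::\d+)?: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?"
)


@dataclass
class SourceStats:
    failures: int = 0
    helos: Set[str] = field(default_factory=set)
    users: Counter = field(default_factory=Counter)
    first_seen: str = ""
    last_seen: str = ""


@dataclass
class Hit:
    ip: str
    failures: int
    randomized_helo: bool   # many distinct EHLO names from one IP
    top_users: List[str]


def parse_auth_failures(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate failed-AUTH events per client IP (the awk | sort | uniq -c step)."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue                      # deliveries, rejects, anything else
        s = stats[m["ip"]]
        s.failures += 1
        s.helos.add(m["helo"])
        if m["user"]:
            s.users[m["user"]] += 1
        s.first_seen = s.first_seen or m["ts"]
        s.last_seen = m["ts"]
    return dict(stats)


def brute_force_sources(stats: Dict[str, SourceStats], min_failures: int = 10,
                        min_distinct_helos: int = 3,
                        network: Optional[str] = None) -> List[Hit]:
    """Sources at or above the failure threshold, optionally limited to one prefix
    (the grep 185.36.81. step), most active first. Thresholds are illustrative."""
    net = ipaddress.ip_network(network) if network else None
    hits: List[Hit] = []
    for ip, s in stats.items():
        if net is not None and ipaddress.ip_address(ip) not in net:
            continue
        if s.failures < min_failures:
            continue
        hits.append(Hit(ip, s.failures, len(s.helos) >= min_distinct_helos,
                        [u for u, _ in s.users.most_common(3)]))
    return sorted(hits, key=lambda h: -h.failures)


def make_sample_log() -> List[str]:
    """Constructed mainlog lines for the example; not traffic from the thread."""
    lines = []
    for i in range(12):   # one source cycling through made-up Windows hostnames
        lines.append("2021-04-01 03:%02d:07 login authenticator failed for (WIN-%04X) "
                     "[185.36.81.39]: 535 Incorrect authentication data (set_id=info)"
                     % (i, 0x1A2B + i * 977))
    for i in range(4):    # a second source with a constant EHLO
        lines.append("2021-04-01 04:%02d:31 plain authenticator failed for (mail.example.net) "
                     "[185.36.81.58]: 535 Incorrect authentication data (set_id=admin@example.net)" % i)
    lines.append("2021-04-01 05:10:02 login authenticator failed for (laptop) [192.0.2.10]: "
                 "535 Incorrect authentication data (set_id=alice)")   # a single typo
    lines.append("2021-04-01 05:10:05 1lRSq3-0001ab-Cd <= alice@example.net H=(laptop) "
                 "[192.0.2.10] P=esmtpsa S=1234")                      # unrelated line
    return lines


if __name__ == "__main__":
    stats = parse_auth_failures(make_sample_log())
    for h in brute_force_sources(stats, min_failures=3, network="185.36.81.0/24"):
        print("%6d %-16s randomized-EHLO=%-5s users=%s"
              % (h.failures, h.ip, h.randomized_helo, ",".join(h.top_users)))
```

A hit with `randomized_helo` set is the pattern described later in the thread; what to do with it (firewall rule, fail2ban jail, abuse report to the ASN) is the operator's call, and note that a null route on the attacker's side only stops replies reaching it, which the discussion below comes back to.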

  • jar Patron Provider, Top Host, Veteran
    edited April 2021

    Yeah I’m gonna have to say looking at the ASN that’s the /24 that they report as still growing, and I have brute force attacks from it today. From an IP that I can presently ping (185.36.81.21).

    Then from the others:

    45.125.65.63 brute force on 3/28 and 3/29

    91.224.92.142 - 1 today

    91.224.92.155 - A few on 3/29 and 3/30

    91.224.92.140 - A bunch on 3/30

    So I guess these are actually all accounted for in the last 2-3 days. All SMTP brute force which means that if they are successful elsewhere, they’re sending spam. The randomized EHLO statements are familiar, this is a common botnet.

    So @LTniger was right, and despite my dislike for them I had no reason to rant against them in this thread.

  • randvegeta Member, Host Rep

    @jar said:
    Yeah I’m gonna have to say looking at the ASN that’s the /24 that they report as still growing, and I have brute force attacks from it today. From an IP that I can presently ping (185.36.81.21).

    Then from the others:

    45.125.65.63 brute force on 3/28 and 3/29

    91.224.92.142 - 1 today

    91.224.92.155 - A few on 3/29 and 3/30

    91.224.92.140 - A bunch on 3/30

    So I guess these are actually all accounted for in the last 2-3 days. All SMTP brute force which means that if they are successful elsewhere, they’re sending spam. The randomized EHLO statements are familiar, this is a common botnet.

    So @LTniger was right, and despite my dislike for them I had no reason to rant against them in this thread.

    I don't usually null route or shutdown servers with a single report. Interesting though that 45.125.65.63 shows up. This was null routed over a week ago now, and server shut down a few days ago.

    Can you still send out spam from an IP if only inbound traffic is being blocked?

    I cannot understand how spam could be getting through with a null route in place.

  • randvegeta Member, Host Rep

    It's a handful of IPs. Not sure that's really worthy of blacklisting an ASN with >8K IPs. All null routed now anyway.

  • jar Patron Provider, Top Host, Veteran

    @randvegeta said: Can you still send out spam from an IP if only inbound traffic is being blocked?

    Yeah. I don't know how this botnet works but I assume every action isn't commanded externally; it's probably given the code to run independently and triggered to start running from an external command.

  • randvegeta Member, Host Rep

    @jar said:

    @randvegeta said: Can you still send out spam from an IP if only inbound traffic is being blocked?

    Yeah. I don't know how this botnet works but I assume every action isn't commanded externally; it's probably given the code to run independently and triggered to start running from an external command.

    UDP technically doesn't need a return path, but how do you do a brute force, or do any kind of smart exploit when you have no return packets? So DDoS, sure, it works. But brute force? I can't figure that out.

  • @jar said:

    @user54321 said:
    RBL are useless trash, mine is the only one you need
    You just need two entries to have perfect IP based protection, don't waste your space with thousands of listings other RBLs have.
    0.0.0.0/0
    2000::/3
    Is all you need if you rely on any IP based "protection"
    If you want to get delisted just pay me 1 bitcoin.

    Much easier to block actual spam networks than try to keep up with spammers who are using human intelligence to bypass your content filters. AI can’t compete with human intelligence, but you can block millions of spam and nothing else by blocking ServerHub. RBLs are an important part of a larger strategy for anyone who actually knows how to manage mail servers. Typically the only people who fully oppose RBLs are either spammers or people bad at securing their servers that get frustrated at everyone else over it.

    We dropped any IP-related stuff here completely and go only for text patterns and heuristics on attachments. Sure, it is more effort at the start than simply asking an RBL and you need enough email income to adapt, but the benefit of a lot fewer false positives, plus you can deliver from everywhere, is big.
    I have no problem if Spamhaus, UCE and all the others would disappear forever; their idea worked in the 2000s, now they are completely useless.

    Thanked by 1: quicksilver03
  • jackb Member, Host Rep
    edited April 2021

    @randvegeta said:

    UDP technically doesn't need a return path, but how do you do a brute force, or do any kind of smart exploit when you have no return packets? So DDoS, sure, it works. But brute force? I can't figure that out.

    I think his point is the host was already compromised and the C&C sends spoofed packets to the compromised hosts to hide its location.

  • @randvegeta said:
    Its a handful of IPs. Not sure that's really worth of blacklisting an ASN with >8K IPs. All null routed now any way.

    Some of those IP addresses are also listed in AbuseIPDB. The 185.36.81.98 has been reported 479 times to AbuseIPDB and the most recent report was 3 hours ago. You might have to check if hosts at those IPs were compromised before you remove the null routes.
