UCEProtect Level 3

Is anyone else out there aware that the UCEProtect Level 3 email blacklist blocks entire AS?

r

Yes. Is that a problem?

Raleigh Apple wrote:

Is anyone else out there aware that the UCEProtect Level 3 email
blacklist blocks entire AS?

http://lmgtfy.com/?q=uceprotect+level+3

Yes. We don't use them anymore.

It is. I understand what they are trying to do but we were cut off
from some places because someone else in the huge upstream we are with
did something that appeared to be spam. It's too broad of a brush.

We stopped using UCEProtect in most places recently after using it for, I think, a year or two -- Level 2 was blacklisting giant-sized netblocks (i.e., most Cablevision cablemodem IP space, twice, as well as large chunks of AboveNet space, and that's just what I noticed).

Indeed. That is the sort of vigilantism that leads to filtering chaos. What happens when other ASNs start filtering the entire AS of UCEProtect's upstream(s) as a response?

-Matt

Anyone who reads their description of it would be:

http://www.uceprotect.net/en/index.php?m=3&s=5

Are you one of the ASes they blacklist on that list?

Is there anyone out there aware of any significant (or larger than
'man and his dog on a DSL') mail provider using UCEPROTECT?

It's not the tool or list itself, but the horrible manner in which
someone chose to use the list.

Those places who chose to perform cut offs blindly based on the
listing are responsible, and have their own users to answer to. The
UceProtect L3 website displays a very prominent admission of guilt
(they are open about their listing criteria):

"This blacklist has been created for HARDLINERS. It can, and probably
will cause collateral damage to innocent users when used to block
email."

So there should be little ignorance on the matter by users. The
value of the list is heuristic, for scoring, e.g. SpamAssassin score,
and use of the list should be combined with an informed decision,
before blocking mail from a sender based on it. Under those
conditions, lists like that can be quite useful.

If you try hard enough, you can find virus scanners that identify
clean system-critical files as possible malware, and firewalls that
identify normal surfers as evil hackers...

If you have that software and didn't do the research, that's your problem.
If you have that software and set it to automatically delete files, or
if you have the overzealous firewall and you wrote a script to IP-ban
based on the firewall log, the firewall is not responsible for _that_
problem.

The list/tool provider is only an accomplice, to the extent that
they misinform you, or encourage you to use the list/tool in a poor
way given the tool's limitations....

Suresh Ramasubramanian wrote:

Is anyone else out there aware that the UCEProtect Level 3 email blacklist
blocks entire AS?

Is there anyone out there aware of any significant (or larger than
'man and his dog on a DSL') mail provider using UCEPROTECT?

dnsbl-1.uceprotect.net and dnsbl-2.uceprotect.net work well with SpamAssassin (scoring system). http://stats.dnsbl.com/ keeps some ham/spam stats on various lists. YMMV.

Problems arise when an 'admin' gets their hands on an inexpensive anti-spam appliance that makes enabling blacklists a checkbox on a web form with little or no documentation about each list.

Ken

James Hess wrote:

It's not the tool or list itself, but the horrible manner in which
someone chose to use the list.

Exactly. We can't be responsible for what our users are doing.

Those places who chose to perform cut offs blindly based on the
listing are responsible, and have their own users to answer to. The
UceProtect L3 website displays a very prominent admission of guilt
(they are open about their listing criteria):

"This blacklist has been created for HARDLINERS. It can, and probably
will cause collateral damage to innocent users when used to block
email."

So there should be little ignorance on the matter by users. The
value of the list is heuristic, for scoring, e.g. SpamAssassin score,
and use of the list should be combined with an informed decision,
before blocking mail from a sender based on it. Under those
conditions, lists like that can be quite useful.

I will give you some more examples of how it can be very useful:

You can use it to block emails from systems with no PTR or
generic PTRs.

You can use it to block emails from systems having a non-FQDN
HELO/EHLO.

You can use it to block emails from systems which are also listed in
very aggressive point blocklists (single-IP blocklists).

You can use it to do excessive greylisting (I recommend at least 2 hours)
to find out if the system will show up on other blocklists in the meantime.

As you can see the only limit is your imagination.
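
As an added illustration (not part of any message in the thread, and not UCEPROTECT's or SpamAssassin's own code), the combination described above can be written as a policy function in which a Level 3 listing alone never rejects mail. The function names, the generic-PTR pattern and the sample inputs are constructed assumptions, and DNS results are passed in so the code runs offline.

```python
import ipaddress
import re

# dnsbl-1 is named in the thread; dnsbl-3 is UCEPROTECT's Level 3 (whole-AS) zone.
L1_ZONE = "dnsbl-1.uceprotect.net"
L3_ZONE = "dnsbl-3.uceprotect.net"
GREYLIST_SECONDS = 2 * 3600  # "at least 2 hours", as recommended in the thread

# Constructed heuristic for a "generic" PTR: embedded IP octets or pool-style words.
GENERIC_PTR = re.compile(r"(\d+[-.]){3}\d+|dsl|dhcp|dyn|pool|cable", re.I)


def dnsbl_query_name(ip, zone):
    """IPv4 a.b.c.d is queried as d.c.b.a.<zone>; an A record means 'listed'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_fqdn(helo):
    """True for a dotted hostname; False for bare names and IP literals."""
    labels = helo.rstrip(".").split(".")
    well_formed = all(re.fullmatch(r"[A-Za-z0-9-]{1,63}", lab) for lab in labels)
    return len(labels) >= 2 and well_formed and not labels[-1].isdigit()


def decide(listed_zones, ptr, helo):
    """Return (action, reasons). listed_zones: zones that returned an A record."""
    if L3_ZONE not in listed_zones:
        return "accept", []
    reasons = []
    if ptr is None:
        reasons.append("no PTR")
    elif GENERIC_PTR.search(ptr):
        reasons.append("generic PTR")
    if not is_fqdn(helo):
        reasons.append("non-FQDN HELO")
    if L1_ZONE in listed_zones:
        reasons.append("listed on single-IP list")
    if reasons:
        # The AS-wide listing only counts together with a per-host signal.
        return "reject", ["AS listed on L3"] + reasons
    # Listed AS but otherwise clean host: defer for GREYLIST_SECONDS and re-check.
    return "greylist", ["AS listed on L3"]
```

A clean host in a listed AS is deferred rather than refused, which avoids the collateral damage the earlier posters describe.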