UCEProtect Spam Block List

[JElder]

We have recently had some problem delivery emails to a few customers - we have been getting complaints when we know we have sent the requested information! After a bit of backtracking, we have found our IP address is listed in a Spam Mail IP block list called UCEProtect.

UCEProtect is a IP blocklist that mail server owners can use to block certain IP addresses from delivering emails to their users. It is a system that is a useful spam indicator, in conjunction with content analysis, link analysis and other tools.

However, UCEProtect have a massive failing - they tend to block IP address ranges (rather than a single IP address). This will help with the spammers that use changing IP addresses, but also will block countless other users.

At the moment, they have blocked an entire range of BT email servers. A large number of emails are being rejected by users of this block list. There may indeed be some spam emails being generated inside this IP address range by spammers or virus infected machines, but there are also thousands of genuine, legitimate emails being blocked.

Any effective Spam solution has to BOTH block spam AND allow genuine emails through. Blocking a large IP address range totally fails the second part of this test.

BT have apparently contacted them about this, but they are asking for a large amount of money to remove the IP block. I will leave it to your own judgement to decide if this is a legitimate administration charge to solve a problem they created in the first place. Their website says that any complaints about extortion will result in a permanent IP block.

If you are a mail server admin, I would strongly recommend looking elsewhere for a IP block list, or only using UCEProtect as a single scoring aspect, not as a 100% spam failure. I would also suggest you check to see if your IP is on the block list (especially if you are a BT customer) - and be aware some emails will not be delivered.

 

[Jim2k]

Yup some of our clients are hit by this! I have urged them to route their mail through a 3rd party until BT can get it cleaned up or UCEProtect change their stance.

 

[MartCactus]

At the moment, they have blocked an entire range of BT email servers. A large number of emails are being rejected by users of this block list. There may indeed be some spam emails being generated inside this IP address range by spammers or virus infected machines, but there are also thousands of genuine, legitimate emails being blocked.

SPEWS list operated in this manner.

The idea is that they start with single IPs and then expand the blocks if the ISP shuffles the spammer to a clean one, or doesn't boot them off the network. Its just too much work to work at the level of single IP addresses most of the time.

People using the list want protection from spam - if a block of IPs is sending spam, it belongs on such a list. We used to use the SPEWS and Spamhaus lists that worked in the same way, occasionally it blocked real mail, but its blocked SO MUCH spam that we didn't care - it was a price worth paying.

The solution seems simple - get BT to stop the spamming from their network, and everyone (except the spammer, and perhaps BT who were merrily taking his money) is happy.

 

[KM-Tiger]

If you are a mail server admin, I would strongly recommend looking elsewhere for a IP block list,

Agreed, I only use zen.spamhaus as that is safe, and legitimate senders in dynamic ranges can opt out of the PBL.

That sort of extortion has been going on for a while, I think it was SORBS that started it.

 

[JElder]

@MartCactus

I do agree in principle, blocking ranges that host spammers that use dynamic IPs seems a good idea, until you realise the potential damage it may cause.

Any decent Spam system is measured in not only stopping spam, but not having false positives. When I checked it was only a handful of IP addresses out of several thousand that were sending spam - so (making the BIG assumption that all IPs send the same volumes) their spam blocker is blocking several hundred genuine emails for each spam - a very poor rate.

And asking for a E40 fee to be removed just makes me suspicious. They may have good intentions but their badly laid out site littered with spelling mistakes does not instil confidence in handing over payment details.

 

[JElder]

Been doing a bit more research on UCEProtect - it's worse than I thought!

They classify automated replies sent to their spam trap addresses as spam. As i'm sure you all know, spammer use random 'from' addresses, generally from the same spam list they send to.

Your email server gets the spam, and replies to the from address with:

• Autoresponse from your sales@ box
• Out of office reply
• User not known
• Any other automated response

This goes back to the spam trap, is classified as spam (even if it has clear headers showing it is a non deliverable report or similar) and your IP ends being blocked.

Seriously bad idea by UCE Protect. The only option is to turn off all auto responders and Non-Delivery Reports, but this would break email for legitimate users, who need to know if an email was not delivered due to a typo, or someone leaving.

Not sure what we can do about this now. Even if we were to pay their removal fee, as some other BT users are generating spam, it will end up being blocked again. Don't like this kind of extortion anyway - having to pay to resolve a problem they created - only Governments can get away with that!

 

[tomtom82]

Dear all,

I am a reporter with The Mail on Sunday. We have been alerted to your problems which appear to be very frustrating.

There appears to be a story here - and maybe a bit of publicity might quicken a solution to your problems!

Unfortunately, not being overly tech-literate, I don't understand exactly what is going on here.

If one of you could explain in detailed laymans' terms what is going on, including the relationship between BT and UCEprotect, that would be very helpful.

If you don't want to post in an open forum you can call me privately on 0207 938 7031.

Warmest regards,
Tom

 

[Pentangle]

Hi Tom,

I doubt it's going to aid anyone's cause in the UK by you running the story:

- UCEProtect is a German concern
- One bad apple in an industry where a lot of people give a lot of time for free to protect others from spam is only to be expected
- You'd do more harm than good by going after the antispammers, you'd be FAR better directed to go after the ISPs that take the cash of spammers, let them onto the internet, and then don't act when they spam others. THIS is where the spam epidemic comes from (but it would be biting off more than you can chew to assume you could do much about it).

Cheers,
Mike.

 

[OldWelshGuy]

Fasthosts also block huge ranges of email from entering their system.

 

[tomtom82]

Thanks Mike.

I'm not targeting anti-spammers in particular. I'm just trying to find out what the hell is going on! If BT, or other ISPs, are behaving badly then I'll happily write that.

I've just spoken to someone at length who posted on another forum. He claims that UCE Protect are not the cause of all these problems as they have been wrongly blacklisting people for years, everyone knows this, and consequentially ignores them.

He claims that the problem is other, more reputable anti-spammers (including Sorbs, Spamhaus and Barracuda), have started wrongly blacklisting people now. (He can't explain why they are blacklisting for no reason but is adamant that they are because he can prove he has not sent any spam from his IP address.)

He is angry that BT are not contacting these companies to explain and prove they have made mistakes, and accuses BT of leaving them high and dry with no email.

Is this your understanding?

 

[Pentangle]

Hi Tom,

We run a managed antispam service, and about 2 months ago we had a problem which we attributed to spammers having injected a whole bunch of false addresses into certain RBLs. Either that or someone had had some finger-trouble somewhere.

The services are now back to normal as far as i'm concerned (we block approx 50,000 emails a day and i've not been notified of any issues this month).

Certain users will always be 'duped' into thinking they're either spamming, being blocked, or "being hacked". A lot of this is just FUD, and is driven by the fact that the email protocol was designed in the 60's.

I strongly believe your story lies in ISPs turning the other way whilst taking spammers' money though. For example, Barracuda reports today that of the 2 BILLION emails they've filtered today alone, 91% of them are spam. That means that a lot of services are 10 times the size they need to be in order to deal with this issue....and the ISPs do little about it because a) they are getting money from the spammers and b) the margins in being an ISP are so little these days that there's simply not the money to be proactive and evangelical.

 

[wdltd]

We had the same UCEProtect problem last week and our ISP is Pipex / Opal / Tiscali - or whatever they call themselves this week. They did get it resolved quickly - but it was a real pain for a couple of days.

Interestingly, when we contacted them about running our inhouse email marketing service from our office using their network, they weren't at all concerned and pretty much told us to do what we liked. OK - we are pretty strict about opt-in lists only - but others might not be.

 

[heathcote123]

Dear all,

I am a reporter with The Mail on Sunday. We have been alerted to your problems which appear to be very frustrating.

There appears to be a story here - and maybe a bit of publicity might quicken a solution to your problems!

Unfortunately, not being overly tech-literate, I don't understand exactly what is going on here.

If one of you could explain in detailed laymans' terms what is going on, including the relationship between BT and UCEprotect, that would be very helpful.

If you don't want to post in an open forum you can call me privately on 0207 938 7031.

Warmest regards,
Tom

hmm The Daily mail reporting stuff they don't understand? surely that could never happen?

It was the immigrants Tom - they took our jobs, blocked our emails & THEN they got 2 million pounds mansions at the expense of hard-working brits. And they had burkas on.

 

[wdltd]

hmm The Daily mail reporting stuff they don't understand? surely that could never happen?

It was the immigrants Tom - they took our jobs, blocked our emails & THEN they got 2 million pounds mansions at the expense of hard-working brits. And they had burkas on.

Excellent, that's cheered me right up

 

[heathcote123]

Excellent, that's cheered me right up

Looking forward to Sundays headlines:

"Immigrants steal YOUR emails!"

 

[tomtom82]

Ha ha very good. Well, rest assured I won't be reporting anything on this at the moment...

Don't know if this helps but the BT press office just came back to me with this response. It suggests blacklisting isn't the problem...does this square with your understanding of things...?

Hello everyone - I have just had this response from the BT press office. It suggests blacklisting is not the issue. From your own knowledge, could it be anything else...?

A BT Spokesperson said:
"Blacklisting is a complex issue. We have been investigating the cases that you are aware of to establish the nature of the alleged blacklisting and have now established that blacklisting is not the cause of the technical issues described. We are contacting those customers now in order to further discuss the issues they are suffering in order to rectify them swiftly."

 

[heathcote123]

Ha ha very good. Well, rest assured I won't be

A BT Spokesperson said:
"Blacklisting is a complex issue. We have been investigating the cases that you are aware of to establish the nature of the alleged blacklisting and have now established that blacklisting is not the cause of the technical issues described. We are contacting those customers now in order to further discuss the issues they are suffering in order to rectify them swiftly."

Cool, the perhaps I can suggest:

"Magical sky pixies in naked email fury"?

 

[tomtom82]

FYI (start from bottom)

Hi Tom,

Less than 100 customers. As a result, we have now tightened our diagnostics to improve accuracy and this will help prevent any future occurrence.

Kind regards

Kina

From:
Sent: 16 July 2010 16:14
To: Kara,K,Kina,CRN R
Subject: Re: BT

Thanks Kina.


How many BT customers were affected?

From:
Sent: 16/07/2010 16:01 CET
To: Tom Harper
Subject: RE: BT

Hi Tom,
Please see below for a further statement,
Kina
"Due to the complexity of this issue we did diagnose a small number of customers incorrectly. We are contacting them to rectify this and to apologise. After further investigation we believe that only a tiny number of customers have been blacklisted incorrectly and we helping to rectify this situation too."

 

[syzygy]

Sadly I think that we are one of the companies that are being caught in the middle of this sandwich! Net result several hours of lost work and a sense of injustice of being blacklisted for doing nothing other than paying for a service.

BT have never been in contact with us, so clearly we are too small to be bothered with?

In my view BT and UCE need to think about what they are both doing, nothing is harming business at a time when they can ill afford it. Emails not being recieved or being able to be sent might lose us a vital contract.

I don't like being the meat in the sandwich. Nor do I want to go to the hassle of changing suppliers which is what UCE are suggesting.

Hmmmmmmm

 

[JElder]

According to UCEProtect, they are blocking 10492672 IP addresses owned by BT.

That's a pretty big range of IP addresses. Assuming that some of those are not fixed, so could be used by more than one customer, AND that some may be using NAT to host more than one person, that's a pretty large amount of email senders they are blocking, even if not all of them are in use.

It does look like UCEProtect is not used very heavily, which limits the impact, but the really stupid thing is that if you follow their suggestions and also prevent mail servers sending non-delivery reports, you will never know that some of your emails are not getting through.

For consumer this could be irritating, but for businesses this could be losing them money. Replies to genuine enquiries will be silently blocked, contact with customers could be damaged, and legitimate newsletters may not be delivered.

 

[syzygy]

I have to say nor do I like being held to ransome. It is not my issue. Is there anything that I can do? BT have been as helpful as they can. I have to say that their ITSM guys are really great

 

[newcarcontracts]

You can add me to the list of 'victims' being held to ransom here. Started getting bounceback messages yesterday from a few of my long standing, regular clients.

 

[JElder]

If you have a good relationship with them, contact their IT staff and get them to remove UCE-Protect from the list of blocklists used by their spam filters. The best way to stop their abuse of innocent email users is to make them irrelevant.

 

[kgkev]

We have been blocked 9 times, beginning 15th Nov 2009. The quickest we have been unblocked is 3 days, However it appears to take around 7-10 for the block to release

I realised it was pointless contacting BT as they appear to deny it or don't understand the problem and even so they appear powerless to do anything

I tried a different approach. Most of the failures appear to be when we sent emails to US customers. I contacted one customer and spoke to the IT manager. He understood the problem and explained that thier email was provided by a company call road runner. I have looked into this and RoadRunner (rr.com) is owned and operated by Time Warner Cable. They are unwilling to change there spam blacklist from UCEProtect and they will not consider downgrading from Level 3 to level 2.

So it appears the only way to get emails through to this particular customer is for either one of us to change our email provider.

Just out of interest has anyone had any luck with BT. Whats the best number to call?

 

[SteveSant]

The problems with UCEPROTECT/SORBS etc, and I say this as someone who works for a UK hoster, are:

1.) They block for far too long. Most genuine hosts may have a user account become compromised (usually due to the customer's insecure practices), which then results in spam being sent and the server blacklisted. That's a fair cop. We normally stamp on offenders within a few hours. A few hours later, the affected server is delisted everywhere, except UCE's ring of companies, who will still be listing a server weeks afterwards.

2.) They charge for express delisting - on technical principles alone, I'm not sure how throwing money at a blacklist provider should actually bear any relevance to whether a server is a spam risk or not. It's a complete nonsense, and a clear money-making racket.

In the end, they are only damaging themselves. I often talk with the administrators of systems that rely on UCEPROTECT and explain to them how their anti-spam strategy actually REMOVES value rather than adds it to the internet. I'm glad to say that to date, several have stopped using UCEPROTECT's services.

We all rely on RBLs to keep the internet clean from spam, and most reputable RBLs are fast to react to changing circumstances. This is why people use them. People who use UCEPROTECT imho, are usually doing so because they are unaware of doing so (it came embedded in an anti spam product they purchased), or are just taken in by the "We will stop all spammers on this planet" crap that they spout on their website.