UCEProtect and GDPR fallout

First thing this morning I got an email from a client that they were listed on the UCEProtect Level 3 blacklist. Mid-morning I got a message from a different client telling me the same thing. Both clients shared their bounce messages with me:

550  Conexion rechazada por estar o167890x0.outbound-mail.sendgrid.net[167.89.0.0]:56628 en la DNSBL dnsbl-3.uceprotect.net (ver Your ISP LATINET – TELPAN COMMUNICATIONS/AS11377 is UCEPROTECT-Level3 listed for hosting a total of 193 abusers. See: http://www.uceprotect.net/rblcheck.php?ipr=167.89.0.0)

(Note: the IP is not my client’s IP, it’s the start of the /17 assigned to SendGrid.)
Basically, UCEProtect listed half of SendGrid’s IP space (167.89.0.0/18). Looking at the publicly available data, it appears that in the last 48 hours, there was a lot of mail to UCEProtect’s spamtraps from part of SendGrid’s IP space. If I had to guess, I’d say this was GDPR related, particularly given that UCEProtect is run out of Europe. In fact, if we look at the listing graph from UCEProtect’s own website this is really clear.

As of 4 PM PDT they’re up to 263 IPs listed.
This is, really, no big deal. UCEProtect is not very widely used. Of my two clients, one had 5 emails bounce and one had 150, well under 0.0001% of their sends. Unfortunately, a lot of folks worry about any blacklisting, without really understanding that the vast majority of blacklists have almost no effect on mail delivery. The only way a listing can hurt is if you’re trying to send to a domain that uses a blacklist.
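One way to measure that effect from your own bounce logs, as an added example that is not code from this post. The Level 1 and Level 2 zone names, every sample bounce after the first, and the send total used in the test are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Zones to attribute bounces to. dnsbl-3 appears in the bounce quoted above;
# the Level 1 and Level 2 zone names are added here and are not in the post.
WATCHED_ZONES = tuple(f"dnsbl-{n}.uceprotect.net" for n in (1, 2, 3))
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# First entry is the start of the bounce quoted above; the rest are constructed.
SAMPLE_BOUNCES = [
    "550  Conexion rechazada por estar o167890x0.outbound-mail.sendgrid.net"
    "[167.89.0.0]:56628 en la DNSBL dnsbl-3.uceprotect.net",
    "550 5.1.1 <user@example.com>: Recipient address rejected: User unknown",
    "552 5.2.2 Mailbox full",
    "554 5.7.1 Client host [192.0.2.10] blocked using dnsbl-3.uceprotect.net",
]


def parse_bounce(line):
    """Return (zone, sending_ip) if the text names a watched DNSBL, else None."""
    lowered = line.lower()
    zone = next((z for z in WATCHED_ZONES if z in lowered), None)
    if zone is None:
        return None
    match = BRACKETED_IP.search(line)
    try:
        ip = str(ipaddress.IPv4Address(match.group(1))) if match else None
    except ValueError:  # bracketed text looked like an IP but is not one
        ip = None
    return zone, ip


def dnsbl_query_name(ip, zone):
    """DNS name a receiver looks up for `ip`: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_impact(bounces, total_sent):
    """Per zone: (bounce count, share of all sends, distinct listed IPs)."""
    counts, ips = Counter(), {}
    for line in bounces:
        hit = parse_bounce(line)
        if hit:
            zone, ip = hit
            counts[zone] += 1
            ips.setdefault(zone, set()).add(ip)
    return {z: (n, n / total_sent, sorted(ips[z] - {None}))
            for z, n in counts.items()}
```

Resolving the name from `dnsbl_query_name` against the zone shows whether an IP is currently listed; the share from `dnsbl_impact` shows whether the listing is costing any real mail.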
UCEProtect is not widely used and most folks will see little to no effect on email delivery due to this escalation. With that being said, it’s probably time to talk a little bit about UCEProtect as a list.

What they say about their list.

The UCEProtect lists are primarily spamtrap driven, although there are people who can manually add IPs. They have automated escalations, where if there is a specific number of listings over a certain period of time, surrounding space is listed. There are 3 levels.

  • Level 1 is a single IP listing. These are the IPs that are sending mail to the UCEProtect spamtraps. These listings are both automated (more than 50 emails from a single IP to the spamtrap network) and manual.
  • Level 2 is per allocation. They’re not completely transparent about how they determine allocation (and as I’ll talk about a little later, there is evidence some of the data they’re using is out of date). Basically, if multiple IP addresses in a range are on the list within a 7 day period, then they list more than a single IP.
  • Level 3 lists every IP in a particular ASN if there are more than 100 IPs and more than 0.2% of all IPs in that ASN on Level 1. This is, in UCEProtect’s own words, a list that will cause collateral damage to innocent users.

Listings expire automatically 7 days after the mail stops. Listees can pay a fee to get delisted faster.
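The escalation and expiry rules above, modelled as an added example; this is not UCEProtect's code. The sender count (193, from the bounce) and ASN size (rounded from "over 75,000") come from this post, while the hit timing, the start date, the sample addresses and the absence of a counting window for Level 1 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds as the post describes them; a model, not UCEProtect's code.
L1_MIN_HITS = 50              # Level 1: more than 50 trap hits from one IP
L3_MIN_IPS = 100              # Level 3: more than 100 Level 1 IPs in the ASN...
L3_PER_MILLE = 2              # ...and more than 0.2% of the ASN's addresses
EXPIRY = timedelta(days=7)    # listing ends 7 days after the mail stops


def level1_listed(hits, now):
    """IPs on Level 1 at `now`, given (ip, timestamp) spamtrap deliveries.

    Assumption: hits accumulate per IP with no counting window, since the
    post gives none.
    """
    count, last_seen = defaultdict(int), {}
    for ip, ts in hits:
        if ts <= now:
            count[ip] += 1
            last_seen[ip] = max(ts, last_seen.get(ip, ts))
    return {ip for ip, n in count.items()
            if n > L1_MIN_HITS and now - last_seen[ip] < EXPIRY}


def level3_listed(level1_count, asn_size):
    """Both Level 3 conditions, in integer math to avoid float rounding."""
    return (level1_count > L3_MIN_IPS
            and level1_count * 1000 > L3_PER_MILLE * asn_size)


def simulate(senders=193, asn_size=75_000):
    """Constructed burst: each sender delivers 51 trap hits in ~2 days, then stops."""
    start = datetime(2018, 5, 25, 12)          # constructed start time
    hits = [(f"192.0.2.{i}", start + timedelta(minutes=56 * k))
            for i in range(senders) for k in range(51)]
    timeline = {}
    for day in (1, 2, 8, 10):
        listed = level1_listed(hits, start + timedelta(days=day))
        timeline[day] = (len(listed), level3_listed(len(listed), asn_size))
    return timeline
```

For an ASN of about 75,000 addresses, the 0.2% condition works out to more than 150 Level 1 IPs, so the percentage rather than the 100-IP floor is the binding threshold.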

What’s this got to do with GDPR?

For the 2 of you who haven’t used email in the past 3 days, there has been an explosion of privacy policy updates and notifications sent out over the last 48 hours or so. Many of these updates are going to addresses that haven’t been mailed in a while. Thus, we can expect a lot of senders saw an increased volume of spamtrap hits for their mailings.
UCEProtect’s own listing graph shows a spike in listings starting mid-day Friday. (CEST is 2 hours ahead of UTC).

What happened overnight?

Because of the automated escalation scheme, over 75,000 IP addresses belonging to SendGrid were listed on the UCEProtect Level 3 list overnight. The listing encompassed all IPs announced by AS11377. UCEProtect states this ASN belongs to LATINET – TELPAN COMMUNICATIONS. The ASN was officially registered to SendGrid in June of 2012. Best we can tell, there was a list circulated around in 2007 listing current ASN assignments. I have no idea why UCEProtect is using a list more than a decade old, when they can directly query ARIN for current data through a website, FTP or whois (whois -a 'a 11377'). Whatever the reason, it doesn’t fill me with confidence in the accuracy of the list.
Now that we’re (almost?) done with GDPR notifications, I expect these listings to age off and go away in the next week.

The good news

UCEProtect listings are unlikely to have any real impact on email delivery. These lists are just not that widely used. I also know SendGrid is aware of the issue and is working with clients who write into support.
My advice for anyone who is worried about blacklists that don’t affect email.


  • Note: I chose this IP because it’s the first IP in the range assigned to the ASN and these IPs are generally never used to send mail for technical reasons.

3 comments

  1. Claus von Wolfhausen says

    You do not really have a clue who uses UCEProtect to block email, or you think your readers are too stupid to spot simple relationships.
    A simple Google search should teach anyone who is capable of logical thinking better.
    Where did all the crying spammers and spam supporters come from, who shouted bullshit like “blackmail” or “extortion” over the last 16 years because of the optional express delisting?
    The fact that there have been fewer lately has been due to the fact that most and especially the larger ISPs now use preventive measures against spammers and spambots in their networks. This is to a degree also a merit of our Level 3 and the hardliners who use it as a boycott list.
    It may be doubted whether this positive development would have occurred without our strict policies.
    On Sendgrid we have only to say the following:
    Who else but the marketing companies are interested in whether their advertising emails arrive?
    They should choose their customers more carefully and put more emphasis on their list hygiene, and promptly delete permanently undeliverable email addresses, it is unacceptable that some even send advertising to domains whose owners have changed 3 times in the meantime…

  2. Schiacciata Burdizzo says

    Laura,

    Some useful background info concerning your case: https://www.aaroncake.net/misc/showthought.asp?thought=57

    Regards.

  3. grin says

    @laura: you should be aware that apart from what you said uceprotect is run by a person who is quite known as, how to put it nicely, someone who is bound to get rich by extorting money from entities while continuously explaining how nice he is and how just it is that he blacklists someone. He is not quite respected or liked. (I would usually use stronger words, but I guess you get the point.)

    He runs a few lists, and they can be useful if they would be used the right way (which is hard for people not familiar with his one-man-show-operation). The spamlists usually blacklist servers on ONE spam for a week and there is no way to remove the entry; it is fun when an ISP runs a relay and one user mails one spamtrap, and the few hundred thousand users would get blacklisted. It is also fun when he uses his misc lists to blacklist various entities he doesn’t like, like the “backscatterer” list which contains possibly 15% of entries which backscatter and the rest is for various “I don’t like what you’re doing” reasons. But he’ll assert you that it’s not so, of course. Very verbose, too.

    So, these can be used for spam *scoring*, with a rather low score assigned, since they suggest that with medium probability there is, or more probably there WAS some problem with the IP in the past weeks or so. But using them for outright rejection is just plain stupid due to the extremely high level of false positives (mostly due to the nonexistence of removal and long autoexpiration).

    But this is specifically the reason that really few people use it for rejection and they can be educated not to. People are free to run blacklists for any reason whatsoever, including eye color or the prime numbers in IP addresses, only if they would tell the others about it so they wouldn’t use it for serious work. In an ideal world.

    So yes, nobody should use it for rejection, and fortunately only a few do. No need to panic.
