UCEProtect and GDPR fallout
First thing this morning I got an email from a client that they were listed on the UCEProtect Level 3 blacklist. Mid-morning I got a message from a different client telling me the same thing. Both clients shared their bounce messages with me:
550 Conexion rechazada por estar o167890x0.outbound-mail.sendgrid.net[126.96.36.199]:56628 en la DNSBL dnsbl-3.uceprotect.net (ver Your ISP LATINET – TELPAN COMMUNICATIONS/AS11377 is UCEPROTECT-Level3 listed for hosting a total of 193 abusers. See: http://www.uceprotect.net/rblcheck.php?ipr=188.8.131.52)
(Note: the IP is not my client’s IP, it’s the start of the /17 assigned to SendGrid.)
Basically, UCEProtect listed half of SendGrid’s IP space (184.108.40.206/18). Looking at the publicly available data, it appears that in the last 48 hours, there was a lot of mail to UCEProtect’s spamtraps from part of SendGrid’s IP space. If I had to guess, I’d say this was GDPR related, particularly given that UCEProtect is run out of Europe. In fact, if we look at the listing graph from UCEProtect’s own website this is really clear.
As of 4 PM PDT they’re up to 263 IPs listed.
This is, really, no big deal. UCEProtect is not very widely used. Of my two clients, one had 5 emails bounce and one had 150, well under 0.0001% of their sends. Unfortunately, a lot of folks worry about any blacklisting, without really understanding that the vast majority of blacklists have almost no effect on mail delivery. The only way a listing can hurt is if you’re trying to send to a domain that uses a blacklist.
UCEProtect is not widely used and most folks will see little to no effect on email delivery due to this escalation. With that being said, it’s probably time to talk a little bit about UCEProtect as a list.
What they say about their list.
The UCEProtect lists are primarily spamtrap driven, although there are people who can manually add IPs. They have automated escalations, where if there is a specific number of listings over a certain period of time, surrounding space is listed. There are 3 levels.
- Level 1 is a single IP listing. These are the IPs that are sending mail to the UCEProtect spamtraps. These listings are both automated (more than 50 emails from a single IP to the spamtrap network) and manual.
- Level 2 is per allocation. They’re not completely transparent about how they determine allocation (and as I’ll talk about a little later, there is evidence some of the data they’re using is out of date). Basically, if multiple IP addresses in a range are on the list within a 7 day period, then they list more than a single IP.
- Level 3 lists every email in a particular ASN if there are more than 100 IPs and >.2% of all IPs in that ASN on Level 1. This is, in UCEProtect’s own words, a list that will cause collateral damage to innocent users.
Listings expire automatically 7 days after the mail stops. Listees can pay a fee to get delisted faster.
What’s this got to do with GDPR?
UCEProtect’s own listing graph shows a spike in listings starting mid-day Friday. (CEST is 2 hours ahead of UTC).
What happened overnight?
Because of the automated escalation scheme, over 75,000 IP addresses belonging to SendGrid were listed on the UCEProtect Level 3 list overnight. The listing encompassed all IPs announced by AS11377. UCEProtect states this ASN belongs to LATINET – TELPAN COMMUNICATIONS. The ASN was officially registered to SendGrid in June of 2012. Best we can tell, there was a list circulated around in 2007 listing current ASN assignments. I have no idea why UCEProtect is using a list more than a decade old, where they can directly query ARIN for current data through a website, FTP or whois (whois -a ‘a 11377’). Whatever the reason, it doesn’t fill me with confidence in the accuracy of the list.
Now that we’re (almost?) done with GDPR notifications, I expect these listings to age off and go away in the next week.
The good news
UCEProtect listings are unlikely to have any real impact on email delivery. These lists are just not that widely used. I also know SendGrid is aware of the issue and are working with clients who write into support.
My advice for anyone who is worried about blacklists that don’t affect email.
- Note: I chose this IP because it’s the first IP in the range assigned to the ASN and these IPs are generally never used to send mail for technical reasons.