Linode blacklisted on UCEProtect RBL

It looks like Linode was just blacklisted on the UCEProtect anti-spam RBL in the past couple days. Apparently, it's a "Level 3" ISP level blacklist so it can only be resolved by Linode. You can check it by going to http://www.uceprotect.net/en/rblcheck.php and looking up a Linode IP. Is this something you guys can resolve?
Thank you

24 Replies

Hi @1to1 - thanks for posting this.

We've gotten a few reports about the block over the last 24 hours. It's been escalated to our Trust and Safety department, and they're currently investigating next steps. In the meantime, we're also monitoring the issue internally, and I've added your post to our tracker.

I also had an email about being blocked. Can you update us here when resolved?

We're seeing this (on about 6 different IPs we have with Linode). I wonder if it stems from one of my old servers launching a spamming attack (even though it was a server I no longer have, I was still registered as the abuse email, so was getting hammered with bounced emails telling me that it had received reports of abuse). I passed this on to Linode's support team, and they quickly took the server offline. I guess going by the scale of the spamming it's possible this was the cause of the blacklist (I was getting about 200-300 reports an hour from "Synacor Abuse Report")

Hopefully it settles down and is removed asap (I only noticed it due to GlockApps suddenly going red on all the IPs being blacklisted on this list!)

@youradds while possible that the server you mentioned contributed, it is definitely not the cause, and you shouldn't feel responsible at all. The listing has targeted our entire ASN, which encompasses every Linode IP address.

This RBL provider has some arbitrary limits that they place upon hosting providers based on the size of their IP space and number of "reported" instances. They have determined that our service meets their "LEVEL 3" requirements, which by their own description is designed to cause collateral damage to innocent users:

> This blacklist has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users when used to block email.

also

> Use of Level 3 for blocking is recommended only if you are a HARDLINER and you want to cause service providers and carriers that have spammer / abusive clients to be quickly and effectively blocked and it does not matter to you if regular email is also occasionally rejected.
> This can bring a lot of pressure on service providers and carriers to get their act in order and resolve the issues within their responsibility.

We recommend mail server administrators do not use UCEPROTECT's Level 3 service.

Regardless, this listing should automatically expire within the next week or so.

All new accounts on our platform have had their outbound email ports restricted since November 5, 2019 as outlined in this blog post, and we review and respond to every actionable spam report that we receive to both our [email protected] inbox and our Abuse Portal. We welcome reports of any potential abuse of our platform, and always appreciate the opportunity to help clean up our corner of the web.

@_Brian I wasn't blaming myself :) (we haven't owned that server/IP for a month or so, so I guess it was whoever took it over - either did a crap job of security or set it up with the intent of spamming the hell out of everyone)

I agree though - UCEPROTECT are a joke and shouldn't be taken seriously as they are effectively just blackmailing for money to get removed. It's crazy how many ISPs use their services!

Is there any update on this? We're still getting notices that Linode is blacklisted on UCEProtect

Hey there – no updates, sorry. This has been a problem in the past and we're not sure if or when it'll be resolved. It seems we have not fallen off their Level 3 listing in the 7 day timeframe.

Are you seeing any email rejections or bounces because of UCEProtect? You mentioned notices – are these coming from UCEProtect?

What is a HARDLINER? I cannot get a decent definition on Google. Would someone like gmail be a HARDLINER?

@maallyn Gmail and the other major providers we have checked do not use this service.

Generally speaking, Gmail usually just needs a little time to warm up to accepting mail from a new IP address before those messages will be sorted to the Inbox rather than Spam. We have not seen reports of bounced mail from Gmail.

Also: Hardliner

noun: hardliner
a member of a group, typically a political group, who adheres uncompromisingly to a set of ideas or policies.

I cannot send mail from any of the servers I have just bought.
My mail server cannot connect to gmail and yahoo.

For example

2021-02-04 14:09:07 1l7fBI-00024Y-I6 H=alt3.gmail-smtp-in.l.google.com [74.125.28.26] Connection timed out
2021-02-04 14:11:18 1l7fBI-00024Y-I6 H=alt4.gmail-smtp-in.l.google.com [74.125.137.27] Connection timed out
2021-02-04 14:11:18 1l7fBI-00024Y-I6 == mymailadress@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out

I guess my new ip address is blocked from everywhere.

@ADEL --

All email ports (25, 587, 465) are blocked on new Linodes until you contact support requesting they be unblocked. This has been a long-standing policy to prevent spam.

-- sw

> Are you seeing any email rejections or bounces because of UCEProtect? You mentioned notices – are these coming from UCEProtect?

@jackley Our instance on Linode is more of a secondary mail server, so the mail flow is low unless the primary is down. While we don't know of any rejections caused by UCEProtect, we also don't have a large amount of emails going out at the moment through Linode to know for sure.

The notices we get are through our external monitoring system, which checks the instance for possible blacklisting against well-known RBLs.

Is it possible you have a customer that's still sending out large amounts of spam and causing UCEProtect to keep the ISP level blacklist on Linode?

Hello,

We have a further list for all of our Linode servers due to a characterisation of your network

This is now on LEVEL 2

dnsbl-2.uceprotect.net
Net 172.104.224.0/19 is UCEPROTECT-Level2 listed because 184 impacts are seen from LINODE-AP Linode, LLC, US/AS63949 there. See: http://www.uceprotect.net/rblcheck.php?ipr=172.104.237.43

dnsbl-3.uceprotect.net
Your ISP LINODE-AP Linode, LLC, US/AS63949 is UCEPROTECT-Level3 listed because of a spamscore of 665.7. See: http://www.uceprotect.net/rblcheck.php?ipr=172.104.237.43

Do you intend to take any action on this?

thank you
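The blacklist monitoring and the listing notices above both rest on DNSBL lookups. This added example (not part of any post, and not UCEPROTECT's or Linode's code) builds the query name for the two zones quoted in the notice and interprets the answer. The resolver is injectable so the check runs offline; the `scope` helper and its labels are names chosen for this example.

```python
import ipaddress
import socket

# Zone names exactly as they appear in the listing notices quoted in this thread.
ZONES = {
    "dnsbl-2.uceprotect.net": "network range (Level 2)",
    "dnsbl-3.uceprotect.net": "whole ASN (Level 3)",
}
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(ip, zone):
    """DNSBL convention (RFC 5782): reverse the IPv4 octets, then append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A record for name, or None for 'no such name'; other DNS failures propagate."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise  # a timeout or SERVFAIL must not be reported as "not listed"


def check(ip, resolver=system_resolver):
    """Return {zone: True | False | None}; None means the answer was not a DNSBL code."""
    result = {}
    for zone in ZONES:
        answer = resolver(query_name(ip, zone))
        if answer is None:
            result[zone] = False
        elif ipaddress.IPv4Address(answer) in LISTED_NET:
            result[zone] = True
        else:
            # e.g. a resolver that rewrites NXDOMAIN to a landing page:
            # not evidence of a listing, so flag it instead of alerting.
            result[zone] = None
    return result


def scope(result):
    """Widest scope at which the address is listed, or None if not listed."""
    hits = [ZONES[zone] for zone, listed in result.items() if listed]
    return hits[-1] if hits else None
```

A hit in either zone describes the surrounding range or the provider, not the behaviour of the single address that was queried.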

Linode Staff

Hi @1to1 and @apogeelu - I'll do my best to answer both your questions:

The UCEPROTECT Level 2 list is similar to the Level 3 list, except where the Level 3 lists entire ASNs the Level 2 lists IP ranges. Both have similar practices of listing domains that have a certain number of "impacts" in a 7 day period. There's not much info given on what counts as an "impact" and for the Level 3 list specifically one of the examples used is 55 "impacts" over 1024 IP addresses causes a "spam score" on their list of over 5300. It's unclear what counts as an "impact", and whether or not separate reports of the same email from the same IP address would count as more than one "impact". In addition to the automatic listing conditions, there is the possibility of a manual listing, though the criteria for when that would happen are unclear and it seems to be solely at the discretion of the list operators.

The process of delisting requires either manual intervention from the list operators, for which they charge a fee, or that there be no "impacts" registered for that ASN or IP range for 7 days. According to the info available, it would only take a single "impact" within the 7 day period to keep a listing active.

That being said, UCEPROTECT isn't widely used and is unlikely to cause deliverability problems. Because of this, and our findings that the list isn't considered reputable, we have decided to not attempt to pay for manual delisting.

If you find any bouncebacks or errors related to UCEPROTECT could you send them our way in a ticket? Myself or another member of the Support team would be happy to take a look.

The issue stopped for a day but continues

Report on offending IPs

Report generated for 2a06:4944:8fb:7c00:1d84:4edc:691a:125b at 11.02.2021 23:52
UCEPROTECT-Level3 Details
AS63949 | LINODE-AP Linode, LLC, US

Timezone is CET.

Yay, had an email from MXToolbox about a week ago informing me this had cleared… Then lo and behold another email tonight informing me that my IP (Well Linode in general) is back on the list.

Can someone not just sue these arseholes (UCEProtect, not Linode) for vexatious practices?

Today I was surprised to find all my Linode IP addresses on 2 servers are listed at UCEPROTECT Level 3, and some on Level 2 and 3. The funny part is that I have 3 IPs that I have had for over 3 years and have never ever used them, they are not attached to any accounts or any emails, and yet they are listed at Level 3.
Is there a solution to this? Will this impact the email delivery of my clients? And is there a way we can get past these RBLs that appear to be scammers?
Here is an interesting blog that I came across today:
https://securityboulevard.com/2021/02/uceprotect-when-rbls-go-bad/

Our ASN was indeed placed back on UCEPROTECT's Level 3 list shortly after we were moved to Level 2. Even after re-listing, we have not seen reports of emails blocked as a direct result of UCEPROTECT, so we do not believe that email deliverability is being impacted. What we are seeing is that customers whose emails are being rejected are on the RBLs of specific email providers, such as Microsoft or AT&T. If you're in this situation, we ask that you open a Support ticket so that we can request delisting from the specific provider that is rejecting the emails.

Regarding the overall state of UCEPROTECT as an RBL, we've found that most email providers do not use their list. Use of the Level 3 list to block email would result in rejecting all emails from the listed provider's ASN, most of which are not spam. I can't speak to how other listed providers view these types of RBLs, but I can confirm we will not be paying for delisting from Level 3. We're continuing to cut down on spam being sent from our platform as well as ensure all new accounts have SMTP restrictions in place by default.

This is not correct. AT&T-related domains are blocking mail from Linode IPs as of 2/19/2021 and I've submitted a ticket with Linode support:

XXX@bellsouth.net: host al-ip4-mx-vip1.prodigy.net[144.160.235.143]
said: 553 5.3.0 alph764 DNSBL:RBL 521< 23.239.24.27 >_is_blocked. For assistance forward this error to abuse_rbl@abuse-att.net (in reply to MAIL FROM command)

Please pursue this with UCEPROTECT and/or AT&T, Linode folks.

We are getting this with Outlook as well sigh (we are not on any other blacklists, and our IP is clean on M$'s own "request removal" system for blacklisted IPs, so pretty sure this is coming from UCE)

host outlook-com.olc.protection.outlook.com [104.47.41.33]
SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=5839:
550 5.7.1 Unfortunately, messages from [45.79.97.48] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [DM3NAM03FT045.eop-NAM03.prod.protection.outlook.com]

Can someone please shut these pirates down? By all means block IPs if they are spamming / being used maliciously, but blocking a whole ISP's subnet is crazy!!!!

In the case of the 550 message that you posted above, @andynewby this looks like a blocklist related to Outlook. If you were to open a Support ticket with the following information, we can try to get your IP address delisted from Microsoft:

- Ensure you have [Reverse DNS (rDNS)](https://www.linode.com/docs/guides/configure-your-linode-for-reverse-dns/) configured and an SPF Record set up.
- The domain that you're sending email from
- The 5xx error message you received (and posted above).

We can't guarantee we'll get the IP delisted, though we've seen success by doing this.
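A triage sketch for the three kinds of delivery failure quoted in this thread (an added example, not part of any post and not Linode's tooling): it pulls the SMTP reply code and the rejected sending address out of a bounce and records whether the text names UCEPROTECT at all. The sample bounces are constructed from documentation-range addresses, and the category names are invented for this example.

```python
import re

# Constructed bounces modelled on the ones quoted in this thread
# (hosts and addresses replaced with documentation values).
SAMPLES = [
    "2021-02-04 14:09:07 H=mx.example.net [192.0.2.26] Connection timed out",
    "host mx.example.org[198.51.100.143] said: 553 5.3.0 alph764 DNSBL:RBL 521"
    "< 203.0.113.27 >_is_blocked. For assistance forward this error to abuse@example.org",
    "host mx.example.com [198.51.100.33] SMTP error after MAIL FROM: 550 5.7.1 "
    "Unfortunately, messages from [203.0.113.48] weren't sent. Please contact your "
    "Internet service provider since part of their network is on our block list (S3140).",
]

STATUS_RE = re.compile(r"\b([45]\d\d) (\d\.\d{1,3}\.\d{1,3})\b")
IP_RE = re.compile(r"[\[<]\s*((?:\d{1,3}\.){3}\d{1,3})\s*[\]>]")

# Next steps as given in the replies in this thread.
NEXT_STEP = {
    "no-smtp-reply": "check whether ports 25/465/587 are still restricted on the Linode",
    "receiver-dnsbl": "send Support the full 5xx text, sending domain, rDNS and SPF status",
    "receiver-block-list": "send Support the full 5xx text, sending domain, rDNS and SPF status",
    "other": "read the reply text; no blocklist wording was recognised",
}


def triage(bounce):
    """Classify one bounce (possibly multi-line) and extract the rejected sender IP."""
    text = " ".join(bounce.split())
    status = STATUS_RE.search(text)
    blocked_ip = None
    if status is None:
        # No reply code at all: the SMTP session never got that far.
        category = "no-smtp-reply" if "timed out" in text.lower() else "other"
    else:
        # Search only the server's reply so the MX's own address is not picked up.
        reply = text[status.start():]
        found = IP_RE.search(reply)
        blocked_ip = found.group(1) if found else None
        if "DNSBL" in reply:
            category = "receiver-dnsbl"
        elif re.search(r"block list \(S\d+\)", reply):
            category = "receiver-block-list"
        else:
            category = "other"
    return {
        "category": category,
        "status": status.group(1) if status else None,
        "blocked_ip": blocked_ip,
        "names_uceprotect": "uceprotect" in text.lower(),
        "next_step": NEXT_STEP[category],
    }
```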

Thanks @watrick. Just looking at it, we do have the rDNS setup - but not DKIM or DMARC. I've just set those up. Will keep an eye out to see if we get more bounces after that change. Thanks!

I've just had email blocked by an icloud.com email address.
https://support.proofpoint.com/dnsbl-lookup.cgi?ip=178.79.129.204
Looks like UCEPROTECT Level 3 range blocking.
