Linode blacklisted on UCEProtect RBL
It looks like Linode was just blacklisted on the UCEProtect anti-spam RBL in the past couple days. Apparently, it's a "Level 3" ISP level blacklist so it can only be resolved by Linode. You can check it by going to http://www.uceprotect.net/en/rblcheck.php and lookup up a linode ip. Is this something you guys can resolve?
Thank you
130 Replies
jdutton
Linode Staff
Hi @1to1 - thanks for posting this.
We've gotten a few reports about the block over the last 24 hours. It's been escalated to our Trust and Safety department, and they're currently investigating next steps. In the meantime, we're also monitoring the issue internally, and I've added your post to our tracker.
We're seeing this (on about 6 different IPs we have with Linode). I wonder if it stems from one of my old servers launching a spamming attack (even though it was a server I no longer has, I was still registered as the abuse email, so was getting hammered with bounced emails telling me that it had received reports of abuse). I passed this onto Linode's support team, and they quickly took the server offline. I guess going by the scale of the spamming its possible this was the cause of the blacklist (I was getting about 200-300 reports an hour from "Synacor Abuse Report")
Hopefully it settles down and is removed asap (I only noticed it due to GlockApps suddenly going red on all the IP's being blacklisted on this list!)
_Brian
Linode Staff
@youradds while possible that the server you mentioned contributed, it is definitely not the cause, and you shouldn't feel responsible at all. The listing has targeted our entire ASN, which encompasses every Linode IP address.
This RBL provider has some arbitrary limits that they place upon hosting providers based on the size of their IP space and number of "reported" instances. They have determined that our service meets their "LEVEL 3" requirements, which by their own description is designed to cause collateral damage to innocent users:
This blacklist has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users when used to block email.
also
Use of Level 3 for blocking is recommended only if you are a HARDLINER and you want to cause service providers and carriers that have spammer / abusive clients to be quickly and effectively blocked and it does not matter to you if regular email is also occasionally rejected.
This can bring a lot of pressure on service providers and carriers to get their act in order and resolve the issues within their responsibility.
We recommend mail server administrators do not use UCEPROTECT's Level 3 service.
Regardless, this listing should automatically expire within the next week or so.
All new accounts on our platform have had their outbound email ports restricted since November 5, 2019 as outlined in this blog post, and we review and respond to every actionable spam report that we receive to both our abuse@ inbox and our Abuse Portal. We welcome reports of any potential abuse of our platform, and always appreciate the opportunity to help clean up our corner of the web.
@_Brian I wasn't blaming myself :) (we haven't owned that server/IP for a month or so, so I guess it was whoever took it over - either did a crap job of security or set it up with the intent of spamming the hell out of everyone)
I agree though - UCEPROTECT are a joke and shouldn't be taken seriously as they are effectively just blackmailing for money to get removed. It's crazy how many ISP's use their services!
Is there any update on this? We're still getting notices that Linode is blacklisted on UCEProtect
jackley
Linode Staff
Hey there – no updates, sorry. This has been a problem in the past and we're not sure if or when it'll be resolved. It seems we have not fallen off their Level 3 listing in the 7 day timeframe.
Are you seeing any email rejections or bounces because of UCEProtect? You mentioned notices – are these coming from UCEProtect?
What is a HARDLINER? I cannot get a decent definition on Google. Would someone like gmail be a HARDLINER?
_Brian
Linode Staff
@maallyn Gmail and the other major providers we have checked do not use this service.
Generally speaking, Gmail usually just needs a little time to warm up to accepting mail from a new IP address before those messages will be sorted to the Inbox rather than Spam. We have not seen reports of bounced mail from Gmail.
Also: Hardliner
noun: hardliner
a member of a group, typically a political group, who adheres uncompromisingly to a set of ideas or policies.
I cannot send mail from any of the servers I have just bought.
My mail server cannot connect to gmail and yahoo.
For example
2021-02-04 14:09:07 1l7fBI-00024Y-I6 H=alt3.gmail-smtp-in.l.google.com [74.125.28.26] Connection timed out
2021-02-04 14:11:18 1l7fBI-00024Y-I6 H=alt4.gmail-smtp-in.l.google.com [74.125.137.27] Connection timed out
2021-02-04 14:11:18 1l7fBI-00024Y-I6 == mymailadress@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out
I guess my new ip address is blocked from everywhere.
@ADEL --
All email ports (25, 587, 465) are blocked on new Linodes until you contact support requesting they be unblocked. This has been a long-standing policy to prevent spam.
-- sw
Are you seeing any email rejections or bounces because of UCEProtect? You mentioned notices – are these coming from UCEProtect?
@jackley Our instance on linode is more of a secondary mail server, so the mail flow is low unless the primary is down. While we don't know of any rejections caused by UCEProtect, we also don't have large amount of emails going out at the moment through Linode to know for sure.
The notices we get are through our external monitoring system which checks the instance for possible blacklisting against well known RBL's.
Is it possible you have a customer that's still sending out large amounts spam and causing UCEProtect to keep the ISP level blacklist on Linode?
Hello,
we have a further list for all of our Linode servers due to a characterisation of your network
This is now on LEVEL 2
dnsbl-2.uceprotect.net
Net 172.104.224.0/19 is UCEPROTECT-Level2 listed because 184 impacts are seen from LINODE-AP Linode, LLC, US/AS63949 there. See: http://www.uceprotect.net/rblcheck.php?ipr=172.104.237.43
dnsbl-3.uceprotect.net
Your ISP LINODE-AP Linode, LLC, US/AS63949 is UCEPROTECT-Level3 listed because of a spamscore of 665.7. See: http://www.uceprotect.net/rblcheck.php?ipr=172.104.237.43
Do you intend to take any action on this?
thank you
mjones
Linode Staff
Hi @1to1 and @apogeelu - I'll do my best to answer both your questions:
The UCEPROTECT Level 2 list is similar to the Level 3 list, except where the Level 3 lists entire ASNs the Level 2 lists IP ranges. Both have similar practices of listing domains that have a certain number of "impacts" in a 7 day period. There's not much info given on what counts as an "impact" and for the level 3 list specifically one of the examples used is 55 "impacts" over 1024 IP addresses causes a "spam score" on their list of over 5300. It's unclear what counts as an "impact", and whether or not separate reports of the same email from the same IP address would count as more than one "impact". In addition to the automatic listing conditions, there is the possibility of a manual listing, though the criteria for when that would happen is unclear and it seems to be solely at the discretion of the list operators.
The process of delisting requires either manual intervention from the list operators, for which they charge a fee, or that there be no "impacts" registered for that ASN or IP range for 7 days. According to the info available, it would only take a single "impact" within the 7 day period to keep a listing active.
That being said, UCEPROTECT isn't widely used and is unlikely to cause deliverability problems. Because of this, and our findings that the list isn't considered reputable, we have decided to not attempt to pay for manual delisting.
If you find any bouncebacks or errors related to UCEPROTECT could you send them our way in a ticket? Myself or another member of the Support team would be happy to take a look.
The issue stopped for a day but continues
Report on offending IPs
->
Report generated for 2a06:4944:8fb:7c00:1d84:4edc:691a:125b at 11.02.2021 23:52
UCEPROTECT-Level3 Details
AS63949 | LINODE-AP Linode, LLC, US
Timezone is CET.
IP Impacts Latest Impact
+/- 1 Minute Earliest Expiretime
23.92.29.85 1 10.02.2021 22:56 18.02.2021 00:00
45.33.5.223 2 10.02.2021 22:22 18.02.2021 00:00
45.33.7.49 1 09.02.2021 23:23 17.02.2021 01:00
45.33.24.113 7 10.02.2021 17:00 17.02.2021 19:00
45.33.124.121 12 11.02.2021 12:50 18.02.2021 14:00
45.56.91.118 8 11.02.2021 10:35 18.02.2021 12:00
45.79.83.62 4 10.02.2021 18:24 17.02.2021 20:00
45.79.106.170 7 11.02.2021 07:32 18.02.2021 09:00
45.79.110.218 7 11.02.2021 12:37 18.02.2021 14:00
45.79.126.30 1 11.02.2021 04:40 18.02.2021 06:00
45.79.136.161 14 11.02.2021 01:49 18.02.2021 03:00
45.79.138.240 1 10.02.2021 06:31 17.02.2021 08:00
45.79.151.240 1 11.02.2021 17:03 18.02.2021 19:00
45.79.185.147 2 09.02.2021 14:37 16.02.2021 16:00
45.79.189.15 1 09.02.2021 21:02 16.02.2021 23:00
45.79.195.46 1 11.02.2021 22:16 19.02.2021 00:00
45.79.211.43 1 09.02.2021 13:40 16.02.2021 15:00
45.79.226.48 1 10.02.2021 16:18 17.02.2021 18:00
45.79.250.158 12 11.02.2021 20:55 18.02.2021 22:00
50.116.12.94 1 11.02.2021 17:46 18.02.2021 19:00
50.116.43.238 3 11.02.2021 22:20 19.02.2021 00:00
66.228.46.113 1 10.02.2021 00:10 17.02.2021 02:00
69.164.219.142 2 09.02.2021 12:47 16.02.2021 14:00
69.164.221.39 1 09.02.2021 23:17 17.02.2021 01:00
74.207.245.21 1 11.02.2021 16:17 18.02.2021 18:00
80.85.84.75 16 11.02.2021 09:12 18.02.2021 11:00
97.107.131.98 62 11.02.2021 19:17 18.02.2021 21:00
97.107.134.124 4 11.02.2021 18:55 18.02.2021 20:00
104.200.16.116 1 10.02.2021 01:02 17.02.2021 03:00
139.162.13.108 1 11.02.2021 13:15 18.02.2021 15:00
139.162.15.89 2 11.02.2021 13:18 18.02.2021 15:00
139.162.18.157 2 11.02.2021 13:19 18.02.2021 15:00
139.162.27.174 7 09.02.2021 20:38 16.02.2021 22:00
139.162.65.76 8 11.02.2021 11:37 18.02.2021 13:00
139.162.69.98 6 11.02.2021 20:42 18.02.2021 22:00
139.162.72.191 5 11.02.2021 22:31 19.02.2021 00:00
139.162.75.99 6 11.02.2021 06:40 18.02.2021 08:00
139.162.77.6 9 11.02.2021 21:10 18.02.2021 23:00
139.162.84.112 8 11.02.2021 22:35 19.02.2021 00:00
139.162.86.84 6 11.02.2021 14:12 18.02.2021 16:00
139.162.90.220 6 11.02.2021 19:36 18.02.2021 21:00
139.162.98.244 10 11.02.2021 19:09 18.02.2021 21:00
139.162.99.58 7 11.02.2021 22:27 19.02.2021 00:00
139.162.104.208 3 11.02.2021 10:38 18.02.2021 12:00
139.162.106.178 6 11.02.2021 14:35 18.02.2021 16:00
139.162.108.62 5 11.02.2021 11:22 18.02.2021 13:00
139.162.110.42 9 11.02.2021 12:22 18.02.2021 14:00
139.162.112.248 3 11.02.2021 16:15 18.02.2021 18:00
139.162.115.221 5 11.02.2021 19:59 18.02.2021 21:00
139.162.116.22 13 11.02.2021 20:12 18.02.2021 22:00
139.162.118.185 10 11.02.2021 16:12 18.02.2021 18:00
139.162.118.251 9 11.02.2021 21:19 18.02.2021 23:00
139.162.120.98 7 11.02.2021 06:52 18.02.2021 08:00
139.162.121.165 5 11.02.2021 19:45 18.02.2021 21:00
139.162.121.251 10 11.02.2021 14:22 18.02.2021 16:00
139.162.123.29 5 11.02.2021 18:00 18.02.2021 20:00
139.162.145.250 8 10.02.2021 02:22 17.02.2021 04:00
139.162.247.102 6 10.02.2021 03:00 17.02.2021 05:00
172.104.14.201 2 10.02.2021 00:31 17.02.2021 02:00
172.104.24.225 5 09.02.2021 22:32 17.02.2021 00:00
172.104.26.242 4 11.02.2021 02:22 18.02.2021 04:00
172.104.65.226 3 11.02.2021 07:15 18.02.2021 09:00
172.104.76.217 9 11.02.2021 21:15 18.02.2021 23:00
172.104.92.168 8 11.02.2021 20:13 18.02.2021 22:00
172.104.92.209 4 11.02.2021 01:51 18.02.2021 03:00
172.104.94.253 8 11.02.2021 21:55 18.02.2021 23:00
172.104.109.88 5 11.02.2021 18:42 18.02.2021 20:00
172.104.109.160 6 11.02.2021 16:40 18.02.2021 18:00
172.104.112.244 6 11.02.2021 18:00 18.02.2021 20:00
172.104.116.36 7 11.02.2021 14:42 18.02.2021 16:00
172.104.122.237 8 11.02.2021 21:42 18.02.2021 23:00
172.104.124.229 9 11.02.2021 10:42 18.02.2021 12:00
172.104.125.180 6 11.02.2021 22:42 19.02.2021 00:00
172.104.139.66 1 11.02.2021 18:20 18.02.2021 20:00
172.104.166.231 1 11.02.2021 13:18 18.02.2021 15:00
172.104.240.69 2 10.02.2021 08:31 17.02.2021 10:00
172.104.242.173 21 11.02.2021 19:41 18.02.2021 21:00
172.105.11.150 1 11.02.2021 09:50 18.02.2021 11:00
172.105.11.170 1 09.02.2021 21:47 16.02.2021 23:00
172.105.13.75 4 10.02.2021 23:32 18.02.2021 01:00
172.105.15.33 1 10.02.2021 19:10 17.02.2021 21:00
172.105.16.137 2 11.02.2021 14:45 18.02.2021 16:00
172.105.26.170 6 09.02.2021 21:51 16.02.2021 23:00
172.105.34.166 3 10.02.2021 12:51 17.02.2021 14:00
172.105.52.207 5 11.02.2021 17:52 18.02.2021 19:00
172.105.61.249 2 11.02.2021 07:45 18.02.2021 09:00
172.105.77.209 26 11.02.2021 22:21 19.02.2021 00:00
172.105.89.161 17 11.02.2021 22:06 19.02.2021 00:00
172.105.90.188 3 11.02.2021 21:17 18.02.2021 23:00
172.105.103.83 1 10.02.2021 07:47 17.02.2021 09:00
172.105.103.158 1 09.02.2021 18:29 16.02.2021 20:00
172.105.105.87 2 11.02.2021 09:47 18.02.2021 11:00
172.105.106.64 2 11.02.2021 04:56 18.02.2021 06:00
172.105.118.120 1 09.02.2021 11:41 16.02.2021 13:00
172.105.174.240 1 10.02.2021 16:17 17.02.2021 18:00
172.105.180.124 1 09.02.2021 15:33 16.02.2021 17:00
172.105.187.116 1 09.02.2021 15:33 16.02.2021 17:00
172.105.192.195 7 11.02.2021 02:15 18.02.2021 04:00
172.105.197.151 4 11.02.2021 02:35 18.02.2021 04:00
172.105.207.40 4 11.02.2021 08:05 18.02.2021 10:00
172.105.210.107 6 11.02.2021 12:07 18.02.2021 14:00
172.105.213.140 1 09.02.2021 22:52 17.02.2021 00:00
172.105.217.71 7 11.02.2021 20:15 18.02.2021 22:00
172.105.219.236 7 11.02.2021 15:34 18.02.2021 17:00
172.105.224.78 9 11.02.2021 19:11 18.02.2021 21:00
172.105.225.204 6 11.02.2021 13:57 18.02.2021 15:00
172.105.239.183 4 11.02.2021 14:22 18.02.2021 16:00
176.58.124.134 8 11.02.2021 04:22 18.02.2021 06:00
178.79.128.152 3 11.02.2021 07:05 18.02.2021 09:00
178.79.129.218 1 10.02.2021 00:00 17.02.2021 02:00
178.79.146.7 1 10.02.2021 23:37 18.02.2021 01:00
178.79.174.152 2 10.02.2021 16:18 17.02.2021 18:00
192.46.213.5 5 10.02.2021 14:50 17.02.2021 16:00
192.53.160.135 4 11.02.2021 20:51 18.02.2021 22:00
192.53.170.235 1 09.02.2021 16:00 16.02.2021 18:00
192.53.170.237 1 09.02.2021 16:00 16.02.2021 18:00
192.155.80.195 5 09.02.2021 15:15 16.02.2021 17:00
212.71.239.106 8 11.02.2021 20:57 18.02.2021 22:00
213.168.250.151 12 11.02.2021 20:41 18.02.2021 22:00
Yay, had an email from MXToolbox about a week ago informing me this had cleared… Then lo and behold another email tonight informing me that my IP (Well Linode in general) is back on the list.
Can someone not just sue these arseholes(UCEProtect, not linode) for vexatious practices?
Today I was surprised to find all my Linode IP addresses on 2 servers are listed at UCEPROTECT Level 3, and some on Level 2 and 3. The funny part is that I have 3 IPS that I have had for over 3 years and have never ever used them, they are not attached to any accounts or any emails, and yet they are listed at Level 3.
Is there a solution to this? will this impact the email delivery of my clients? and is there a way we can get past these RBL that appear to be scammers?
Here is an interesting blog that I came across today:
https://securityboulevard.com/2021/02/uceprotect-when-rbls-go-bad/
jyoo
Linode Staff
Our ASN was indeed placed back on UCEPROTECT's Level 3 list shortly after we were moved to Level 2. Even after re-listing, we have not seen reports of emails blocked as a direct result of UCEPROTECT, so we do not believe that email deliverability is being impacted. What we are seeing is that customers whose emails are being rejected are on the RBLs of specific email providers, such as Microsoft or AT&T. If you're in this situation, we ask that you open a Support ticket so that we can request delisting from the specific provider that is rejecting the emails.
Regarding the overall state of UCEPROTECT as an RBL, we've found that most email providers do not use their list. Use of the Level 3 list to block email would result in rejecting all emails from the listed provider's ASN, most of which are not spam. I can't speak to how other listed providers view these types of RBLs, but I can confirm we will not be paying for delisting from Level 3. We're continuing to cut down on spam being sent from our platform as well as ensure all new accounts have SMTP restrictions in place by default.
This is not correct. AT&T-related domains are blocking mail from Linode IPs as of 2/19/2021 and I've submitted a ticket with Linode support:
XXX@bellsouth.net: host al-ip4-mx-vip1.prodigy.net[144.160.235.143]
said: 553 5.3.0 alph764 DNSBL:RBL 521< 23.239.24.27 >_is_blocked. For assistance forward this error to abuse_rbl@abuse-att.net (in reply to MAIL FROM command)
Please pursue this with UCEPROTECT and/or AT&T, Linode folks.
We are getting this with Outlook as well sigh (we are not on any other blacklists, and our IP is clean on M$'s own "request removal" system for blacklisted IPs, so pretty sure this is coming from UCE)
host outlook-com.olc.protection.outlook.com [104.47.41.33]
SMTP error from remote mail server after MAIL FROM:<support@etrust.pro> SIZE=5839:
550 5.7.1 Unfortunately, messages from [45.79.97.48] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [DM3NAM03FT045.eop-NAM03.prod.protection.outlook.com]
Can someone please shut these pirates down? By all means block IPs if they are spamming / being used maliciously, but blocking a whole ISP's subnet is crazy!!!!
watrick
Linode Staff
In the case of the 550 message that you posted above, @andynewby this looks like a blocklist related to Outlook. If you were to open a Support ticket with the following information, we can try to get your IP address delisted from Microsoft:
Ensure you have Reverse DNS (rDNS)](https://www.linode.com/docs/guides/configure-your-linode-for-reverse-dns/) configured and an SPF Record set up.
The domain that you're sending email from
The 5xx error message you received (and posted above).
We can't guarantee the IP we get delisted, though we've seen success by doing this.
Thanks @watrick. Just looking at it, we do have the rDNS setup - but not DKIM or DMARC. I've just set those up. Will keep an eye out to see if we get more bounces after that change. Thanks!
I've just had email blocked by an icloud.com email address.
https://support.proofpoint.com/dnsbl-lookup.cgi?ip=178.79.129.204
Looks like UCEPROTECT Level 3 range blocking.
This Level 3 block is not yet lifted. We have been getting blocked by them since the list I am running started in earnest last week (Feb. 26, 2021). Unfortunately the site I am trying to deliver mail to is a large Australian university so I don't see much chance of getting them to change their rules. Can anyone with more time on Linode provide any anecdotal evidence for how long these blocks last and how often they repeat?
Cloudmark are now blocking, and the only blacklist our IP is on is UCEPROTECTL3.
This is nothing more than vexatious behaviour by them, but if not resolved soon I will need to start considering moving my custom to another provider.
Linode has always been a great place to be, I even recommended it as a host to my employer who now has more than 150 VPS on here, but you cannot keep ignoring the problem and hoping it will go away.
It's amazing they don't provide details of the IP's that are affecting the ranking, so something can be done!
We run a hundred or so websites on Linode and this is starting to have an impact with clients asking to move away from the system.
An example would be a client of ours who, when they send emails out with links to their website, are being marked as spam and/or dangerous.
We love Lindode, have used them for over 10 years without issue. I do hope this can be resolved.
I still can't work out why any ISP/provider would use UCEPROTECTL. They are just modern-day pirates, with no backbone
@andynewby --
You write:
I still can't work out why any ISP/provider would use UCEPROTECTL. They are just modern-day pirates, with no backbone
Most ISPs/providers are run by bean-counters/marketeers who wouldn't know a blacklist from dog poo. They subscribe to BS like this on the perceived strength/glossiness of UCEPROTECTL's marketing/sales pitches…not for any sound technical reason or as a solution to any actual client-/subscriber-protection issues.
The faux syllogism goes like this:
- My competitors are doing it.
- I am losing (an infinitesimal amount of) share to my competitors.
- I must do it as well.
The proof is left to the reader…
-- sw
Come on @Linode, what can be done about this other than your customers praying for deliverance or taking their custom elsewhere?
_Brian
Linode Staff
@mooret1972 I would recommend opening a ticket in your case. Many folks like yourself have done their own investigation after seeing a bounce from a mail provider that uses a private RBL such as Outlook, ATT, or Cloudmark (Proofpoint) and determined that the UCEPROTECT listing was responsible when that was not the case.
Yeah, this list does in fact seem to get used by @free.fr and Orange in France, quite large providers.
I know that to be the case because the mail started bouncing to these destinations right when the UCE L3 block got added. My mail server does all the right things with DKIM, SPF, and DMARC.
Of course, it is 'colloquial' evidence because the bounces from free.fr don't mention UCEProtect, they just throw '550 spam detected'. But they were accepting mail up til that point..
Unfortunately I can't see what Linode can do about this. I agree with other posts here that UCE are basically an extortion racket. Pressure needs to be put on the other mail server providers to avoid using it, and for as much bad publicity to be made about UCEPROTECT as possible, by all of us.
I get load of spam from CA (LINODE)), made many raports to abuse@linode.com. Never got any response back.
_Brian
Linode Staff
@mig5 According to this page Orange also uses Cloudmark. Like the person just above you, I would also recommend opening a ticket and we can reach out. It does appear Orange accepts delisting requests to their abuse@ address.
Speaking for myself here only w/r/t what should be done, I'd be happy if they weren't trying to label us a "SPAMHEAVEN" when looking at the individual listings shows a bunch of entries that have nothing to do with spam. Someone could spin up 200 Nanodes for 5m and port scan a UCEPROTECT honeypot, and suddenly the entire Linode AS is a "spammer" network for a week.
@Tntdruid Unless it has been years since you sent us a report, I'm having difficulty reconciling your comment. Our abuse inbox has been monitored by a person 24/7/365 for longer than my tenure at Linode, and we take action on every complaint that we can. There are very few exceptions to that, and I welcome you to keep sending us any reports for abusive behavior.
I am having this same issue and have my own work and client emails being blocked by Gmail because of it. Submitted a ticket, but this is a massive headache now.
Hi all,
I was blocked by Cloudmark this week. Tried to send a message to a builder to confirm a quote for repairs after we were flooded at Christmas and got blocked. I was able to get my IP delisted using CSI IP Reputation Remediation Portal. It took two requests to do it but the messages have now gone through.
UCEPROTECT seems to be a bit overkill blocking and entire AS level. Their monitoring seems to be able to detect the network range the trouble is coming from so why they don't target those ranges seems odd to me.
Take care,
Ryan
UCEPROTECT seems to be a scam… they block entire ASNs and then ask innocent users of IPs within that ASN to pay them to whitelist their IP, which removes the IP from their Level 2/3 blocks.
Here is a blog post about it:
https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html
(EDIT: I see this article was already posted at another link in a comment above)
In short, I wouldn't worry about this. Its highly unlikely that any reputable mail provider like Gmail or Outlook is blocking inbound emails based on UCEPROTECT.
Same problem. Blocked by cloudmark. This is affecting our business.
"someone@domain.it: host mx.domain.it[62.149.X.X] refused to talk
to
me: 554 mxdhfe06.ad.aruba.it bizsmtp MEkclmGqniL3F Connection refused
from
176.58.X.X. See
http://csi.cloudmark.com/reset-request/?ip=176.58.X.X
for more information.
"
"In short, I wouldn't worry about this. Its highly unlikely that any reputable mail provider like Gmail or Outlook is blocking inbound emails based on UCEPROTECT." by @raman
Unfortunately outlook.com (hotmail.com, live.com, etc.) are using this block list, meaning no e-mail can be sent to these addresses from the blacklisted Linode IP range:
anonimized@hotmail.com
host hotmail-com.olc.protection.outlook.com [104.47.55.161]
SMTP error from remote mail server after pipelined MAIL FROM:<anonimized@anonimized.com> SIZE=3028:
550 5.7.1 Unfortunately, messages from [my.linode.ip] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [BN8NAM12FT056.eop-nam12.prod.protection.outlook.com]
Reporting-MTA: dns; anonimized.com
This issue as also moved over to ESET Anti Virus. The 172.105.174.0 is on there block list and is causing issues.
So if UCEPROTECT is a scam, shouldn't Linode be using whatever leverage it has to rectify the situation? I have 4 completely separate domains on a brand new server all experiencing issues. The only place any of them are listed is UCEPROTECT.
UCEPROTECT even looks like a scammer site. They even state that they will not talk to you. They accept ransom payments as well. According to mxtoolbox, UCEPROTECT is the only blacklist my domain is on of 50 or so…and it is "Level 3" or entirety of Linode.
So can I start a listing service and randomly target hosting providers for ransom? Is that how this works now????
What is the law against extortion? Could this all be construed as extortion? It sure seems close to extortion to me.
@maallyn --
Unfortunately, UCEPROTECT has to be prosecuted under applicable law…which in this case is Germany, Austria, Switzerland.
-- sw
Same Isue…
Serious problems with sending mail, all our messages are rejected, example:
Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [DB5EUR03FT022.eop-EUR03.prod.protection.outlook.com]
We've checked and found that the Linode AS63949 is listed in the uceprotect blacklist.
In order to put our ip on the white list, these gentlemen ask money.
This situation is very ridiculous (I suspect it is a scam).
Why Linode does not take action?
I have tried to stay quiet on all of this, despite getting constant calls about people unable to send email to various recipients.
The argument that people should not take UCEProtect seriously and not to worry about it, is frankly unprofessional, especially considering the amount of evidence that this is indeed affecting anyone sending mail out of Linode to asps/isps using UCEProtect.
Enough sweeping this under the carpet. As much as I hate the UCEProtect guy as much as you do, HE DOES HAVE THE UPPER HAND. And, Linode thinks it will just go away on its own. We are 30 DAYS in, with no end in sight. None. Nada. Zippo.
It costs UCEProtect NOTHING to keep Linode on the list, so what motivation is there if Linode just does nothing? Just like Linode, Microsoft, Barracuda, AT&T, etc., etc., etc. aren't doing anything, either. You ask us to individually put tickets in, but YOU KNOW HOW BIG THIS IS. This idea of buckshot patching is not solving anything. And, the fact this is being talked about in forums and not addressed with the responsibility of an issue this large makes me wonder what else is swept under the rug.
Linode, I expect better from you. I looked forward to migrating to your network, and while I like your systems, I am starting to really dislike your approach to dealing with major issues like this. This pissing contest is affecting our livelihoods.
There are lots of things you can do that we cannot. And, those are the straightforward ones. This does not begin to touch the creative solutions.
Linode is known for being innovative.
Let's see it.
jackley
Linode Staff
Thanks for the feedback, folks, we understand this isn't ideal. The only quick solution is to pay to delist each IP address, which is a non-starter. I'll pass this feedback along and see what can be done to sort this out.
@GruppoEuro @homebutton if you're having Microsoft deliverability issues, reach out in a Support ticket and we can request the IP address be delisted (UCEProtect has nothing to do with Microsoft's own blocklists, so far as we know).
Wikipedia lists UCEPROTECT as an RBL service right along with other well-known RBLs. There are Reddit threads which reference the Wikipedia article as proof that UCEPROTECT is "legitimate". (insert clown emoji here) I cannot find a way to request an edit to the Wikipedia page but it appears the page has taken heat. It seems UCEPROTECT itself should be flagged as a likely scam on that page.
Are provider technical staff or package maintainers relying on these same sources when including UCEPROTECT in their chain? I looked for ways to provide feedback to Spamassassin - which appears to include UCEPROTECT - but cannot find a way to converse with them.
This is a true systemic problem. I think it has to be approached at the package maintainer level. Comment out UCEPROTECT in the configs with a note that it is a scam so it can't creep back in. Complaints will be lost on high level folks such as those monitoring "abuse@" mailboxes. What's surprising is UCEPROTECT has been doing this since at least 2001.
According to UCEPROTECT, it appears a "Level 3" can be triggered when their "honey pot" email addresses get too much spam. So are they too ignorant to spot or understand spoofing? Or are they being willfully ignorant in order to justify ransoms? Do they feed their own honey pots to create a trail of "evidence" for the purposes of justifying ransom payments? Whether it is ignorance, fraud or potentially activism gone wrong is immaterial - they are allowed to target vast swaths of people and business worldwide and it must stop.
As far as I know, anyone can edit a Wikipedia article. You do have to have a Wikipedia account, but anyone can get one.There are limitations, of course. Your edits have to be sourced. Think of it as an ecyclopedia. In addition, all articles have a talk page that is there to discuss the article. The talk page is accessed via a tab on the upper right hand corner of the page. I have a wikipedia account and I have about a 10 year history of doing edit with them.
I am willing put a question on the Talk page for the Wikipedia article on the comparison of DNS blacklists, which is where I see UCEPROTECT mentioned. There is no dedicated Wikipedia article on UCEPROTECT.
I do have to warn you, though. Wikipedia insists on sourcing; ie; think of this as a bibliograpy for a research article.
Are there any new/trade/professional journals, etc that indicate problems with UCEPROJECT? For example, anything in ZDnet, Arts Technica, or anything at all that you can point me to that I can use as sources?
I am afraid I have been also battling with UCEPROTECT L3 for the last month. I see a sizeable uptick of users among reputable mail providers (e.g. @web.de addresses, one of the main providers in Germany, relies on UCEPROTECT L3).
I will open a ticket; but if this is not solved I will be forced to move my whole infrastructure to another cloud provider. E-mail is a critical service for me, and it keeps getting worse with no actions in sight.
UCEPROTECT, scammy as it indeed is, provides a list of culprit IPs that lead to the most impacts. Did Linode staff run an internal investigation to assess why these hosts are allegedly originating spam? Did you think to firewall repeated offenders?
For instance, many of the main culprits at UCEPROTECT as of this writing are also present on several other RBLs:
http://www.anti-abuse.org/multi-rbl-check-results/?host=74.207.245.21
http://www.anti-abuse.org/multi-rbl-check-results/?host=139.162.79.87
http://www.anti-abuse.org/multi-rbl-check-results/?host=172.104.242.173
Why is this not being addressed by Linode?
I also despise how this guy is running UCEPROTECT asking for money for de-listing and generally being extremely unpleasant and unprofessional. But it's not an excuse not to address the root problem.
To tchernobog, I notice (I think) that you are responding to my query about the Wikipedia information on UCEPROJECT. I looked at the RBL information you provided for the IP addresses. Are those Linode IP addresses?
This makes me wonder, should I hold off on making any comments on the Wikepidia article's talk page until you get those addresses resolved? I don't want to get my foot in my mouth with Wikipedia if there is any real valid asset of UCEPROJECT.
jackley
Linode Staff
We hear all of you and we're trying to resolve the source of this issue. We'll share updates when we have them.
@jackley You may want to let whoever handles the support tickets know that. I'm facing deliverability issues, my server admin is telling me that "MX is not visible or propagating, this is linode issue and you need to raise it with them because A records and NS are visible" but the support person is whining about how they're getting a lot of complaints about UCEPROTECT.
You have a serious issue and its escalating. Gmail, Barracuda and other services are spewing out errors and rejections for domains I've owned for up to 20 years and have had on Linode for over 10. Email is the lifeblood of small business and it's not circulating, so those businesses are withering. This is not a casual issue where we can wait around until support takes its time to need to be convinced that there's a problem.
@maallyn seems like at least a conversation should to be started with Wikipedia about putting a clear warning on UCEPROTECT or even moving it to another section of "suspect" providers. This link to Security Boulevard from above enumerates the scamminess of UCEPROTECT well. There are a bunch of other links to discussions on this GitHub page where someone is asking the developer of an IP checker application to remove UCEPROTECT.
@tchernobog moving to a new hosting provider crossed my mind also but I don't think running from UCEPROTECT is the solution. They've been doing this for a long time and will get you again wherever you are. UCEPROTECT needs to be the focus. Consider that those other spam lists perhaps see UCEPROTECT as a competitor and are potentially loosening controls to "keep up"? Similarly, any hosting provider is going to have a certain amount of scofflaws. I'd assume the providers deal with those scofflaws but new ones pop up. Kind of like Whac-a-Mole.
Here's a conversation the UCEPROTECT "technical director" had with the IETF. What a rambling mess of interpersonal issues and hypocrisy. The guy is even trying to excoriate the IETF for not requiring transparency, public posting of listing criteria, etc which UCEPROTECT apparently cares nothing about anyway. This nutjob is now capable of targeting his craziness on vast swaths of internet communications. Marvel should make a movie with this person as a villain. Look around, there are more examples of this behavior. If anyone disagrees with this person, they are attacked, called names and accused of being bad actors in an attempt to smear and intimidate.
@practigmal --
I read the "technical director" guy's comments. Classic narcissist… I wonder if this is his first contact with the IETF standards process? If so, he's really naive about how it works and the kind of influence it has. Taking his football and going home is not really the kind of response to lack of support for his ideas (legitimizing extortion) in a standards committee…and he has the gall to accuse the others of unprofessional conduct…
UCEPROTECT exists because sales/marketing 'droids (who don't know the difference between a megabit and a bowl of cornflakes) at it's subscribers perceive it to be a valuable leg up on their competition. There's not much Linode can do about that.
Mind you, as an email operator myself, I think UCEPROTECT is much more insidious than the worst spammer. IMHO, Claus V. Wolfhausen should be relegated to Dante's 7th level of hell. The problem is that's a tough sell to someone who has no clue about email or how it works.
-- sw
FYI, here is the comment I just submitted to the talk page of the Wikipedia article on the list of RBL providers:
https://en.wikipedia.org/wiki/Talk:Comparison_of_DNS_blacklists#Noting_issues_with_UCEPROTECT
Thank you, Practgimal, for the links! I am hoping this will help present a perspective of this issue to the Wikipedia community.
Folks:
Regarding my last comment, I need to warn you all on one thing. The Wikipedia community is very different from our community. They are much less tech centric and much much more policy and article writing style centric.
I may need help from those of you who may be better at pursuasion than I am.
You can follow the discussion on Wikipedia at: https://en.wikipedia.org/wiki/Talk:Comparison_of_DNS_blacklists
@jackley,
As near as I can tell, we are not on any rbls, except UCE. It would appear that a lot of older providers are using UCE. MSN, Prodigy, ATT, etc seem to be using them.
@maallyn - what about just publishing an update with references? I could create an account and do that. If it has proper references and nothing that could be construed as slander, will it stick or just get deleted? Does there have to be discussion? Looks like nobody there wants to respond to your message?
@practigmal --
I think @maallyn's biggest concern is whether or not IETF mailing list posts are considered valid references by the Wikipedia editors.
-- sw
@Steve - my guess is that the person behind UCEPROTECT will just come in and delete it. Looks like someone removed two other attempts at pointing out the flaws of that RBL. One of those removals was tagged as "that's what spammers say" which matches that person's MO perfectly.
So maybe a conversation is best to maybe get it locked as well? Though Wikipedia is just one step I think.
Though I don't understand how an RBL can get added with no references and proceed to be reckless, belligerent and incorporate charges which incentivize fraud or abuse - but then to get them removed, you need a Wall Street Journal article. Makes no sense but I suppose I don't make the rules or bestow authority at Wikipedia.
@practigmal --
The real people you have to reach are UCEPROTECT's subscribers. If (in @homebutton's words) MSN, Prodigy, ATT, etc. are all using UCEPROTECT, those are the people that you have to convince that they're aiding & abetting an extortion scheme.
Since UCEPROTECT is a German company, any illegal actions that may be alleged have to be proven in a German court. I'm not a lawyer (much less an expert on German law) but my guess is that the bar for criminality of UCEPROTECTs behavior under German law is much higher than it is in the US.
The people at MSN, Prodigy, ATT, etc. who probably manage the UCEPROTECT subscription probably only know enough about Wikipedia to use it to write term papers on Sunday nights before Monday due dates about subjects they don't understand.
-- sw
@stevewi - I'm not opposed to attempting getting through to the heavy ISPs. But I'd also like to know where Linode is stepping in with any of this? They should have industry relationships which would make those tasks much more direct.
Linode? @jdutton, @_Brian, @jackley can you tell us where Linode is with this issue? I don't mind doing some of the legwork for things like Wikipedia who are probably going to scoff at a corporation but where is Linode in this pursuit?
Anyone tried with whitelisting.org, does it work? - I am not happy about payments for delisting :-(
What about asking Linode for another AS that is not listed?
I am in AS63949 right now…
Regards Martin
@twister5800 whitelisted.org is the ransom collection arm of uceprotect. AS63949 is the entirety of Linode.
The gist seems to be that uceprotect is a reckless and bizarre entity run by a small tyrant which creeps into spam blocking software once in a while to the point where it is capable of adversely affecting vast swaths of internet communications (and likely collecting a handsome amount of ransom payments). As far as I can tell, this happens every few years, then everyone complains and gets them removed…only for it to happen again later down the road.
@twister5800 --
Even if Linode could get a new ASN tomorrow (without disrupting their entire internet operation), there's nothing that would prevent UCEPROTECT from blacklisting the new ASN in an equally speedy fashion…probably faster since UCEPROTECT doesn't need any approvals from standards bodies to do what they do.
@practigmal is correct. A UCEPROTECT-like situation happens every few years…causing lots of stürm und drang. The perp usually implodes or runs afoul of local law and just disappears.
This is not to minimize the short-term pain for everyone…
-- sw
@practigmal and @stevewi thanks for your postings, it's crazy with this UCEPROTECT, I even wonder why the ISP's are using them ?! Crazy, it's kinda like cryptolocker for IP's, "Pay the ransom or your IP / Business will be blocked!"
The Wikipedia RBL page has been updated to add a "Suspect RBL Providers" section. UCEPROTECT was moved to that section with an explanation of their tactics. A warning was placed at the top of the page as well.
The Wikipedia page is not "locked" so we may have to consider getting it locked in order to limit edit-war. If UCEPROTECT undoes the edit (and they will), I have the original markup ready to go. That tyrant will not go away easily.
@Linode - still curious what you are doing to help. ;)
If UCEPROTECT does indeed revert the edit, I would suggest that we request (and there is a Wikipedia process in doing so) to have an arbitration done for this edit.
If we try to revert their revert, then it can escalate to a revert war and that is something we do not want. With arbitration, both sides get to say their piece before a committee of editors (none of whom is supposed to be affiliated with the topic (that is, none affiliated with us and non affiliated with UCEPROTECT). That committee make a decision as to whether the edit stays.
I ran into this issue today, and from what I'm seeing in this thread, would it be correct to assume that using Linode for self-hosted email is not a good idea as long as some providers use UCEPROTECT?
@monkeyangst - good question. On one hand, we know UCEPROTECT has affected many other providers, including AWS so you're really not safe anywhere from their misguided or fraudulent dealings.
On the other hand, @Linode, @jdutton, @_Brian and @jackley have told us absolutely nothing about what Linode is doing to get this remedied so as far as we know they are completely ignoring it and hoping it will go away.
Let's hope Linode tells us that they are doing something besides telling us to file tickets when we are blocked with specific providers - so they can simply act as a proxy to asking those postmasters to unblock specific IPs. Maybe they're doing more but as far as we know, they're just offering that "they understand" we are upset and then promptly burying their heads in the sand.
I've been a Linode customer since July of 1999 (or almost 22 years). I have brought at least half a dozen other customers to Linode. This is the first time I have experienced any type of trouble. But Linode's lack of communications is really an eye-opener and, frankly, it is embarrassing to me as someone who has recommended Linode to other businesses. I will not recommend Linode again until I see at least better communications that lead me to believe Linode is taking this seriously and taking specific, enumerated steps to remedy this issue AND this issue is satisfactorily and fully remedied.
Unfortunately, based on everything I have read here, there isn't much that Linode can do. UCEPROTECT is causing the problem. Whether or not that problem is impacting Linode customers, or perhaps customers of other hosting providers, is irrelevant to the hosting providers themselves being able or unable to do anything about UCEPROTECT. Also, though this isn't the first time Linode hasn't clearly communicated something right away, there probably isn't much they can communicate at the moment. The situation is a bad one for everyone involved.
@tech10 - I fully understand. Linode customers updated the RBL Wikipedia page - and then another editor appears to have backed those edits up with a ton of other small edits - but who knows if that'll stick. At least it's a start.
But what is Linode - who is using our money to pay for multiple backbone connections to the Internet - leveraging with those high-level contacts? Anything? Are all of the above just tolerating the UCEPROTECT tyrant until he - yet again - goes away while we suffer or are they prepping legal staff as we speak? Customers want to know (just a guess) how all of our money is being spent on our behalf.
"I looked for ways to provide feedback to Spamassassin - which appears to include UCEPROTECT - but cannot find a way to converse with them."
I have some history with spamassassin folks. Can you give me evidence that they're including UCEPROTECT?
I just checked their latest rules, updated yesterday, and I don't see it:
darxus@panic:/var/lib/spamassassin/3.004002$ grep -ir uceprot .
darxus@panic:/var/lib/spamassassin/3.004002$
Any spamassassin administrator could add their own local rules to use UCEPROTECT. They're not hard to find.
I see no mention of it on their dev list. There were 17 posts about it on their users list, only in November 2016. uceprotect participated in the thread, plenty of other people pointed out how sketchy it is. The thread is easy to find via google search for: spamassassin uceprotect issue
I'm glad to see good progress has been made on the wikipedia article.
I ended up here because I noticed gmail flagged one email from my server as spam. I have no evidence that it's related to UCEPROTECT.
Oh, what about getting uceprotect removed from mtoolbox.com's blacklist search? Has anybody contacted them about this? Linode?
I just found this article after many hours trying to find a way to remove this blacklist for our servers. They are unfortunately part of the blacklisted subnet at UCEPROTECT which is a contradiction in terms. The only blackist against out servers at MXTOOLBOX is UCEPROTECT in a list of over 50 rbls's
This is affecting multiple clients who cannot send to their legitimate clients via email.
I cannot get a response from linode support on the tickets raised on this issue. We are at the point of looking at moving all of our cloud hosting to another provider with all of the inherent risks that entails just to restore normal email services to our clients.
It is utter nonsense that this unscrupulous service is allowed to disrupt the lawful operation of so many businesses and seems to operate with impunity.
If the collective outcry from all of the contributors to the debate are not enough to get linode to solve this problem, then what is the answer for us providers.
This seems to be going in only one direction where ultimately there will be only a handful of mega email service providers i.e. Google, Microsoft. And the smaller hosting service provider will be dead!
jackley
Linode Staff
I wanted to provide a general update on where we are with this problem and address a misconception about how UCEProtect might impact mail deliverability.
UCEProtect may not affect your mail deliverability.
Our ASN's presence on UCEProtect does not necessarily mean that this listing is causing your emails to bounce, even if your email is bounced and the reason is given as an RBL listing. Many email providers, including Microsoft (which seems to account for the majority of our blocklist issue tickets), maintain their own blocklists and allow us to request delisting on behalf of our customers; most are successful. AT&T also allows us to request delisting from their blocklists.
If your emails are being bounced by a specific network and the bounce message indicates the message was blocked because of spam, please open a ticket, provide us with the bounce message, and we'll do our best to help you. However, because most bounce messages (that we've seen to date) don't state which RBL is responsible for the bounce and because we don't know who uses UCEProtect for spam filtering, we remain skeptical at how much actual email is being bounced because of this blocklist.
Having said that, I'd like to see us delisted from this list more than anyone, if only to remove listing on this blocklist as a possible factor. This leads me to my second point:
What is Linode doing about UCEProtect?
A number of the IP addresses that are generating the most impact points (which get providers listed on the various levels of this list) belong to customers performing security research, all of whom have been approved to do so by Linode. We're working with the applicable customers to address the source of the problem that's gotten their IPs listed on this blocklist, and we've already seen improvement within the last week.
Since a number of our approved security researchers have been with us for years, and since most weren't listed on this blocklist until the start of 2021 (when UCEProtect changed their listing policies), we're trying to come up with a solution that's best for our affected customers and us.
I promise you that we care about this problem and that we're working on it every day, but there aren't any quick or easy solutions that we see.
In the meantime, as I said, please reach out to us through a ticket when you get email bounced errors and we'll continue to try to get them delisted from blocklists. If you open a ticket about this issue, we ask that you provide and confirm the following:
- A copy of the 550 bounce code from the mail server
- The domain name sending mail
- Confirmation that SPF has been configured for the domain sending mail
I'm hopeful that we'll have good news to share soon about Linode being delisted from Level 3.
Appears that an employee of UCEPROTECT seems to be starting to make complaints on Wikipedia and started to make changes.
@maallyn writes:
Appears that an employee of UCEPROTECT seems to be starting to make complaints on Wikipedia and started to make changes.
Not surprising… Narcissists are pretty thin-skinned about even objective criticism…of any kind.
-- sw
Hmmm the latest one seems to be https://mailspike.org/iplookup.html? All our Linode server IPs were put on it as "Distributed Spam Wave"
I run 3 different clients, and all of them have the same issue on their accounts. Is this a known issue? I know for a fact we don't spam from some of the servers that are listed, as we don't even have outgoing mail facilities and the servers are locked down!
I just checked 23.239.21.140, which is for conference.allyn.com, which is at the Linode Fremont, California data center. As of 9 AM Pacific U.S. time on Thursday, May 6th, there was no listing.
Uceprotect ASN block strikes Linode again…check for yourself. This is a problem.
Maybe we should strike back by blacklisting outgoing connections from Linodes to the known honeypot servers from UCEPROTECT :-).
Maybe we should strike back by blacklisting outgoing connections from Linodes to the known honeypot servers from UCEPROTECT
I'd be happy to do this…anyone have a list?
-- sw
Looks like we are good again (not showing as blocked)
I do have a list of known honeypots that I have built up on another project (crawling websites, and my ips kept getting blocked due to unknowingly pinging honeypot ips). Happy to provide what I've got if its any help? Not sure it would help though - as everyone would need to use it to be effective :) (BTW this list is for all "sinkholes" … so can't guarantee it has all of the IPs in for UCE!)
EDIT: I spoke too soon! Checking back again 6 hours later, and they are all back on the bloody UCE list… arghhhhh!
All of our five domains on Linode are now on the blacklist. One of our print vendors (colorfxweb.com) can't get our email which hurts both of us. We put in orders but they don't get them because their (lame) IT dept. must be hitting UCEPROTECT. I've told them about it but they may be using a 3rd party provider. Who knows.
Linode really needs to find out which of their customers are causing Linode's IP block to be listed and terminate those accounts.
Linode really needs to find out which of their customers are causing Linode's IP block to be listed and terminate those accounts.
This is a scam. The scammers' end is to extort money from Linode. There is probably no "trigger" as you suggest.
You and your customers can take action by refusing to do business with people who use this "service".
-- sw
Maybe we should strike back by blacklisting outgoing connections from Linodes to the known honeypot servers from UCEPROTECT
I'd be happy to do this…anyone have a list?
https://uceprotect.wtf/uceprotect.json has a list, plus nirvana.admins.ws as per http://www.uceprotect.net/en/index.php?m=2&s=0
jackley
Linode Staff
Hey folks – just a quick update, we're keeping a pretty close eye on UCEProtect and we're actively ticketing customers that get their IPs listed to see what we can do about it. As I write this, our Spamscore is 7.2 points away from automatically falling off Level 3 (down from 64 a few days ago), so hopefully we fall off soon.
I expect that this cycle of listing and delisting will continue for sometime.
All of our five domains on Linode are now on the blacklist. One of our print vendors (colorfxweb.com) can't get our email which hurts both of us. We put in orders but they don't get them because their (lame) IT dept. must be hitting UCEPROTECT. I've told them about it but they may be using a 3rd party provider. Who knows.
@acanton77 make sure you're checking for bounce messages, which often contain details about how you can delist yourself. I wouldn't assume that they're related to UCEProtect – many customers have reached out and we've been able to help them get delisted from Microsoft, ATT, etc. If you have these bounce messages and want to see if we can do anything, just open a ticket.
Linode really needs to find out which of their customers are causing Linode's IP block to be listed and terminate those accounts.
In instances of abusive or fraudulent customers, it's usually this simple, but that's not the case for most of the IPs we're finding listed on UCEProtect. What seems to have changed is UCEProtect's listing practices, not our customers' behavior.
Many customers are also finding out about UCEProtect through MXToolBox's blocklist checker. MXToolBox itself has summarized their stance on UCEProtect:
We have noted that some companies are dropping UCEPROTECT from their decision criteria due to the recent activity. We will watch this issue but will also continue to show UCEPROTECT listings as long as they are being used for email delivery decisions.
I expect that this cycle of listing and delisting will continue for sometime.
One of my other providers is working directly with UCEPROTECT to ensure that I don't have to go through this with them.
Is there some reason Linode can't do the same?
When you say things like…
What seems to have changed is UCEProtect's listing practices, not our customers' behavior.
… it sounds like you're just guessing.
A month or so ago you said that "security researchers" on your platform had caused this and that you'd dealt with it, but that's clearly not been sufficient.
What is Linode actually doing at this time to end the denial of service that its customers have been experiencing because of this?
@defulmere did you see the link for mxtoolbox? They are saying the same;
https://blog.mxtoolbox.com/2021/02/12/recent-spikes-on-uce-protect-level-3/
@andynewby the fact that UCEPROTECT changed how they operate isn't in question.
What's in question is what Linode is willing, or perhaps more appropriately unwilling, to do to minimize how this impacts their customers.
Unfortunately, UCEProtect are … not in the business of reputable mail delivery. They're in the business of aggressively listing whoever they can in the interest of extorting money from them.
If your email is blocked because someone is actually using UCEProtect at any level to protect their email, you probably don't want to be doing business with them anyway.
In short: UCEProtect is a scam.
I'm not sure if this is UCEProtect as well but I'm on their list too. However not only is email being blocked my site is blocked fully and is inaccessible by companies that use UCEProtect (i.e. AT&T). That's the case when I attempt to access the site from my house. If I do it through work, my mobile provider, or a VPN I can access the site no problem. Very frustrating.
@dnm no argument there, but as long as UCEProtect exists and mail providers use it (which unfortunately they do), then it's a problem for the rest of us who depend on IP reputation to get business done.
Linode almost certainly isn't going to pay UCEProtect, and it sounds like they're going after whatever gets reported to them, but they're also saying stuff like…
Someone could spin up 200 Nanodes for 5m and port scan a UCEPROTECT honeypot, and suddenly the entire Linode AS is a "spammer" network for a week. #
… so what's to be done? How does Linode improve this situation for their customers?
… so what's to be done?
UCEPROTECT appears to be a shakedown.
I'm contacting the postmaster of each domain for which I've had a bounce due to UCEPROTECT asking them to stop using UCEPROTECT, and I'm contacting each intended recipient of each message asking them to do the same.
@defulmere - who's to say someone at Uceprotect isn't spinning up those "200 Nanodes for 5m and port scan a Uceprotect honeypot"?
Scammers do things like that. Research Uceprotect just a smidge and you will get all of your questions answered. Most of the answers you seek are already in this thread if you choose to read through it.
The basic premise is that Uceprotect is a scam. The Uceprotect "Technical Director" even had some really bizarre argument with IETF. See this link (from Wikipedia). I don't know who your other providers are but there's no "working with" someone like that.
Though I do wish Linode and others would use more resources to fix or try to regulate this problem. Otherwise, maybe we should get into the RBL business and scam people. Why not, right? Uceprotect gets away with it and I'd bet they clean up from ransom payments.
200 Nanodes in 5 minutes???? It takes me about 5 minutes to start up a single linode instance, put my account in it, install the stuff I need, before I am able to do anything on it. How in heck do I set up 500 nodes in 5 minutes?
@maallyn - you could use a script/API to queue up 500 nodes from a pre-created image and they should all be ready in 5 minutes. Maybe sprinkle them across Linode DCs for maximum throughput.
If you're Uceprotect, your base image launches a script on startup to port-scan their honeypot. Maybe sprinkle your honeypot(s) into a list of other sites so it's not obvious. You could do this with Azure, AWS, Digital Ocean, etc. Just make sure you use a (cheap) non-logging VPN to do all of this. Then you claim the ASN is "bad" and put it on your RBL which gets propagated out to hundreds of thousands of mail hosts running common software. Out of tens of thousands of affected customers, a percentage are going to find "whitelisted.org" and panic-pay the ransom. "Whitelisted.org" sounds like a legit, industry-wide thing, right!
It's unthinkable that this isn't somehow regulated. Any script kiddie with a modicum of patience could affect this scam.
It looks like there was a pissing match on Wikipedia and that the person who works for UCEPROTECT has been barred from editing Wikipedia.
@maallyn Appears the ban was only temporary. Uceprotect was deemed to be a "sock puppet" by Wikipedia, aka using multiple fake accounts to defraud auditable history. No surprise and par for the course.
Telling that someone claiming to be an "authority" uses fraudulent tactics. Classic narcissist and again no surprise.
Also, @maallyn, appreciate you.
Hey folks, just wanted to chime in after reading the rest of the thread as I've been delivering Internet mail for… quite some years now (strokes invisible beard).
My mail machines are Linodes and so far I haven't seen any bounces, or had any bounces reported, that came from UCEPROTECT listings. They're well known shysters and no reputable mail provider will use them - for instance, if your mail isn't getting to Microsoft or to Gmail UCEPROTECT is guaranteed not to be the problem as they do their own blacklisting that is much more sophisticated and reputation-based than "is it on a third party list".
Nobody should be seeing significant rejections from a UCEPROTECT listing -- as long as your machines and your mail already follow the existing best practices for sending Internet mail. For instance, I have:
- Valid reverse lookups
- SPF, DMARC and DKIM, SRS all configured and working
- SSL with a valid certificate (more important for inbound mail, but a piece of cake to do with LetsEncrypt)
- DNSSEC
If you're forwarding mail (i.e. accepting mail for user@example.com and forwarding it to user@gmail.com for delivery) SRS will reduce your bounce rate substantially.
I had problems with delivery to Outlook when I only had SPF and valid DNS. If you want to get mail delivered reliably on the Internet now you really do have to make sure you're technically 100%. Simply injecting mail and keeping your fingers crossed just doesn't work these days. Remember that a lot of "spam/not spam" decisions are based on scoring rather than simple yes/no blacklist checks, and it's in your interest to tick as many of the boxes that decrease your spam score.
Oh, and if I was Linode I would be refusing to deal with UCEPROTECT at all and definitely refusing to pay them anything. They're shakedown merchants and shysters. Don't pay their protection money.
Is there any overall update from Linode on this? Every month, we are back listed.
I use Linode to host my personal VPN and this blacklist issue is affecting my ability to do my job, as multiple industry-specific websites are blocking me from accessing them.
Seriously considering taking my business elsewhere as it seems Linode can't keep their IPs clean for their honest users.
You didn't read all of this thread before posting to it did you?
This has nothing to do with Linode…or the "cleanliness" of it's IP addresses. UCEProtect RBL is a well-known shakedown scheme. They blacklist the entire ASNs (thousands…sometimes hundreds of thousands of IP addresses) and then ask for a fee to de-list.
It's unfortunate that people you do business with also subscribe to UCEProtect RBL. They shouldn't. On top of being a high-tech blackmail scheme, it's of marginal utility at stopping spam.
-- sw
@stevewi I did read the thread, and I agree about the shady shakedown scheme business model of UCEProtect, but my issue remains.
I'm not even dealing with email services, simply accessing StackOverflow and other major websites like Verizon or Disney+ … all blocked due to my "fresh" Linode IP.
SOLVED
I tried creating multiple new Nanodes today, ALL the IPs are blacklisted.
My solution was to switch to a new hosting provider who actually prevents abuse from festering within their servers.
☮️
So now an entire range is listed on Spamhaus
https://check.spamhaus.org/listed/?searchterm=2a01:7e01::
A device using 2a01:7e01::/64 is infected with malware and is emitting spam.
IP Address 2a01:7e01::/64 is making SMTP connections and identifying itself (via the HELO command) using a domain that is not possible: for example, "gmail.com" or "outlook.com". The providers that own these domains do not ever use them in this way, so this is a sure sign of a problem.
The most recent detection was on September 22 2021, 15:50:00 UTC (+/- 5 minutes).<<
Can anything be done about this?
@lyepd3cd68chfdb writes:
My solution was to switch to a new hosting provider who actually prevents abuse from festering within their servers.
UCEProtect are shakedown operators… Blackmailers tend to get/be greedy. I wonder who the "new hosting provider" is that is going to escape that.
UCEProtect has listed Linode's ENTIRE ASN (AS63949) in their "level 3" blacklist. According to my best information, that's 419 IPv4/IPv6 subnets of varying sizes…~550K IP addresses. Not ALL of them can be sending spam simultaneously! They want 449 Swiss francs ($527.09) for "express delisting"…with no guarantee that:
- they will do what they say; or
- AS63949 won't end up on their level 3 blacklist again within minutes.
$530 every 5 minutes is a pretty nice reward for (somewhat) fictional service. This thread started 8 months ago. The other major thread on this subject:
is almost 7 months old. AFAIK, AS63949 has been continuously listed in UCEProtect Level 3 during that whole time.
UCEProtect are located in Germany…conveniently out of reach of US consumer/criminal fraud protection.
-- sw
mcivitarese
Linode Staff
Hi @apogeelu -
Spamhaus has an FAQ with information on how they handle IPv6:
At the very bottom of the section they note the following:
NOTE: Linode customers should read this document, then open a ticket to get their own /64.
The document they're referencing is our IPv6 overview guide:
Which includes a section on obtaining additional IPv6 addresses:
You'll just want to open a Support ticket requesting a /64 routed range, due to the Spamhaus block. IPv6 addresses you configure from the /64 routed range to send mail should not be impacted by the Spamhaus block.
I hope this helps!
After two days of building my business on linode only to discover the issue with their dirty ASN, I've ended up moving to AWS. I realise this is not an issue with Linode (or is it), but end of the day, this is a huge problem for customers and potentially a bigger problem for Linode losing a lot of business opportunity.
The Reason UCE doesn't block AWS to extort them is their lawyers would be up UCE's collective ass.
I can't believe this is still an issue. Just set up a new Linode, and a client says he got a bounce back from hotmail.com due to us being on a blacklist. So I thought I'd look at MXToolbox, and low and behold UCESCAM comes up. Checking on their system it shows:
Subnet - 178.79.183.0/24 LISTED
1 -- 8 -- 4
So 1 abuser in the last 7 days, and 8 actual events in the last … and they think this is good enough to blacklist a whole bloody block!!!!!
I had to partially leave Linode after years of great service because of this.(moved high volume client machine on another account). Even though we sent emails through Mailgun - blacklisted IP tied to domain name still seemed tp cause spam issues. I have checked other IP addresses in the same range I had - some of them are listed with other lists, not just these zealots (UCE), which indicates that spam issues are not taken seriously by LInode :( I was checking back now, as I need to move again as apparently Vultr just had a 4 hour outage yesterday, and other users said it is not the first time they had such a long one. So I was hoping to come back, but it seems this issue is not resolved. I think this is the matter of survival for Linode.
_Brian
Linode Staff
@Alex_PL Linode is not currently listed with UCEPROTECT Level 3. We fell off the list on the 10th. We will likely continue to fall on and off the list as they continually count "impacts" against us for approved behavior that has nothing to do with spam.
It seems to me that the level 3 list is most effective at tricking folks into believing that it is the cause for their mail being blocked. In hundreds of tickets since they changed their rules last January, I have seen exactly 2 pieces of blocked mail as a result of that listing. In both cases they were from very small providers that knowingly chose to use the "draconian" list. I have not seen a single piece of mail rejected as a result of the UCEPROTECT Level 3 listing from a large/reputable provider.
If you've received a bounce message from a mail provider while sending mail from a Linode, I recommend opening a ticket so that our Support team can take a look. We'll be happy to help.
[@Brian] (/community/user/Brian) maybe it was not listed 1 week 5 days ago when you wrote your message. But now it does affect me. I couldn't write to the teacher of my son.
Here
http://www.uceprotect.net/en/rblcheck.php
we see that it's on the list (again).
This thread is now a year old. On the page I named you will also find a 'help for ISPs'. You should really fix that. Otherwise there is no meaning using linodes for mail servers.
//Martin
_Brian
Linode Staff
Hey @grauschnabel
From my previous message:
We will likely continue to fall on and off the list as they continually count "impacts" against us for approved behavior that has nothing to do with spam.
We do not have control over the criteria that UCEPROTECT uses to count impacts, and many of the things that they count as impacts are not things that are malicious or at all related to spam.
But now it does affect me. I couldn't write to the teacher of my son.
Does the bounce message you received from the recipient mail server mention UCEPROTECT or something else? You should include the full error message in a Support ticket so that our team can address the root cause of the issue.
Hi there.
We are experiencing the same issue on our LINODE. How do we remedy this?
Thank you
@gishua --
I suggest you follow @_Brian's advice:
Does the bounce message you received from the recipient mail server mention UCEPROTECT or something else? You should include the full error message in a Support ticket so that our team can address the root cause of the issue.
Linode's ASN seems to be a permanent fixture on UCEPROTECT's RBLs. None of the major email providers use them (probably because UCEPROTECTs reputation as a blackmail scheme is well-known…and they can't afford the bad press). I know M$ doesn't use them. I doubt Gmail does either.
I suspect there may be some other reason…like the current royal screw-up with respect to Office365 and Outlook.com (an M$ problem).
-- sw
We've been caught by this UCEProtect too, causing a serious issue for delivery of email. The main impact is to an Outlook/MS mail service client, who cannot receive email.
Our linode system sends out email to a notification list (subscription only list), so it's a pain that almost 1/3 of the recipients in a particular company can't get their emails from us.
This is causing us a serious issue. We've been in touch with Linode support, who will give us a new IP address not in the current ASN blacklisted block. We shall see how this goes.
It's very frustrating and something needs to be done.
I guess at this point Linode needs two different ASNs: one for users who are not security reasearchers (or similar), and thus do not produce spam, and one for those who do.
Then, crack down on any spam in the first ASN. That would solve the UCEPROTECT issues, and als improve our scores for e.g. Microsoft and the likes.
@tchernobog --
UCEPROTECT is an extortion racket. Why should Linode reward these guys' behavior by doing anything?
Maybe, finally, Linode's new owners will sue the holy s*** out of them. That's the only thing UCEPROTECT deserves.
-- sw
We're seeing the same thing right now -- I have a Linode that I use for my email, and it doesn't send out spam.
The whole ASN is blocked, so many clients aren't receiving emails at all.
Linode is an attractive platform for spammers and it's a good thing that UCEPROTECT have banned their ASN. A world without dimwitted spammers and marketeers is a better world. Those complaining about this issue are not seeing beyond their selfish needs. Use a smart host like SES.
Linode is an attractive platform for spammers and it's a good thing that UCEPROTECT have banned their ASN.
The presence or absence of spammers on Linode's platform and/or Linode's attractiveness thereto has nothing to do with Linode's ASN being listed on UCEPROTECT.
UCEPROTECT is an extortion racket. It makes no sense for Linode to pay their "de-listing fees" (i.e., the blackmail).
Those complaining about this issue are not seeing beyond their selfish needs. Use a smart host like SES.
I could say the same about you. Do you work for or get kickbacks from SES?
-- sw