UCE Protect

Summary

Background

uceprotect.net is a DNS blacklisting service that is comprised of three distinct zones: dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, and dnsbl-3.uceprotect.net. Each zone has different listing criteria, all of which are extremely important to understand before using any zone within the service. While DNS blacklists by nature can be controversial, uceprotect.net is perhaps one of the most controversial of them all.

uceprotect.net works with over 50 other partners to help them gather information on servers that have been seen sending spam. Every tactic is used to locate which servers are sending spam, from spamtraps to third party reports, each of the 50 partners untimely communicates their findings back to uceprotect.net. From there, uceprotect.net will determine which of their three zones the IP address should be listed in.

uceprotect.net is unforgiving with their listing policy, with a core belief that “people learn by consequence”. As a result of uceprotect.net’s unforgiving listing polices, there is significant misinformation about their service written at other sources. uceprotect.net does not charge for delisting, delisting happens automatically as soon as spam has ceased, and no special treatment is given to partners or anyone in particular with regard to listing or delisting. uceprotect.net does have an expedited delisting service in which there is a fee, though it is only applicable to certain levels of listings.

Listing criteria

Listing in uceprotect.net is somewhat unique compared to other DNS blacklists, such as Barracuda Block List or Backscatter List due to the three distinct listing zones that are made available. Zones range from level one to level three. Level one contains individual IP addressees, level two listings are escalations to containing subnets surrounding level one addresses, and level three, contains even larger subnets surrounding level two listings. This listing criteria essentially covers the broadest range of IP addresses possible.

If a set of IP addresses is seen spamming, it will start with a listing in the level one list. If within seven days, that spam has not stopped, the listing will escalate to contain much broader ranges of IP addresses. Essentially a level one listing may contain up to 255 IP addresses; if that is escalated to a level two listing, the number of IP addresses may be as high as tens of thousands. Finally, if still no action is taken against the spammers, a level three listing can potentially block IP ranges that contain entire service providers, which could mean hundreds of thousands of listed IP addresses.

In all cases, it only takes spam to stop for a total of seven days, in which case the listing will be removed. Though, with such large ranges being blocked, it can often be near impossible to stop all spam from hundreds of thousands of hosts for a period of seven days. Even if such a feat were possible, as soon as another spam was detected, the listing process would start all over again.

Zones

dnsbl-1.uceprotect.net

This is uceprotect.net’s primary first level zone. If you find yourself in this blacklist, it generally means your server has inadvertently been sending spam. Track down the source of the spam, prevent it from happening again, and your IP will be delisted in seven days.

dnsbl-2.uceprotect.net

This is uceprotect.net’s secondary level zone. Allocations less than /26 will be automatically be removed if no additional abuse is detected. Allocations of /25 will be allowed to expire only if there are less than two IP addresses listed in the level one blacklist.

A /24 range will expire if four or less IP addresses remain in Level one.

uceprotect.net uses a formula for all further delisting calculations within the level two zone:

(Netmask – 1) = Abuser IP’s + (Abuser IP’s at Netzmask + 1)

For example, a /23 network range will be removed when nine or less IP addresses remain, a /22 network range will be removed if fourteen or less IP addresses remain, and a /21 network range will be removed if twenty-four or less IP addresses remain.

Furthermore, in order for a network range to be removed from a level two listing, that IP address must have already been removed from a level one listing.

Level two listings can usually only be removed at the request of your upstream service provider.

dnsbl-3.uceprotect.net

This is uceprotect.net’s third level zone. If after all the above listings in level two and level one have been worked out, and a level three listing still remains, the best you can do is complain to the ASN for which spam continues to come from, or take your business elsewhere. There is nothing an end server administrator can do to influence uceprotect.net’s level three blacklist zone.

Removal Process

As an end user administrator of an email server, you can become delisted out of the level one uceprotect.net DNS blacklist by simply correcting the spam that was seen to come from your server, and waiting seven days. If seven days is too long of a wait, for a fee of 50 Euros per IP address, you can have your addresses immediately removed.

Naturally delisting in seven days, or even paid delisting, can only happen for IP space in which you are in control of. If your IP address is a leased or shared IP address, and part of a larger network, the network owner will have to work with uceprotect.net for delisting. uceprotect.net’s policy is that it is not your responsibility to do the work of your upstream provider; the upstream must be the one to correct the problem.

A level two delisting will usually require significant work, as well as policy change on how spam is dealt with on behalf of the upstream that is providing leased or shared IP services. A level three delisting will be much like a level two delisting, however, the most challenging of all. As level three listings are comprised of large ISP’s, it may be impossible to have them make the needed changes to meet uceprotect.net’s delisting criteria. In those cases, you can search out a new provider, or chose to no longer support this particular DNS blacklist.

Related Articles

• General blacklist removal instructions
• Check to see if an IP is blacklisted
• How do I report spam?
• What is a spam trap?
• What is a DNSBL (blacklist)?
• Ask for help to diagnose and resolve listing issues