MaynardKrebs (Premium Member, join:2009-06-17)

Anyone here ever been screwed by these bastards?

Some RBL services are blocking entire IP ranges based upon the AS record - and not individual IP addresses. In particular, there is a RBL called UCEPROTECT which is particularly nasty in this respect, and affects ALL customers of the AS holder. Seems like an extortion scheme to me.

»www.uceprotect.net/

P.S. Looks like they've been at it a long time... »Argg.... UCEPROTECT... very frustrating!

michaelkors (Anon, @206.47.249.x)

Can somebody explain Maynard's post in plain English? What is an RBL, and how do I know they blocked me? I can get onto the internet and browse web pages, but how and why does this affect me?
JMJimmy (Member, join:2008-07-23)

They're an email spam blocker from the looks of it. Not unusual for temporary IP bans to stop scripts.
HeadSpinning (Member, MNSi Internet, join:2005-05-29, Windsor, ON)

said by JMJimmy:

They're an email spam blocker from the looks of it. Not unusual for temporary IP bans to stop scripts.

Yeah, but blocking a /24 would be considered drastic. Whacking the entire AS is just stupid. I can't imagine anyone who understands what they're doing actually using them.

sm5w2 (Premium Member, join:2004-10-13, St Thomas, ON) to MaynardKrebs

When a mail server is contacted by some external machine with IP a.b.c.d to deliver some mail, the receiving server can check the "reputation" of IP address a.b.c.d with any number of DNSBL or "black-list" servers in order to make a quick decision as to whether or not a.b.c.d is a trojanized zombie PC that is part of a botnet network and thus the email attempting to be delivered will 100% be spam.

I find it absolutely hilarious that Maynard is directing his anger at the particular blacklist (UCEprotect in this case) instead of the administrators of the remote server that have chosen to hook their server into UCEprotect and, by so doing, are causing problems for the delivery of his mail.

The use of these blacklist servers is by choice. If they are found to be overly broad in the IP's that they list, then their use will cause too many problems for the mail-server operator that chooses to use them (too many of his users will not be receiving legit mail and hence will be complaining to him).

Just for a data point - I've been operating a mail server at $dayjob since 1999, and I have over 9,000 IP ranges entered into my server's own local blocking list, including about 50 Class-A networks. A Class-A network contains a lot of IP addresses. If I want to block all of Latin and South America, about 8 Class-A entries are needed (and I block them all). Same with Africa.

When any work account receives a new spam, say it comes from IP address A.B.C.D, I enter A.B.0.0/16 into my server's blocking list right off the bat. I *will* do a historical check to see if I've ever received legit mail from A.B.0.0/16, and if not, then the entry stays. That's how I deal with spam. Blocking A.B.C.0/24 is for the birds. Completely ineffective.

My server has thus far this year rejected over 350,000 separate SMTP connections based on IP alone. That's about 1 attempt every 48 seconds.

And by the way, Maynard, your subject line could have been MUCH more useful if it stated more clearly what your beef was about. Being screwed by bastards could mean any one of several thousand things.
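As an added illustration of the two mechanisms sm5w2 describes above (a receiving server checking a connecting IP against a DNSBL, and a local blocking list that grows by /16 on each new spam, subject to a historical check for legitimate mail from that /16), here is example code that is not from the thread or from any blacklist operator. The DNS resolver is a constructed in-memory stand-in so the code runs offline; the zone name `dnsbl.example.invalid`, the `FAKE_DNS` table and all addresses (taken from the TEST-NET documentation ranges) are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# ---- DNSBL lookup mechanics -------------------------------------------------
def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name an MTA resolves to ask `zone` about `ip`: the octets are reversed
    and the zone appended, so 1.2.3.4 checked against bl.example becomes
    4.3.2.1.bl.example."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

# Constructed stand-in for DNS. A real DNSBL answers a listed name with an A
# record in 127.0.0.0/8 (the last octet encodes the reason) and NXDOMAIN
# otherwise; the zone name here is a placeholder, not a real list.
FAKE_DNS: Dict[str, str] = {
    dnsbl_query_name("203.0.113.45", "dnsbl.example.invalid"): "127.0.0.2",
}

def resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

def is_listed(ip: str, zone: str) -> bool:
    """True only for an answer inside 127.0.0.0/8. Any other address means a
    misconfigured or wildcarded zone and must not be treated as a listing."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

# ---- Local CIDR blocklist with the /16 auto-add rule ------------------------
class LocalBlocklist:
    def __init__(self, networks: Iterable[str] = ()):
        self.networks: List[ipaddress.IPv4Network] = [
            ipaddress.IPv4Network(n) for n in networks
        ]

    def blocks(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net for net in self.networks)

    def add_for_spam(self, spam_ip: str, legit_history: Iterable[str]) -> Optional[str]:
        """On a new spam from A.B.C.D, add A.B.0.0/16 unless legitimate mail has
        ever been accepted from that /16 (the historical check). Returns the
        network added, or None when history vetoes it."""
        candidate = ipaddress.IPv4Network(f"{spam_ip}/16", strict=False)
        if any(ipaddress.IPv4Address(h) in candidate for h in legit_history):
            return None
        if candidate not in self.networks:
            self.networks.append(candidate)
        return str(candidate)

def connection_verdict(ip: str, blocklist: LocalBlocklist, zones: Iterable[str]) -> str:
    """Decision an MTA makes at SMTP connect time, before any mail is read:
    local list first (no network round trip), then each configured DNSBL."""
    if blocklist.blocks(ip):
        return "reject: local blocklist"
    for zone in zones:
        if is_listed(ip, zone):
            return f"reject: listed in {zone}"
    return "accept"

if __name__ == "__main__":
    bl = LocalBlocklist(["10.0.0.0/8"])              # constructed starting list
    legit = ["198.51.100.7"]                          # constructed accepted-mail history
    print(bl.add_for_spam("203.0.113.45", legit))     # adds 203.0.0.0/16
    print(bl.add_for_spam("198.51.100.200", legit))   # None: legit mail seen in 198.51.0.0/16
    print(connection_verdict("203.0.99.1", bl, ["dnsbl.example.invalid"]))
```

The order in `connection_verdict` matters in practice: the local list costs nothing, while every DNSBL zone is a DNS round trip per connection, and the 127.0.0.0/8 check guards against a zone that has gone dead and started answering everything (a known failure mode that turns a blacklist into a block-everything rule).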
MaynardKrebs (Premium Member, join:2009-06-17)

I know that the various mail administrators who choose to use UceProtect are basically smart as bricks.

What I don't understand is how an outfit like that manages to stay in business. They can hold entire ISPs up for ransom, and they are NOT quick about unblocking IPs either.

sm5w2 (Premium Member, join:2004-10-13, St Thomas, ON)

If you are (or a mail server you administer is) trying to send mail to Person-X, and the mail server used by Person-X is blocking your mail because of UCEprotect, and if Person-X thinks that your mail is important enough to receive, then X needs to ask his mail administrator to drop UCEprotect and use another DNSRBL (or don't use UCEprotect level 3 but dial it back to level 2 or 1).
Cyborg994 (Member, join:2005-04-18, Montreal, QC) to MaynardKrebs

Happened to a few places I worked for. They are assholes; we ended up changing the IP, anything else was too long and cumbersome (not the whole AS was blacklisted, only a specific IP).

Best to contact the destination domain to tell them to whitelist or better, disable this list, it is filled with legitimate domains. Almost no one is giving them any weight anymore, but a few small providers still do (clueless admins, usually enable almost everything without thinking)...
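The two remedies suggested in the posts above are both receiving-side decisions: sm5w2's (honour only a narrower listing level, 1 or 2 rather than 3) and Cyborg994's (whitelist the sender at the destination). The following added example, which is not code from the thread or from any blacklist operator, models how those settings change the verdict and makes the collateral damage of each level countable. The level semantics (1 = one IP, 2 = the surrounding netblock, 3 = everything in the sender's AS) are an assumed model of the thread's description, and the senders, AS numbers and listings are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Listing scopes as the thread describes them: level 1 hits one IP, level 2
# the netblock around it, level 3 everything announced by the sender's AS.
# This is a model of that description, not any list's real data format.
@dataclass(frozen=True)
class Listing:
    level: int
    target: str   # "203.0.113.45", "203.0.113.0/24" or "AS64500"

@dataclass(frozen=True)
class Sender:
    ip: str
    asn: str      # constructed IP->AS mapping; an MTA would get this from routing data
    spams: bool   # ground truth used only to measure collateral damage

def matches(listing: Listing, sender: Sender) -> bool:
    addr = ipaddress.IPv4Address(sender.ip)
    if listing.level == 1:
        return addr == ipaddress.IPv4Address(listing.target)
    if listing.level == 2:
        return addr in ipaddress.IPv4Network(listing.target)
    if listing.level == 3:
        return sender.asn == listing.target
    raise ValueError(f"unknown level {listing.level}")

def verdict(sender: Sender, listings: Iterable[Listing], max_level: int,
            whitelist: Iterable[str] = ()) -> str:
    """Receiving-side policy: a recipient-side whitelist wins, then only
    listings at or below the level the admin chose to honour are enforced."""
    if sender.ip in set(whitelist):
        return "accept (whitelisted)"
    for lst in listings:
        if lst.level <= max_level and matches(lst, sender):
            return f"reject (level {lst.level}: {lst.target})"
    return "accept"

def collateral(population: Iterable[Sender], listings: Iterable[Listing],
               max_level: int) -> Dict[str, int]:
    """Count how many real spam sources and how many innocent senders a given
    level setting rejects, to make the level-3 trade-off visible."""
    out = {"spammers_rejected": 0, "legit_rejected": 0}
    for s in population:
        if verdict(s, listings, max_level).startswith("reject"):
            out["spammers_rejected" if s.spams else "legit_rejected"] += 1
    return out

# Constructed population: one infected host and three clean senders sharing its
# /24 or AS, plus one clean sender in an unrelated AS.
POPULATION: List[Sender] = [
    Sender("203.0.113.45", "AS64500", spams=True),
    Sender("203.0.113.10", "AS64500", spams=False),
    Sender("203.0.113.200", "AS64500", spams=False),
    Sender("203.0.114.9", "AS64500", spams=False),
    Sender("198.51.100.7", "AS64501", spams=False),
]
LISTINGS: List[Listing] = [
    Listing(1, "203.0.113.45"),
    Listing(2, "203.0.113.0/24"),
    Listing(3, "AS64500"),
]

if __name__ == "__main__":
    for level in (1, 2, 3):
        print(level, collateral(POPULATION, LISTINGS, level))
```

With this sample, honouring level 3 rejects the single spam source and three clean senders; level 1 rejects only the spam source. That ratio is the quantity a mail administrator should be measuring before enabling a broad listing level, and a whitelist entry is the narrow override for a specific correspondent when the level cannot be changed.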

elwoodblues (Premium Member, join:2006-08-30, Somewhere in) to sm5w2

I did that at work, and got screamed at by the powers that be that they weren't getting their emails.

I gave them a choice: be spammed, or let me work with the sending server's admin.
Ree (Member, join:2007-04-29, h0h0h0) to sm5w2

said by sm5w2:

Just for a data point - I've been operating a mail server at $dayjob since 1999, and I have over 9,000 IP ranges entered into my server's own local blocking list, including about 50 Class-A networks. A Class-A network contains a lot of IP addresses. If I want to block all of Latin and South America, about 8 Class-A entries are needed (and I block them all). Same with Africa.

When any work account receives a new spam, say it comes from IP address A.B.C.D, I enter A.B.0.0/16 into my server's blocking list right off the bat. I *will* do a historical check to see if I've ever received legit mail from A.B.0.0/16, and if not, then the entry stays. That's how I deal with spam. Blocking A.B.C.0/24 is for the birds. Completely ineffective.

I'm curious if you look at how often legitimate mail gets dropped due to the /16 and continent-wide blocks?
r5a (Member, join:2006-02-05, Toronto, ON) to MaynardKrebs

Good thing nobody uses that RBL.

As long as you're not in Barracuda, Spamhaus or SORBS you'll be fine.

Any blacklist that charges money for removal is generally considered a waste of time and not a legitimate source.
MaynardKrebs (Premium Member, join:2009-06-17)

About a year ago UCEprotect hit my hosting provider - they had a /16 - and blocked the whole freakin' thing for 7 days, apparently due to about 200 IPs of that /16 which were causing problems.

Unfortunately, some of the domains I needed to communicate with actually used UCEprotect. Took us a while to figure out what happened.

sm5w2 (Premium Member, join:2004-10-13, St Thomas, ON) to Ree

> I'm curious if you look at how often legitimate mail gets dropped
> due to the /16 and continent-wide blocks?

Anywhere from 1 to 4 times a year. I poke a hole in the blocking list whenever that happens. Our "Contact Us" page has a gmail contact address (which is forwarded to us) so people can always use that as a last resort.

Unlike most small businesses, we sell globally, so it's not unusual to get email from countries with advanced economies. That still leaves a lot of countries easily blockable. Any company with a more limited geographic footprint should be more able than us to block more of the global IPv4 address space as an anti-spam measure. Unfortunately, ISPs like Comcast, Verizon and Road Runner still allow their residential customers to send direct-to-MX on port 25. And I'm still seeing the odd Bell/Sympatico IP hit us on port 25.

It's really amazing how many bott'd PC's there are out there. Just looking at the volume of Connection-Refused attempts hitting our mail server over the years, it really does seem that there's an infected host on every active /24 subnet on the internet.

For POP access to our server from outside our LAN (for our people that check mail from home or cell phone) I changed the port-routing on our router from port 110 to something else - because of the POP login attacks.
Ree (Member, join:2007-04-29, h0h0h0)

Yeah, I can see how even an international company can block some countries from sending email. I was more interested in how often blocking a /16 would result in lost mail.

I would have expected a lot more than a handful of lost messages, since for example my company has a /16 and so the whole company would be prevented from reaching you if a single infected PC spammed you and got our /16 on your blacklist.

sm5w2 (Premium Member, join:2004-10-13, St Thomas, ON)

> Yeah I can see how even an international company can block some countries
> from sending email, I was more interested in how often blocking a /16 would
> result in lost mail.

Just to be clear, I'm not blocking any countries from sending mail - I'm preventing my server from accepting mail. Be it from /16 net-blocks that I have no interest in finding out who operates / owns / uses them, or /8 net-blocks assigned to a particular geographical area of the planet.

> I would have expected a lot more than a handful of lost messages, since for
> example my company has a /16 and so the whole company would be prevented
> from reaching you if a single infected PC spammed you and got our /16 on
> your blacklist.

I would sincerely hope that your company would not allow every given machine on your /16 IP net-block to be able to send direct-to-mx (port 25) mail out of your network to the internet at large. If there is a reason why your company would not have (and force the use of) a handful of dedicated out-bound servers to handle outgoing mail from your network, I'd like to hear it.
Ree (Member, join:2007-04-29, h0h0h0)

said by sm5w2:

Just to be clear, I'm not blocking any countries from sending mail - I'm preventing my server from accepting mail. Be it from /16 net-blocks that I have no interest in finding out who operates / owns / uses them, or /8 net-blocks assigned to a particular geographical area of the planet.

Yeah I realized that's what you meant, by "sending email" I meant "sending email to its employees" (and really the whole sentence could have been worded better).
said by sm5w2:

I would sincerely hope that your company would not allow every given machine on your /16 IP net-block to be able to send direct-to-mx (port 25) mail out of your network to the internet at large. If there is a reason why your company would not have (and force the use of) a handful of dedicated out-bound servers to handle outgoing mail from your network, I'd like to hear it.

Maybe I'm misunderstanding how your blacklist works. Say I'm friends with someone at your company, and my PC gets infected and starts sending spam to all my contacts (including the friend at your company). My PC can't direct-to-mx on 25, but if the spam is delivered through my company's mail server, won't that result in my company's /16 being blacklisted?

Or do infected PCs not typically use the SMTP settings on the infected PC, and instead route through another mail server, in which case my company's /16 wouldn't be the one getting blacklisted?

Mashiki (Member, join:2002-02-04, Woodstock, ON) to sm5w2

said by sm5w2:

I would sincerely hope that your company would not allow every given machine on your /16 IP net-block to be able to send direct-to-mx (port 25) mail out of your network to the internet at large. If there is a reason why your company would not have (and force the use of) a handful of dedicated out-bound servers to handle outgoing mail from your network, I'd like to hear it.

I know of at least 6 city governments and 2 county governments in Ontario and Alberta that do this. And they're supposedly "managed" by professional IT contractors. Needless to say, when I did a security audit of the city governments after a series of intrusions, one of which is under by the RCMP, they're still freaking doing it.

sbrook (Mod, join:2001-12-14, Ottawa)

There are three parts to most RBLs' actions.

The emphasis they put on the parts is what is at issue here really.

The first is for their users to block mail from known spam sources.

The second is to get the ISPs or upstream providers of known spam sources to take action against known spam sources that they harbour.

The third is delisting ... when the spam stops and/or the ISP or upstream provider takes action to stop the source of spam from users under their control.

These latter two are the problem with some RBLs.

Simply including the IPs used by john.spammer.invalid.com is rarely going to stop him from spamming unless he's an "accidental" spammer (i.e. someone legit who doesn't realize he's spamming in sending out his newsletter unsolicited, for example).

So, the goal is to get his ISP or upstream to take notice. A huge proportion of ISP abuse desks pay little attention. So, to get them to pay attention, including their known IP ranges in a blocklist is going to start to get some notice. The more IP ranges are added, the more attention it gets. If the ISP doesn't take action, it refers up to get the attention of the upstream. This is one of the ways Sanford Wallace's operation was brought down. He had little choice in the end of where to go, leading up to the courts taking action. No ISP wanted his business for fear of having their network blocked, never mind their email!

The speed of the escalation is a problem. When some joe.public is taken over by a spambot, it's highly inappropriate to start by blocking all of the ISP's addresses. A measured response is needed. Some RBLs add lots of addresses quickly if an ISP doesn't respond (measured by continued spam reports).

The next issue is the delisting process. Some RBLs are notoriously bad for delisting ... One says basically, once you're on the list, there's no way off. The delisting processes are inconsistent. They should be published before companies sign up to use the RBLs.

Davesnothere (Premium Member, join:2009-06-15, Canada)

One of the eMail addresses which I still maintain is a carry-over from a former local ISP of mine.

Recently, that ISP was bought out by a larger national ISP, and the admin of this address went along with it.

Even MORE recently, I tried to send a CC to this address, of a message outbound to someone else from one of my Yahoo accounts, and the CC got bounced.

I had done this occasionally in the past, and bouncing had never happened, prior to the change of ownership of my former ISP.

Fast Forward to a few days ago.

The new owner decided to change their WebMail UI, and now uses RoundCube, which is a very flexible and feature-laden open-source WebMail UI, to which add-ons can also be added.

One of their stated reasons for doing this was so that they could add an appointment/event calendar.

Anyway, I was browsing the RoundCube config options there, and discovered that I am now allowed to manipulate blocked domains, at least by name, and y'know what?

Yahoo was in there.

I removed it, tested, and there is no more bouncing.

sbrook (Mod, join:2001-12-14, Ottawa)

Hotmail and Yahoo! (and Gmail to a lesser extent) were historically incredible sources of spam. In recent years, as they shut down simple access to their SMTP servers, the amount of spam actually originating from their servers plummeted, even though a lot of them say they are from Hotmail addresses ... these are usually forged From: addresses, not the mail source and reply-to addresses or reply addresses embedded in the text.

Over 95% of my spam is from machines infected by spambots.

This means that these freemail sources have a history that gets them plopped into blacklists almost automatically, even though they are now rarely a spam source.