Ask HN: DigitalOcean IPs added to UCEPROTECTL3 Spam list and they want money?
8 points by codegeek on Feb 8, 2021 | hide | past | favorite | 10 comments
This is becoming a real issue for our customers and I was wondering if anyone else has faced something similar.

Apparently, a lot of DigitalOcean IPs are added to some SPAM database called UCEPROTECT [2] and I just found out that some large companies (Microsoft/Outlook, Exchange etc.) use this list to block emails from an entire domain IF this domain is on this list.

DO is one of our primary server providers and it looks like tons of their IPs are on this list by default, because we 100% don't do any spamming. We run a legitimate SaaS business and this is very concerning as a customer who pays thousands of dollars a month to DO.

The part that is really troubling is that now, to unblock a specific IP, we have to PAY these guys. The amount is not the issue for me but as a principle, it feels like a ransom and I absolutely hate paying a random 3rd party when I know we are not at fault directly.

Does anyone at HN know what's going on here?

I googled DO's support on this and found that they are replying with generic answers on this, which is not good enough [0]. Also found an interesting reddit article on this [1].

[0] https://www.digitalocean.com/community/questions/how-to-removed-my-ip-as-blacklisted-in-uceprotectl3-spam

[1] https://www.reddit.com/r/sysadmin/comments/eur4ju/removal_from_uceprotectl3_blacklist/

[2] http://www.uceprotect.net/

UceProtect have operated this way for a very long time. It upsets a lot of people who are on shared networks like DO. Unfortunately the best you can do is move your commercial email to a paid system such as an email marketing company that deals with email campaigns. An alternate option would be to wait for the block to time out, but that can be weeks assuming the spammers on DO have been stopped. The payment UceProtect accepts is to bypass the timers. It is akin to paying bail, but you should not do it unless you know the spammers have been stopped. The bigger VPS providers such as Amazon and Azure have their own email services you can use. The smaller VPS providers get abused a lot and it takes too long for their teams to respond to the UCE complaints. This is why their AS numbers, CIDR blocks and smaller netblocks get blocked by UceProtect, SpamCop and other RBLs/RSLs frequently.

It is not an issue of emails on our end. We don't even use DO for emails. We use 3rd party providers (SendGrid/SES etc.). The issue is that our client's email service is being blocked by some of their customers who are using this list. So basically we are being punished because DO allows spammers in general. So yea, only option is to move to AWS etc. for hosting.

Added a comment in another thread below that may be worth looking into first.

I run a personal web server from my home. I have found Digital Ocean IP addresses as a frequent source of stupid web server hack attempts (e.g. trying to hack WordPress - I don't run WordPress). I sent complaints to their abuse department to no effect, so I now block all the Digital Ocean netblocks that show up in my logs.

My conclusion is that Digital Ocean doesn't care if their tenants run hacks and scams.

FWIW, I rarely get scans from AWS. When I do, I report it - I get a response email logging the complaint and a day or two later I get a follow-up email closing the ticket and saying "it's been taken care of."

I've just been alerted to this same issue. I have a site hosted with DigitalOcean (i.e. the domain A records resolve there) and use G-Suite for my emails. Would this affect the reputation of my emails, simply because the domain is associated with the blacklist? Surely unless I was trying to send emails from the DigitalOcean server itself, it wouldn't make any difference?

Yes, this is exactly what's happening to us/our customers. We are not using DO for any emails. But because the domain itself is blacklisted on UCEPROTECTL3, some of our customers' users are blocking email from their domain completely. Everyone is confused WTF is going on.

Could it be two issues going on at the same time? UceProtect blacklists AS numbers (netblocks belonging to an org), CIDR blocks and individual IPs. They don't block domain names. Other RSLs do block domain names. If your website domain is hosted on DO but your email does not originate from their netblocks, then the blacklisting is occurring elsewhere.

Did you get the email headers from a customer that is reporting this? You can analyze the headers to see who is flagging you. Are your emails generated on DO and you relay through another service (SES), but you are not obfuscating the DO header that your MTA injects? [1]

[1] - https://major.io/2013/04/14/remove-sensitive-information-fro...
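One way to do the header analysis suggested in this comment, as an added example that is not code from any commenter: it pulls the public relay IPs out of a message's Received: chain (the hop a VPS-originated message leaves behind even when relayed through a third-party sender) and builds the reversed-octet names an IP-based DNSBL lookup would resolve. The sample message and its hostnames are constructed, and the UCEPROTECT Level 3 zone name in the usage block is an assumption, not taken from the thread.

```python
"""Added example (not from the thread): walk a message's Received: chain,
list the public relay IPs, and build their reversed-octet DNSBL lookup names."""
import email
import ipaddress
import re
from email import policy

# Constructed sample (headers only): mail generated on a VPS (203.0.113.45)
# and relayed through a third-party sender (198.51.100.7); both are
# documentation addresses, not real hosts.
SAMPLE = """\
Received: from outbound.relay.example (outbound.relay.example [198.51.100.7])
\tby mx.customer.example with ESMTPS; Mon, 8 Feb 2021 10:00:00 +0000
Received: from app01.saas.example (app01.saas.example [203.0.113.45])
\tby outbound.relay.example with ESMTP; Mon, 8 Feb 2021 09:59:58 +0000
Received: from localhost (localhost [127.0.0.1])
\tby app01.saas.example (Postfix) with ESMTP; Mon, 8 Feb 2021 09:59:57 +0000
Subject: Invoice
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Hops in these ranges are the sender's own infrastructure; public
# blocklists never list them, so they are skipped.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

def relay_ips(raw_message):
    """Public IPv4 relays from Received: headers, closest to the final
    receiver first (MTAs prepend Received:, so header order is hop order)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        for ip in BRACKETED_IPV4.findall(str(hdr)):
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in INTERNAL) or ip in ips:
                continue
            ips.append(ip)
    return ips

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone; a listed IP makes this name
    resolve. The UCEPROTECT L3 zone name used in __main__ is an assumption."""
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":
    for ip in relay_ips(SAMPLE):
        print(ip, "->", dnsbl_query_name(ip, "dnsbl-3.uceprotect.net"))
```

The second hop it reports (203.0.113.45) is the one a receiver matches against a netblock-level list even though the message left through the relay; that is the header the linked article describes stripping.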

I appreciate this info. Will run it by the team to get more info. But don't you think DO should take action to block spammers so that other genuine customers' IP blocks are not added by default to this type of list?

I absolutely agree that all VPS and server providers should do their best to deal with UCE, malware, bots and related mischief. I would add that they should make some effort to reach out to RBLs and RSLs to delist their address ranges. It would be up to a number of their customers to push for such changes before they would likely prioritize it.

I would even go as far as to suggest that both they and their customers should have aliases on all domains for spam@, uce@, postmaster@, abuse@, malware@ and security@ that route to a distribution list or mailbox that the domain holder responds to that same day. Back in the day, that was a requirement to varying degrees to sign up for any of the big email campaign providers.

Every domain holder should also have a proper DNS DMARC rule with a reporting email address listed. Example using ycombinator.com [1]

  [1] dig +short _dmarc.ycombinator.com txt

  "v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@ycombinator.com,mailto:re+gewxcbuqfmh@inbound.dmarcdigests.com; aspf=r; pct=100"
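A checker for the kind of record shown in the dig output above, as an added example that is not code from any commenter: it parses the DMARC tag=value syntax and reports whether the record carries a valid policy and a rua= reporting address. The sample record is the ycombinator.com one quoted above; nothing here queries DNS.

```python
"""Added example (not from the thread): parse a DMARC TXT record and report
whether it carries a usable policy and an aggregate-report (rua=) address."""

# The ycombinator.com record quoted in the thread above.
RECORD = ("v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@ycombinator.com,"
          "mailto:re+gewxcbuqfmh@inbound.dmarcdigests.com; aspf=r; pct=100")

VALID_POLICIES = {"none", "quarantine", "reject"}
LIST_TAGS = ("rua", "ruf")  # comma-separated lists of report URIs


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict in record order; rua/ruf
    become lists. Unknown tags are kept so callers can inspect them."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tag, value = tag.strip(), value.strip()
        tags[tag] = ([v.strip() for v in value.split(",") if v.strip()]
                     if tag in LIST_TAGS else value)
    return tags


def dmarc_findings(tags):
    """Return a list of findings; empty means the record starts with
    v=DMARC1, has an enforcing policy and a mailto: reporting address."""
    findings = []
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    pol = tags.get("p")
    if pol not in VALID_POLICIES:
        findings.append("missing or invalid p= policy")
    elif pol == "none":
        findings.append("p=none only monitors; receivers take no action")
    rua = tags.get("rua")
    if not rua:
        findings.append("no rua= address, so no aggregate reports arrive")
    elif not all(uri.startswith("mailto:") for uri in rua):
        findings.append("rua= entries must be mailto: URIs")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append("pct= must be an integer from 0 to 100")
    return findings


if __name__ == "__main__":
    for line in dmarc_findings(parse_dmarc(RECORD)) or ["no findings"]:
        print(line)
```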

They make an attempt. UCEPROTECT is nearly an extortion racket. Search for "uceprotect lowendtalk" or "uceprotect webhostingtalk" and it's nothing but providers complaining about being forced to pay $600 or they stay listed for a year per entry, including terminated spammers that lasted an hour.
