Uceprotect Hijinks
1 point by ignatz on Aug 19, 2023 | 1 comment
I'm pretty sure everyone knows what an RBL (Realtime Black List) is. It's a more than imperfect attempt to identify offenders on the 'Net--spammers, phishers, etc.

Why imperfect? Because there is no one RBL site. There are, literally, dozens if not hundreds. And there is no universal guide or standard for operation--how sites are flagged, how they can be removed, or what the trust level of the RBL may be.

Some are very good--they have reliable reporting and analysis mechanisms in place, are responsive to reports of false positives, etc.

Some are horrendous--they are badly designed and implemented, or are unresponsive to reports of false positives (this is especially bad for RBLs located in uncooperative countries, such as China), or have "died"--are no longer funded/maintained, etc.--but are still reporting results.

And worst of all--there are "aggregator" sites that are in use by various organizations and individuals. These query a bunch of RBLs and other flagging sites, and return an aggregate result. Some of them give a rating; others just return PASS/FAIL based on as little as one negative result from a single RBL or other flagging site. Tracking these down and squashing them, one by one, is a skill I never wanted to have to develop.

But now there's one I hadn't seen before that seems worse than ever.

It's called UCEPROTECT. It appears the domain, uceprotect.net, was created on 05/14/2023. And it's the worst one I've encountered yet. Take a look at

  https://www.uceprotect.net/en/rblcheck.php

Essentially, you can end up on it not because YOU did anything wrong, but because THEY decided that your ISP has a bad reputation. For instance, my static IP is from Comcast. In the past couple of days, I've gotten notifications that E-Mail from me hasn't been delivered due to rejection as a site listed as a spammer. Once I looked into this, I found I'm only listed on UCEPROTECT as a "Level 2" failure. It explicitly states at the site that my IP is NOT listed as a "Level 1" site--it isn't spamming.

But the Comcast Network subnet I'm in HAS been listed as a "Level2" offender. The entire block of addresses--including mine--is returned as a risk.

You can't request exclusion--there is no false positive reporting mechanism. You have to wait 7 days--and hope that NOBODY in the block spams in the next week. BTW, my block at Comcast is 173.160.0.0/13--which means 524286 addresses are in that block.

But UCEPROTECT advertises on the test page that you can go to ips.whitelisted.org to be whitelisted. If you go there, they cheerfully tell you that you're in UCEPROTECT's Level-2 Netrange, and can register for 1, 6, 12, or 24 months--at 25, 50, 70, or 90 CHF. Had to look that up--it's Swiss francs.

I'm smelling collusion. This domain was registered long before UCEPROTECT--back on 06/27/2007--but I'd love to know who owns it now. I'd love to know who owns uceprotect.net. Unfortunately, with ICANN allowing "domain privacy", you can't know this.

I'm starting with a complaint to Comcast. But next I'm going to see what I can find out about these guys.

ADDENDUM: Noticed a button on the UCEPROTECT page that Comcast could click for "Express" delisting. It purports to do so--for 249 CHF. Swiss francs, same as from the whitelisting.org site they pointed to.
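
The difference between an aggregator that returns FAIL on any single hit and a receiver that weights each list by scope and health, as an added example that is not part of the original post. The list names, weights, threshold and sample addresses are constructed assumptions, and list answers are embedded inline instead of being fetched over DNS.

```python
import ipaddress

# Constructed sample data: list names, scopes, weights and entries are
# assumptions for illustration, not the configuration of any real RBL.
LISTS = {
    # Lists individual addresses that were seen sending spam.
    "ip-level.example": {"weight": 5, "listed": ["198.51.100.7/32"]},
    # Lists a whole provider block because of other addresses inside it.
    "range-level.example": {"weight": 1, "listed": ["173.160.0.0/13"]},
    # Unmaintained list that still answers "listed" for every query.
    "stale.example": {"weight": 0, "listed": ["0.0.0.0/0"]},
}
REJECT_AT = 5  # assumed rejection threshold for the weighted policy


def hits(ip):
    """Return the names of all lists whose entries cover this address."""
    addr = ipaddress.ip_address(ip)
    return sorted(
        name
        for name, cfg in LISTS.items()
        if any(addr in ipaddress.ip_network(net) for net in cfg["listed"])
    )


def any_hit_verdict(ip):
    """Aggregator behaviour from the post: one negative result means FAIL."""
    return "FAIL" if hits(ip) else "PASS"


def weighted_verdict(ip):
    """Score hits by list weight so a block-wide or dead list cannot reject alone."""
    score = sum(LISTS[name]["weight"] for name in hits(ip))
    return ("FAIL" if score >= REJECT_AT else "PASS"), score


if __name__ == "__main__":
    # Constructed addresses: one inside the /13 from the post, one listed
    # individually, one listed nowhere except the dead list.
    for ip in ("173.160.10.20", "198.51.100.7", "192.0.2.1"):
        print(ip, hits(ip), any_hit_verdict(ip), weighted_verdict(ip))
```
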