UCEPROTECT Blacklist Policy LEVEL 2

It can be assumed that if your email servers are repeatedly receiving spam from various IP addresses within a net block, then it is either several compromised computers within the IP pool or the IP range of a spam company. It is also reasonable to assume that you will not usually receive important / real emails from such IP blocks, because no professional service provider would put their "smarthost" email servers into the same IP address space as dynamic / dialups.

In order to stop spam from IP blocks already known to be a spam source, Level 2 is generated. UCEPROTECT-Level 2 automatically escalates within the allocation if the number of UCEPROTECT-Level 1 listed abusive hosts grows over predefined thresholds within 7 days.

Allocations smaller than /26 will be Level 2 listed immediately if only a single IP gets listed at Level 1, and a /25 if 2 IPs get listed at Level 1 for abuse within 7 days. Starting at /24, which is listed if more than 4 abuser IPs are Level 1 listed, further escalation can be calculated by the following formula:

Netmask - 1 = Abusers + (Abusers at Netmask + 1)

Thus a /23 gets Level 2 listed if more than 9 abuser IPs, a /22 if more than 14 abuser IPs, a /21 if more than 24 abuser IPs have joined Level 1, etc. This helps control situations that are rapidly escalating in volume.

Clean IPs inside such spammy networks which are registered at ips.whitelisted.org are excluded from Level 2 to prevent false positives.

Additionally, and independent of Level 1 listings, a network can get listed at Level 2 manually and permanently when it is suspected that it was specially created for spamming. This suspicion is given in principle if:

- The provider rotates spammers / abusers within the network.
- The network or parts of it are assigned to a well known spammer / spamsupporter / listwashing service / botnet operator / malware distributor.
- The provider blocks IP addresses or netranges of blacklists, to enable their spammers to fly safely under the blacklists' radar (evasion tactics).
- A striking disparity exists between legit mail and spam.

NOTE: By using Level 2 blocking, be prepared to lose a few mails too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!

While it is unlikely, there is a possibility of blocking a few required emails by using the Level 2 blacklist, though it can be easier to use Level 2 and whitelist the required sender IP addresses. If you fear losing email, you can also incorporate Level 2 into a scoring system, giving e.g. 4 points on a 'match' where 5 or more points trigger a spam tag.

We recommend the use of Level 2 blocking in cases where our Level 1 is not proving to be effective enough against spammers. If you are a true BOFH you would logically block using all of our levels.

To get an idea of how UCEPROTECT-Level 2 and other blacklists performed within the last 4 weeks, see the statistics measured at the real mailflow of several authorities in Germany, Austria and Switzerland.
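The escalation rule described above can be checked against your own allocation with a short script. This is an added example, not UCEPROTECT's code: it uses only the thresholds this page states (IPv4, /21 to /25, and anything smaller than /26), returns no decision for prefix lengths the page gives no number for, and the function names, addresses and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import IPv4Address, IPv4Network

WINDOW = timedelta(days=7)  # Level 1 listings only count within 7 days

# Minimum distinct Level 1 listed IPs that trigger a Level 2 listing.
# "more than 4" is encoded as 5, and so on. /26 and anything larger than
# /21 are absent on purpose: the page states no number for them.
MIN_ABUSERS = {25: 2, 24: 5, 23: 10, 22: 15, 21: 25}

def min_abusers(prefixlen):
    """Return the trigger count for a prefix length, or None if not stated."""
    if prefixlen > 26:  # "smaller than /26": a single Level 1 listing suffices
        return 1
    return MIN_ABUSERS.get(prefixlen)

def level2_status(allocation, level1_events, whitelisted, now):
    """Evaluate one allocation against (ip, listed_at) Level 1 events."""
    net = IPv4Network(allocation)
    need = min_abusers(net.prefixlen)
    # Distinct hosts only: repeat listings count once, old listings expire.
    abusers = {IPv4Address(ip) for ip, seen in level1_events
               if IPv4Address(ip) in net
               and timedelta(0) <= now - seen <= WINDOW}
    listed = need is not None and len(abusers) >= need
    # Whitelist-registered IPs inside a listed network are excluded from it.
    exempt = sorted(a for a in map(IPv4Address, whitelisted) if a in net)
    return {"abusers": len(abusers), "needed": need, "listed": listed,
            "exempt": [str(a) for a in exempt] if listed else []}

# Constructed sample data (documentation address ranges, made-up times).
NOW = datetime(2024, 1, 15, 12, 0)
EVENTS = [
    ("192.0.2.10", NOW - timedelta(days=1)),
    ("192.0.2.10", NOW - timedelta(hours=2)),  # same host again: counted once
    ("192.0.2.20", NOW - timedelta(days=2)),
    ("192.0.2.30", NOW - timedelta(days=3)),
    ("192.0.2.40", NOW - timedelta(days=6)),
    ("192.0.2.50", NOW - timedelta(days=9)),   # outside the 7-day window
    ("203.0.113.5", NOW - timedelta(days=1)),
]
WHITELIST = ["192.0.2.99", "203.0.113.7"]  # stands in for ips.whitelisted.org

if __name__ == "__main__":
    for alloc in ("192.0.2.0/24", "192.0.2.0/25", "203.0.113.0/28"):
        print(alloc, level2_status(alloc, EVENTS, WHITELIST, NOW))
```

With this sample data the /24 stays unlisted at four abusers in the window, while the same four hosts are enough to list the /25, which shows why the allocation size recorded for your range matters.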