Spammer listings within the last 7 days:
Level 1: 168468 IP's, Level 2: 2971 Allocations, Level 3: 959 ASN's. Last Updated: 20.01.2021 07:04 CET

UCEPROTECT Blacklist Policy LEVEL 2
Description: Strict
Level 2 escalates within allocation

It can be assumed that if your email servers are repeatedly receiving spam from various IP addresses within a net block, then it is either several compromised computers within the IP pool or the IP range of a spam company.

It is also reasonable to assume that you will not usually receive important / real emails from such IP blocks because no professional service provider would put their “smarthost” email servers into the same IP address space as dynamic / dialups.

In order to stop spam from IP blocks already known to be a spam source, Level 2 is generated.

UCEPROTECT-Level 2 automatically escalates within the allocation if the number of UCEPROTECT-Level 1 listed abusive hosts grows over predefined thresholds within 7 days.

Allocations smaller than /26 will be Level 2 listed immediately if only a single IP gets listed at Level 1, and a /25 if 2 IP's get listed at Level 1 for abuse within 7 days.
Starting at /24, which is listed if more than 4 abuser IP's are Level 1 listed, further escalation can be calculated by the following formula:

Netmask - 1 = Abusers + (Abusers at Netmask + 1)

Thus a /23 gets Level 2 listed if more than 9 abuser IP's, a /22 if more than 14 abuser IP's, a /21 if more than 24 abuser IP's have joined Level 1, etc.

This helps control situations that are rapidly escalating in volume.

Clean IP's inside such spammy networks which are registered at ips.whitelisted.org are excluded from Level 2 to prevent false positives.
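The escalation rule and whitelist exclusion described above can be checked with a short script. This is an added example, not UCEPROTECT's own code: it assumes the formula reads as T(n-1) = T(n) + T(n+1) + 1, seeded with the stated /24 and /23 values (which reproduces the /22 and /21 figures given above), covers only IPv4 allocations of /24 and larger, and uses hypothetical function names and constructed sample addresses.

```python
import ipaddress

# Stated on the page: a /24 escalates at more than 4 abusers, a /23 at more than 9.
SEED = {24: 4, 23: 9}

def level2_threshold(prefix_len):
    """Level 1 abuser count an IPv4 allocation must exceed within 7 days.

    Assumed reading of the formula: T(n-1) = T(n) + T(n+1) + 1.
    """
    if not 0 <= prefix_len <= 24:
        raise ValueError("longer prefixes use the page's fixed rules, not the formula")
    if prefix_len == 24:
        return SEED[24]
    t_longer, t_cur = SEED[24], SEED[23]      # T(n+1), T(n) with n = 23
    for _ in range(23 - prefix_len):          # widen the allocation one bit per step
        t_longer, t_cur = t_cur, t_cur + t_longer + 1
    return t_cur

def allocation_escalates(allocation, level1_ips):
    """True if distinct Level 1 IPs inside the allocation exceed its threshold."""
    net = ipaddress.ip_network(allocation)
    abusers = {a for a in map(ipaddress.ip_address, level1_ips) if a in net}
    return len(abusers) > level2_threshold(net.prefixlen)

def ip_level2_listed(ip, allocation, level1_ips, whitelisted=()):
    """Whitelisted IPs stay unlisted even when their allocation escalates."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(allocation):
        return False
    if addr in {ipaddress.ip_address(w) for w in whitelisted}:
        return False
    return allocation_escalates(allocation, level1_ips)

# Constructed sample data (documentation and private ranges, not real listings).
ALLOC_24 = "198.51.100.0/24"
ALLOC_22 = "10.20.0.0/22"
FIVE_IN_24 = [f"198.51.100.{i}" for i in range(1, 6)]
FOURTEEN_IN_22 = [f"10.20.1.{i}" for i in range(1, 15)]

if __name__ == "__main__":
    for p in (24, 23, 22, 21):
        print(f"/{p}: listed at more than {level2_threshold(p)} abusers")
    print(allocation_escalates(ALLOC_24, FIVE_IN_24))       # 5 abusers in a /24
    print(allocation_escalates(ALLOC_22, FOURTEEN_IN_22))   # 14 abusers in a /22
    print(ip_level2_listed("198.51.100.200", ALLOC_24, FIVE_IN_24,
                           whitelisted=["198.51.100.200"]))
```

The input list is assumed to contain only Level 1 listings from the last 7 days; the caller is responsible for applying that window.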

Additionally and independent of Level 1 listings, a Network can get listed at Level 2 manually and permanently when it is suspected that it was specially created for spamming.
This suspicion generally arises if:
- The provider rotates spammers / abusers within the Network.
- The Network or parts of it are assigned to a well known spammer / spamsupporter / listwashing service / botnet operator / malware distributor.
- The provider blocks IP addresses or netranges of blacklists, to enable their spammers to fly safely under the blacklists' radar (evasion tactics).
- A striking disparity exists between legit mail and spam.

NOTE: By using Level 2 blocking, be prepared to lose a few mails too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!

While it is unlikely, using the Level 2 blacklist can block a few required emails, though it can be easier to use Level 2 and whitelist the required sender IP addresses.

If you fear losing email, you can also incorporate Level 2 into a scoring system, e.g. giving 4 points on a ‘match’ where 5 or more points trigger a spam tag.

We recommend the use of Level 2 blocking in cases where our Level 1 is not proving to be effective enough against spammers.

If you are a true BOFH you would logically block using all of our levels.

To get an idea of how UCEPROTECT-Level 2 and other blacklists performed within the last 4 weeks, see the statistics measured on the real mail flow of several authorities in Germany, Austria and Switzerland.

© Copyright 2001-2021 by UCEPROTECT-Orga - All Rights reserved ! DISCLAIMER