Level 1: 140710 IPs, Level 2: 1718 Allocations, Level 3: 16 ASNs. Last Updated: 09.04.2020 15:01 CEST
UCEPROTECT Blacklist Policy LEVEL 2
It can be assumed that if your email servers repeatedly receive spam from various IP addresses within a net block, the block either contains several compromised computers within the IP pool or is the IP range of a spam company.
It is also reasonable to assume that you will not usually receive important / real emails from such IP blocks, because no professional service provider would put its “smarthost” email servers into the same IP address space as dynamic / dial-up addresses.
Level 2 is generated in order to stop spam from IP blocks already known to be a spam source. UCEPROTECT-Level 2 automatically escalates within the allocation if the number of UCEPROTECT-Level 1 listed abusive hosts grows over predefined thresholds within 7 days. Allocations smaller than /26 will be Level 2 listed immediately if only a single IP gets listed at Level 1, and a /25 if 2 IPs get listed at Level 1 for abuse within 7 days.
Starting at /24, which is listed if more than 4 abuser IPs are Level 1 listed, further escalation can be calculated with the following formula:
Netmask -1 = Abusers + (Abusers at Netmask + 1)
Thus a /23 gets Level 2 listed if more than 9 abuser IPs, a /22 if more than 14 abuser IPs, and a /21 if more than 24 abuser IPs have joined Level 1, etc.
This helps control situations that are rapidly escalating in volume.
Clean IPs inside such spammy networks which are registered at ips.whitelisted.org are excluded from Level 2 to prevent false positives.
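As an added illustration (not UCEPROTECT's own code), the escalation thresholds, the 7-day window and the whitelist exemption described above can be checked like this. It assumes the formula means limit(n-1) = limit(n) + limit(n+1) + 1, a reading that reproduces the stated /22 and /21 values, and it treats a /26 like the smaller allocations; the function names and the sample events in the 192.0.2.0/24 documentation range are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(days=7)  # the policy counts Level 1 listings "within 7 days"

def trigger_count(prefixlen):
    """Smallest number of Level 1 listed IPs that escalates an IPv4 allocation."""
    if prefixlen >= 26:   # page: "smaller than /26"; /26 itself is assumed equal
        return 1
    if prefixlen == 25:   # page: a /25 escalates on 2 listed IPs
        return 2
    longer, current = 4, 9  # "more than" limits the page states for /24 and /23
    if prefixlen == 24:
        return longer + 1
    # Assumed reading of the formula: limit(n-1) = limit(n) + limit(n+1) + 1
    for _ in range(23 - prefixlen):
        longer, current = current, current + longer + 1
    return current + 1

def level2_listed(allocation, level1_events, now):
    """level1_events: iterable of (ip, listed_at) pairs taken from Level 1."""
    net = ip_network(allocation)
    recent = {ip for ip, listed_at in level1_events
              if ip_address(ip) in net and timedelta(0) <= now - listed_at <= WINDOW}
    return len(recent) >= trigger_count(net.prefixlen)

def blocked_by_level2(ip, allocation, level1_events, whitelist, now):
    """Whitelisted IPs stay deliverable even when their allocation is listed."""
    if ip in whitelist or ip_address(ip) not in ip_network(allocation):
        return False
    return level2_listed(allocation, level1_events, now)

# Constructed sample data: five listings inside the window, one 30 days old.
NOW = datetime(2020, 4, 9, 15, 0)
EVENTS = [(f"192.0.2.{host}", NOW - timedelta(days=age))
          for host, age in [(10, 1), (11, 2), (12, 3), (13, 5), (14, 6), (15, 30)]]
WHITELIST = {"192.0.2.200"}  # stands in for an ips.whitelisted.org registration

if __name__ == "__main__":
    for plen in (26, 25, 24, 23, 22, 21):
        print(f"/{plen}: listed at {trigger_count(plen)} abusive IPs")
    print("192.0.2.0/24 listed:", level2_listed("192.0.2.0/24", EVENTS, NOW))
    for ip in ("192.0.2.50", "192.0.2.200"):
        print(ip, "blocked:",
              blocked_by_level2(ip, "192.0.2.0/24", EVENTS, WHITELIST, NOW))
```

Values for prefixes shorter than /21 come only from the assumed recurrence and are not stated in the policy.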
Additionally, and independently of Level 1 listings, a network can be listed at Level 2 manually and permanently when it is suspected that it was created specifically for spamming.
This suspicion arises in principle if:
- The provider rotates spammers / abusers within the Network.
- The Network or parts of it are assigned to a well known spammer / spamsupporter / listwashing service / botnet operator / malware distributor.
- The provider blocks IP addresses or netranges of blacklists, to enable their spammers to fly safely under the blacklists' radar (evasion tactics).
- A striking disparity exists between legit mail and spam.
NOTE: By using Level 2 blocking, be prepared to lose a few mails too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!
While it is unlikely, using the Level 2 blacklist may block a few required emails; it can nevertheless be easier to use Level 2 and whitelist the required sender IP addresses.
If you fear losing email, you can also incorporate Level 2 into a scoring system, e.g. giving 4 points on a ‘match’ where 5 or more points trigger a spam tag.
We recommend the use of Level 2 blocking in cases where our Level 1 is not proving to be effective enough against spammers. If you are a true BOFH you would logically block using all of our levels.
To get an idea of how UCEPROTECT-Level 2 and other blacklists performed within the last 4 weeks, see the statistics measured on the real mail flow of several authorities in Germany, Austria and Switzerland.