Level 1: 128325 IP's, Level 2: 22060 Allocations, Level 3: 601 ASN's. Last Updated: 22.04.2021 18:14 CEST
for Level 1
for Level 2
for Level 3
Help for ISPs
How to use
UCEPROTECT Blacklist Policy LEVEL 2
It can be assumed that if your email servers are repeatedly receiving spam from various IP addresses within a net block, then it is either several compromised computers within the IP pool or the IP range of a spam company.
It is also reasonable to assume that you will not usually receive important
/ real emails from such IP blocks because no professional service provider
would put their “smarthost” email servers into to same IP address space
as dynamic / dialups.
In order to stop spam from IP blocks already known to be a spam source, Level 2 is generated.UCEPROTECT level 2 escalates dynamically and lists the relevant allocation if the number of impacts of the IPs listed in level 1 exceeds certain limit values within 7 days. Allocations smaller than / 27 are automatically listed immediately in level 2 if a single impact has occurred, a / 26 network is listed for at least 2 impacts, and a / 25 for at least 3 impacts
Based on the / 24 network with 4 or more impacts, the further automatic escalation is calculated using the following formula:
Netmask - 1 = ((netmask value + 1) + (netmask value +3))
/ 23 = ((value of / 24) + (value of / 26))
e.g.: A / 23 is listed in Level 2 if 4 + 2 = 6 impacts from IPs from that area in Level 1 were counted.
/ 10 = ((value of / 11) + (value of / 13))
e.g: A / 10 is listed in Level 2 if 651 + 303 = 954 impacts from IPs from that area in Level 1 were counted.
We think we have explained the formula clearly. The escalation limits are also displayed in the IP, Impact and ASN test.
We guess you understood the formula. Anyway escalation limits are also displayed in the IP, Impact and ASN Check.
This helps control situations that are rapidly escalating in volume.
Clean IP's inside such spammy networks which are registered at ips.whitelisted.org are excluded from Level 2 to prevent false positives.
To get escalated to Level 2 is almost always an indicator, that providers don't act fast enough on abusers.
To prevent responsible providers to end up in Level 2, we did install a provider protection.
In the case of new listings in Level 1, the 4 hour provider protection first takes effect.
That means no further IMPACT from that IP is initially counted for 4 hours.
This gives the provider 4 hours to disconnect the abuser before further IMPACTS are counted from that IP.
The impact counter can therefore only increase by a maximum of 1 per 4 hours per IP on new Level 1 listings.
Anyway our patience is limited, so if there is still abuse detected from said IP, 24 hours after it was listed in Level 1, the provider protection is reduced to one hour.
Finally we are fed up with it, if the IP is still detected because of abuse after 48 hours in Level 1, so the provider protection is no longer applicable and every impact is counted indefinitely.
Providers should therefore act immediateley on every Level 1 listing to prevent that even one single abusive IP will get their allocation up to Level 2 by skyrocketing the impact counter.
Additionally and independent of Level 1 listings, a Network can get listed at Level 2 manually and permanent when it is suspected that it were specially created for spamming.
This suspicion is given in principle if:
- The provider rotates spammers / abusers within the Network.
- The Network or parts of it are assigned to a well known spammer / spamsupporter / listwashing service / botnet operator / malware distributor.
- The provider blocks IP addresses or netranges of blacklists, to enable their spammers to fly safely under the blacklists radar (evasion tactics).
- A striking disparity exists between legit mail and spam.
NOTE: By using Level 2 blocking, be prepared to lose a few mails too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!
While it is unlikely, there exists the possibility of blocking a few required emails by the use of Level 2 blacklist though it can be easier to use Level 2 and whitelist the required sender IP addresses.
If you fear to loose email you can also incorporate Level 2 it into a scoring system, to
give e.g. 4 points on a ‘match’ where 5 or more points trigger a spam tag.
We recommend the use of Level 2 blocking in cases where our Level 1 is not proving to be effective enough against spammers.If you are a true BOFH you would logically block using all of our levels.
To get an idea how UCEPROTECT-Level 2 and other blacklists did perform within the last 4 weeks see the statistics measured at the real mailflow of several authorities in Germany, Austria and Switzerland.