Level 1: 80911 IP's, Level 2: 9900 Allocations, Level 3: 540 ASN's. Last Updated: 20.09.2021 21:04 CEST
for Level 1
for Level 2
for Level 3
Help for ISPs
How to use
UCEPROTECT Blacklist Policy LEVEL 3
This blacklist has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users when used to block email.UCEPROTECT level 3 automatically lists all IPs assigned to an AS number as soon as its SPAMSCORE is 50 or higher , and (to avoid mini providers being listed because of 1 or 2 spammers) at least 50 impacts of IPs which are assigned to the AS number have been listed in level 1 in the last 7 days.
The SPAMSCORE is calculated using the following formula:
(Level 1 impacts from this ASN / total IPs in this ASN) * 100000
The resulting number is rounded to one decimal place.
We'll give you a few examples:
You have managed to get 55 impacts within 7 days, and your ASN has allocated a total of 1024 IPs, then your SPAMSCORE is 5371.09375 rounded 5371.1 which means nothing else than that your network should be disconnected from the Internet ...
If, on the other hand, you have 160 impacts within 7 days, but a total of 34025472 IPs are allocated in your ASN, then your SPAMSCORE would be 0.47023594558 rounded 0.5, which means you are a very clean and professional provider ...
As you can see that formula sounds much more dramatic than it is in reality.
It corresponds to at least 50 Impacts at tiny providers, several hundret Impacts at mid-size providers, and some thousands at big providers.
Good providers usualy stay safely below a SPAMSCORE of 10.
It is impossible for respectable and professional providers to end up in UCEPROTECT-Level 3, because Level 1 records expire if there is no abuse for 7 days and we also took care about providers size by generating Level 3.
To get escalated to Level 3 is almost always an indicator, that providers don't act fast enough on abusers.
To prevent responsible providers to end up in Level 3, we did install a provider protection.
In the case of new listings in Level 1, the 4 hour provider protection first takes effect.
That means no further IMPACT from that IP is initially counted for 4 hours.
This gives the provider 4 hours to disconnect the abuser before further IMPACTS are counted from that IP.
The impact counter can therefore only increase by a maximum of 1 per 4 hours per IP on new Level 1 listings.
Anyway our patience is limited, so if there is still abuse detected from said IP, 24 hours after it was listed in Level 1, the provider protection is reduced to one hour.
Finally we are fed up with it, if the IP is still detected because of abuse after 48 hours in Level 1, so the provider protection is no longer applicable and every impact is counted indefinitely.
Providers should therefore act immediateley on every Level 1 listing to prevent that even a manageable number of abusive IP's will get their ASN up to Level 3 by skyrocketing the impact counter.
Additionally and independent of Level 1 listings, an ASN can get listed at Level 3 manually and permanent when it is suspected that it were specially created for spamming.
This suspicion is given in principle if:
- The provider rotates spammers / abusers within the ASN.
- The provider blocks IP addresses or netranges of blacklists, to enable their spammers to fly safely under the blacklists radar (evasion tactics).
- The ASN is assigned to a well known spammer / spamsupporter / listwashing service / botnet operator / malware distributor / phisher / deceiver.
- A striking disparity exists between legit mail and spam.
We believe that a professional service provider or carrier should be able to act promptly before listings are escalating up to Level 3, therefore by using Level 3 the chances are that you will mostly block “learning-resistant” service providers or carriers and their customers.
NOTE: By using Level 3 for blocking, be prepared to occasionally lose some required mails too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!
The recommended use of Level 3 is incorporating it into a scoring system, to
give e.g. 2 points on a ‘match’ where 5 or more points trigger a spam tag.
If you are a true BOFH you would logically block using all of our levels.To get an idea how UCEPROTECT-Level 3 and other blacklists did perform within the last 4 weeks see the statistics measured at the real mailflow of several authorities in Germany, Austria and Switzerland.
There are about 105000 providers all over the world. The statistics can also be interpreted this way, that those black sheeps which get it to end up in Level 3 are responsible for 50 to 75% of the global spam, while almost no real mail came from their ranges.