UCEPROTECT-NETWORK

Spammer listings within the last 7 days:
Level 1: 71157 IP's, Level 2: 11337 Allocations, Level 3: 1071 ASN's. Last Updated: 05.12.2024 07:30 CET

YOU ARE AN ISP AND YOUR NET RANGE GOT BLACKLISTED?

We really feel sorry for you because this should not happen to respectable professional ISPs, and we do our best to prevent this.

Here are 4 things that we recommend in order to stay off the UCEPROTECT-Blacklists and the Backscatterer List:

1. Do not use abusive techniques on your systems, and also tell your customers with their own servers not to do so.

The following techniques are considered abusive, even though some seem to have become very popular.
Sender callouts (also known as Sender Verify or SAV) or any other kind of Backscatter.

Simply use common sense before turning on any new technique. If a technique or procedure makes your system capable of being a part of a DDOS against others, then you should not use it.

2. Ensure that large amounts of garbage cannot be sent through your mailservers / smarthosts.

Spammers will always try to send millions of emails for it to be worthwhile; it is a numbers game for them. On the other hand, you will not find many end users having a genuine need to send more than a few hundred, or at most a few thousand, emails per day per account.
Therefore it is advisable to establish appropriate transmission limits on all smarthosts. Users who have demonstrated that they do not abuse your infrastructure, and who claim to have a higher need, can easily be given higher limits or even no limits.
A much better approach is to detect abusers by monitoring your outbound mailservers' logs with automated scripts.
It is very unlikely that regular users will send email to more than 10 undeliverable recipients per hour.
Users sending email to multiple undeliverable addresses within a short time frame are almost always spammers, therefore you should shut down those accounts automatically and promptly.
UCEPROTECT-Appliances and Software have that feature, but it shouldn't be a big deal for any experienced Unix admin to build something like this by running a simple script that monitors the SMTP log and interacts with a database.
Use e.g. MySQL and define a database in which entries are counted down by 1 per hour and removed when the counter reaches 0.
Now let your script monitor your outgoing mail log and add to the database, with a score of +1, every user who manages to send a mail that results in a 550 "No such user" at the target system.
As soon as a user has a score of 10, temporarily disable his SMTP access by giving him 450 errors.
What will happen then?
If a well-behaved user simply misspelled an email address, nothing will happen: he will have a counter of 1 in your database for the next hour, nothing else.
If a spammer sends his crap, he will have tons of invalid addresses in his database, so he will get over your limit within seconds or at the latest minutes, and then he will no longer be able to send mail for an hour.
After an hour his counter goes back to 9 and he can send emails again, but that will not help the spammer, because he will almost immediately get to 10 again by sending mail to the next invalid user, resulting in another hour of waiting ...
Furthermore it should be no problem to filter all outgoing emails for viruses or other malware on each smarthost.
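
The bounce-counting scheme from point 2, as an added example that is not UCEPROTECT's own code: it assumes a constructed log format with a `sasl_user=` field, uses Python's built-in sqlite3 in place of MySQL, and all function and table names are hypothetical.

```python
import re
import sqlite3

LIMIT = 10  # score at which SMTP access is temporarily disabled (from the text)

# Constructed log format (assumption): the authenticated sender plus the
# remote server's reply on each delivery attempt.
LINE = re.compile(r"sasl_user=(?P<user>\S+) .*?said: (?P<code>\d{3}) (?P<text>.*)$")

def open_db():
    db = sqlite3.connect(":memory:")  # sqlite3 stands in for MySQL here
    db.execute("CREATE TABLE score (user TEXT PRIMARY KEY, n INTEGER NOT NULL)")
    return db

def feed(db, line):
    """Score +1 for the sender if the line records a 550 'No such user'."""
    m = LINE.search(line)
    if not m or m["code"] != "550" or "no such user" not in m["text"].lower():
        return
    # Capped at LIMIT so that one hourly countdown brings a blocked user to 9.
    db.execute("INSERT INTO score VALUES (?, 1) ON CONFLICT(user) "
               "DO UPDATE SET n = MIN(n + 1, ?)", (m["user"], LIMIT))

def hourly_decay(db):
    """Run once per hour: count every entry down by 1, remove entries at 0."""
    db.execute("UPDATE score SET n = n - 1")
    db.execute("DELETE FROM score WHERE n <= 0")

def smtp_reply(db, user):
    """Reply the smarthost gives this user when they try to submit mail."""
    row = db.execute("SELECT n FROM score WHERE user = ?", (user,)).fetchone()
    if row and row[0] >= LIMIT:
        return "450 sending temporarily disabled, try again later"
    return "250 ok"

def sample_log():
    """Constructed sample: alice mistypes once, mallory hits 12 dead addresses."""
    fmt = "Dec  5 07:0{}:00 mx1 smtp: sasl_user={} to=<{}> (host said: {})"
    log = [fmt.format(0, "alice", "bbo@example.net", "550 No such user"),
           fmt.format(0, "alice", "bob@example.net", "250 OK")]
    log += [fmt.format(1, "mallory", f"u{i}@example.org", "550 No such user")
            for i in range(12)]
    return log

if __name__ == "__main__":
    db = open_db()
    for line in sample_log():
        feed(db, line)
    for user in ("alice", "mallory"):
        print(user, "->", smtp_reply(db, user))
```

In production `hourly_decay` would run from cron and `smtp_reply` would back a policy lookup on the smarthost; how that lookup is wired in depends on the MTA.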

3. Ensure that your dynamic / dialups / homeusers cannot be abused as spam zombies.

Block all outgoing connections from client dynamic / dialup / home user addresses to TCP destination port 25 on any destination that is not one of your mail relays / smarthosts, and force those clients to connect to your mail relays / smarthosts or to SMTP submission instead.
Then, if a user's computer becomes infected by malware, propagation will be impossible or at least contained very quickly.
This way, any damage stays within limits and it will be unlikely that blacklists become aware of your system.
Your home users will not be affected by this, because they can still use external mail systems through the SMTP submission port 587, which has been in common use for 10 years now.
For details about SMTP submission on port 587 see RFC 2476, which was published in 1998 and which is supported by almost all freemailers and webmail services around the globe.
There is no logical reason why a home user with a dynamic IP should be able to connect to destination port 25 outside your networks, other than allowing spammers to abuse his computer as a spambot.
DSL and cable providers which fail to block connections from their home users to destination port 25 are almost always at risk of ending up in our Level 3, which means all their IPs will be blacklisted and they will therefore run into trouble with their business customers too.
Please also read the information from MAAWG on why to block port 25.

4. Get a clue about new customers, secure your servers and prevent open relays and open proxies at your dedicated line customers and at customers with static IP addresses.

Check your new customers before giving complete /24 nets to them. Use public databases such as http://www.domaintools.com to check the history of your new customers' domains.
If they had multiple other hosters within a short timeframe before, or if they have multiple brand new domains, then you should be very careful before allowing them to send unlimited emails.
If you are running a datacenter, then secure your servers so that even dumb customers can't get hacked so easily.
A good way to achieve this is to install MODSECURITY on all servers.
Modsecurity is free and, if configured well, it can prevent the usual attacks against unpatched servers running insecure scripts.

You can get Modsecurity here: http://www.modsecurity.org

Examine the IP addresses of customers with ‘statics’ regularly (e.g. weekly) with automated scripts for known weaknesses. Temporarily shut down those IP addresses that you find to have exploitable security holes that can lead to email abuse.

You will immediately have less work in your abuse department and fewer problems with blacklists.
On a long-term basis this will also maximize your profits...
We all know that you do not earn money with a flat-rate customer if his/her computer is busy 24/7 dispatching spam, viruses and worms to the world...
If you are actively preventing his/her computer from sending the crap, it is very unlikely that this customer will be able to send the traffic in other ways :-)

Note that, if every service provider worked in this way, there could be neither a spam nor a virus problem on this planet.

If you need technical assistance on making your network unattractive for spammers, or if you are still looking for a really efficient spam protection system for your infrastructure, do not hesitate to contact us.

We strongly recommend that you also read and follow the suggestions from the Anti Spam Technical Alliance (ASTA), which can be obtained from its founding members:
AOL, Earthlink, Microsoft, Yahoo! or you can download the ASTA information here at UCEPROTECT-Network.


© Copyright 2001-2024 by UCEPROTECT-Orga - All Rights reserved ! DISCLAIMER