Level 1: 138096 IP's, Level 2: 28543 Allocations, Level 3: 1190 ASN's. Last Updated: 21.10.2021 07:08 CEST
Help for ISPs
How to use
News and changes at Project UCEPROTECT-Network15.02.2021
After some providers complained that a spam run can be recorded on several of our trap servers, and thus spam traps could be rated higher than port scanners and hack attempts, we have just implemented the measures introduced yesterday as provider protection on all impacts, regardless of whether they are spamtrap hits, port scans, or hack attempts.
We hope you will take this unique opportunity and stay clean from now on ...
As part of our quality offensive, we introduced provider protection.
For this purpose we have today removed all listings that were listed in Level 1 because of port scans or hack attempts in order to set their impact counter to 0.
This measure removed several thousand allocations from level 2 and several hundred ASNs from level 3.
In the case of new port scanners and hacker listings in level 1, the 4 hour provider protection first takes effect.
This means that no further IMPACT is initially counted for 4 hours in order to prevent e.g. an AUTH hacker who is reported by several systems from succeeding in shooting complete allocations in level 2 with a single IP.
This gives the provider 4 hours to disconnect the abuser before further IMPACTS are counted from this IP.
The impact counter can therefore only increase by a maximum of 1 per 4 hours for port scanners or hack attempts per IP.
If the IP is still detected because of abuse 24 hours after it was listed in Level 1, the provider protection is reduced to one hour.
If the IP is still detected because of abuse after 48 hours in level 1, the provider protection is no longer applicable and every impact is counted indefinitely.
Anyone who, as a provider or carrier, is still listed in Level 2 or Level 3 despite these measures, either has, in our opinion, a non-existent or poorly functioning abuse department.
For quality reasons policies for level 2 and level 3 have been adapted to current developments and incidents.
In Level 2, instead of IP's in Level 1, impacts of IP's in Level 1 are used as the basis for calculation, after we have seen that providers are often not motivated to disconnect a spammer or bot after its IP has been listed in Level 1, because there was no consequence to keep them spamming.
In very special cases we have seen IP's of which hundreds of impacts were counted within 7 days, for which there is no plausible excuse, apart from ignorance on the part of the provider or intent.
From now on, every provider who does not stop abusers very quickly risks increasing the number of impacts and thus the probability of an escalation in level 2.
The new Level 2 Policy deliberately favors providers who take action quickly and consistently in the event of abuse, and it disadvantages providers who stand idly by in the event of abuse.
Here you can find the updated policy for level 2 . It is effective immediately.
Some of our users have asked us to relax the policy for level 3, here the SPAMSCORE that is required to be listed in level 3 has been increased from 20 to 50.
At the same time, as in level 2, from listed IPs in level 1 to impacts in level 1, and the lower listing limit was increased from 10 to 50.
Providers who still manage to be listed in Level 3 are really more than their own fault.
Quite honestly: Anyone who operates their own ASN with only 256 IPs and then hosts 70 or 80 spammers in it, from which 3000 or 4000 impacts emanate, deserves nothing else than to end up in level 3.
The new Level 3 Policy deliberately favors providers who take action quickly and consistently in the event of abuse, and it disadvantages providers who stand idly by in the event of abuse.
Here you can find the updated policy for level 3 . It is effective immediately.
Message to the DDOS event managers:
Smart providers keep their networks clean and install preventive measures against spammers. Stupid providers ignore their spammers, get listed, and pay criminals to run a DDOS against us.
The fact that you know botnet operators who carry out a DDOS for you shows that you not only ignore spammers, but host them willfully.
Why are you plain stupid?
You only managed to get our website offline for 4 hours because we simply zeroroute it, so that your DDOS did not work.
What could you achive? Nothing.
Only a copy of our database is running on the website, the main database is in a location that is inaccessible to you, and most of our users obtain our lists via RSYNC.
But let's assume you had a chance to get us completely offline, what would have happened?
Correct: You would have stayed listed until our users received the next current zone from us.
You morons would only have extended your listings. Congratulations.
The policy for level 2 was changed to a more stringent formula to prevent huge providers from tricking our system by splitting their spammers into several allocations or even rotating them within their ASN.
The new policy is much fairer and the change has resulted in new listings mainly for huge ASNs with many spammers.
Here you can find the updated Policy for level 2. It is effective immediately.
The policy for Level 3 was changed to SPAMSCORE in order to prevent providers from tricking our system by dividing their networks into several ASNs or receiving a license to spam by changing their allocations.
Quite honestly: Anyone who operates their own ASN with 1024 IP's and then hosts 70 or 80 spammers in it doesn't deserve anything other than to end up in Level 3.
The new policy is much fairer and the change has resulted in new listings, mainly for very small ASNs with many spammers.
Here ist the adjusted and immediately valid Policy for Level 3.
We did adjust the policy for Level 3 by adding an upper limit of 10000 IPs to prevent huge ASNs, which spread massive spam, to fly under Level 3's radar, because of their sheer size.
Here ist the adjusted and immediately valid Policy for Level 3.
Payment service provider Paypal really believe that they can treat long-standing customers like shit and withhold their money for no reason, but with all kinds of tricky excuses from their Terms and Conditions for some days, weeks, or even months.
In our opinion, they are clearly asking to boycott them.
That's the reason why we do no longer accept Paypal, and why we recommend, that every owner of a Paypal account, who does not want to come into the same situation, should remove any money from their Paypal account immediately, and to close the account, after the balance is Zero and all money was removed successfully.
After receiving numerous complaints about constantly changing prices in USD and EURO, we have decided to quote our prices in Swiss francs (CHF) only.
In addition, by eliminating the exchange rate risk, we were able to lower our prices by around 10%.
Paypal automatically converts your local currency into CHF, if necessary, so you do not suffer any disadvantages.
We introduced the pillory at our website so that anyone can see all of those black hat providers that managed to be currently listed in UCEPROTECT-Level 3.
We recommend to
Policies for Levels 2 and 3 were adjusted to be more effective against well known long time spammers.
Since UCEPROTECT-Network started to publish it's downloadable blocklists in RBLDNSD format (03.07.2007) almost all of our users which are using downloadable formats have switched to download RBLDNSD via RSYNC.
Also UCEPROTECT-Mailserver Software is using the RBLDNSD format since V4.0
Therefore the other formats (Postfix / Sendmail access, Qmail, UCEPROTECT-Software Version 3.5 and older) and also the HTTP download option via WGET became obsolete and will no longer be offered after 01.01.2010
If you are still using these formats or if you download via WGET, we strongly recommend that you switch to using us either via DNS or to download our blocklists via RSYNC in RBLDNSD format only.
Details how to use RSYNC and RBLDNSD can be found here.
UCEPROTECT-Network now maintains a HIGH-TRUST whitelist too.
For details see:
We have installed a feedback-loop for interested companies or providers.
If you want to be alerted by email on status changes of your ASN or you want daily or even hourly reports (with exact timestamps) of abusers within your ASN by email, feel free to subscribe here:
We have installed the new policies for Levels 2 and 3 as announced.
If you have not already done so, please read policies for Level 2 and 3 now.
We will soon install new policies for Levels 2 and 3 to reduce risk of false positives while making them more effective.
Please read Policies for Level 2 and 3.
Project UCEPROTECT-Network has chosen to mirror it's own zones (UCEPROTECT Level 1, 2, 3) and BACKSCATTERER.ORG zones only.
Other lists form external vendors formerly mirrored by us were dropped
Project UCEPROTECT-Network now offers all zones available also for download with RSYNC in RBLDNSD format.
Details how to use RSYNC can be found here.
UCEPROTECT-Level 1 was cleaned up, and is now one of the most accurate and reliable blacklists again.
UCEPROTECT Level 1 does no longer list backscatterer and sender callout abusers. A new list was established for that reason:
Details see: http://www.backscatterer.org
Project Management was changed for quality reasons.