[anti-abuse-wg] UCEPROTECT DNSBL possibly abusive practice and RIPEStat Blacklist entries widget

Do you see email providers of significant size using it?

--srs
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces at ripe.net> on behalf of Christian Teuschel <cteusche at ripe.net>
Sent: Wednesday, March 3, 2021 9:57:50 PM
To: anti-abuse-wg at ripe.net <anti-abuse-wg at ripe.net>
Subject: Re: [anti-abuse-wg] UCEPROTECT DNSBL possibly abusive practice and RIPEStat Blacklist entries widget

Dear colleagues,

RIPEstat is a neutral source of information and we aim to provide users
with access to as many data sources as possible to provide insights.

UCEProtect was added as a data source prior to 2010 and is still used by
several network operators to filter traffic into their networks.
Including it as a data source in RIPEstat allows users to see whether
resources are included in their lists.

RIPE NCC does not pay for, support or endorse their practices, although
we understand that continuing to include UCEProtect as a data source
could be misunderstood as such. We also do not use their lists to filter
traffic on our services.

Our goal remains to provide the best visibility and tools for network
operators to diagnose their networks. We have also heard your feedback
regarding including more RBLs. It is something that we have considered
in the past, and we are open to revisiting this.

RIPEstat is driven by the community. We would like to hear from you
about whether including UCEProtect as a data source is useful.

Regards,
Christian

On 02/03/2021 00:08, Kristijonas Lukas Bukauskas via anti-abuse-wg wrote:
> Hello,
>
> I noticed that RIPE NCC uses uceprotect-level1, uceprotect-level2 and
> uceprotect-level3 in RIPEStat Anti Abuse Blacklist Entries widget.
>
> There have been controversial positions about this blacklist recently:
>
> 1)
> https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security
> <https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security>
> 2) https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html
> <https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html>
>
>
> UCEPROTECT blacklists the whole range of IP addresses, including the
> full IP range of some autonomous systems:
>
> UCEPROTECT states, '/Who is responsible for this listing? YOU ARE NOT!
> Your IP was NOT directly involved in abuse but has a bad neighborhood.
> Other customers within this range did not care about their security and
> got hacked, started spamming, or were even attacking others, while your
> provider has possibly not even noticed that there is a serious problem.
> We are sorry for you, but you have chosen a provider not acting fast
> enough on abusers'/) [http://www.uceprotect.net/en/rblcheck.php
> <http://www.uceprotect.net/en/rblcheck.php>].
>
> It asks for a fee if some individual IP address wants to be whitelisted
> (http://www.whitelisted.org/ <http://www.whitelisted.org/>),
>
> It abuses people who decide to challenge their blacklist by publishing
> conversations in their so-called /Cart00ney/
> (http://www.uceprotect.net/en/index.php?m=8&s=0
> <http://www.uceprotect.net/en/index.php?m=8&s=0>;
> http://www.uceprotect.org/cart00neys/index.html
> <http://www.uceprotect.org/cart00neys/index.html>).
>
> And the other type of threatening: http://www.uceprotect.org/
> <http://www.uceprotect.org/>
>
> Does RIPE NCC have any position on this specific blacklist?
>
> Thank you!

--
Christian Teuschel
RIPE NCC | @christian_toysh

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20210303/95f70a4d/attachment.html>