[anti-abuse-wg] UCEPROTECT DNSBL possibly abusive practice and RIPEStat Blacklist entries widget

El jue, 04-03-2021 a las 17:16 +0100, Christian Teuschel wrote:
> Hi Elvis and Suresh, dear colleagues,
> 
> Putting exact numbers on how many operators are using UCEProtect is
> difficult, but through feedback from users, network operators and
> members we understand that it is in use and that the provisioning of
> this RBL on RIPEstat has value.
> 
> If I am reading the feedback in this discussion correctly, the
> sentiment
> is leaning towards adding more RBLs instead of less and if that is
> the
> case we are going to look into how and when we can achieve this.
> Please
> let me know if that is aligned with your requirements/expectations.
> 
> Best regards,
> Christian

Hello Christian

I think there are two issues at hand here.

First one is the realiability of uceprotect. A dnsbl SHOULD be neutral.
A blacklist which accepts payments for delisting seems shady by itself,
even if actually done with the best intentions. Due to this it has long
been considered as not a source to trust or care about (unlike their
policy with many other blacklists). But a network choosing to care (or
not) for a blacklist, or a BL deciding to seek payments, are their own
decisions.
However, what I find really worrying are the reports of uceprotect
intentionally increasing their to list more addresses, or even
inserting "hits" for ip addresses which cannot have produced
the alledged hits. This would make them misleading at best, if not
directly mischievous.
PLease note this is just from a technical point of view. Issues of
"non-professionalism" are a separate matter.
A blacklist operator should be able to know why and even justify, if
needed, why it listed an IP address. To a trusted third party, for
instance. If it is / became a predatory blacklist, that's enough reason
not to include it, as that would be a way of promoting it.


Second issue is the number of entries. I would consider that the more
(good) blacklists included, the better. I would still not include a
predatory blacklist there, as the mere listing gives them a sense of
legitimacy.
This can be conflated with the number of lists but is actually
different. If you include many blacklists (e.g. mxtoolbox checks 94),
it's easier to include lower-quality ones, as the exposure given to
them is more diluted. If you only list a couple of lists, that makes
them look like they are "the important ones". Even if it was never the
intent.


Best regards



PS: And yes, the NP-hard problem is telling apart the good from the
evil. In some cases it can be simple, but it often is not.

-- 
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/

PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys

====================================================================

INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
las redes y sistemas de información" that transposes the Directive (EU)
2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and
information systems across the Union.

====================================================================

In compliance with the General Data Protection Regulation of the EU
(Regulation EU 2016/679, of 27 April 2016) we inform you that your
personal and corporate data (as well as those included in attached
documents); and e-mail address, may be included in our records 
for the purpose derived from legal, contractual or pre-contractual
obligations or in order to respond to your queries. You may exercise
your rights of access, correction, cancellation, portability,
limitationof processing and opposition under the terms established by
current legislation and free of charge by sending an e-mail to
dpd at incibe.es. The Data Controller is S.M.E. Instituto Nacional de
Ciberseguridad de España, M.P., S.A. More information is available
on our website: https://www.incibe.es/proteccion-datos-personales
and https://www.incibe.es/registro-actividad.

====================================================================