[anti-abuse-wg] UCEPROTECT DNSBL possibly abusive practice and RIPEStat Blacklist entries widget
Elvis Daniel Velea
elvis at v4escrow.net
Fri Mar 12 12:12:08 CET 2021
Hi Christian,

as an IPv4 Broker, V4Escrow has been scanning IP blocks in blacklists almost since its inception. We've done this to offer interested parties enough information to do a due diligence as complete as possible (we also provide them with routing information history from ripe stats, whois and whowas information from whoever makes it available, transfer history, geolocation information, etc).

We've noticed that our customers appreciate it to know whether the IPs they want to transfer are listed in blacklists. Both offering parties are interested in this information (and most of the time they will 'clean' the IPs before listing them for sale) and, more importantly, receiving parties.

We've noticed that a large majority of our customers will definitely refuse to purchase rights to IPs if these are listed in some specific blacklists while some others don't really care about that and only want to purchase the rights to the cheapest IPs. That's why sometimes the rights to the IPs listed in blacklists will sell for less.

From our experience, one of the most important blacklists is the Spamhaus DROP. Then follow (in no particular order) the Spamhaus SBL, the Sorbs, the Barracudas, junkermail, justspam, spamrats, spamcop, uceprotect and a few others.

We've noticed that some blacklists require money to delist the blocks. We try to give them less importance when calculating the 'cleanliness' score of an IP block. We believe that the process of cleaning an IP or a block of IPs should be swift and simple - as soon as the abuse has stopped (some blacklists remove an IP automatically after 7 days) or once the holder of the IPs can prove there is no more abuse coming from those IPs.

What we were amazed to see is that some IPs which have been allocated, returned to the free pool, re-allocated and then transferred (3-4 different orgs over the timespan of 10-15 years) are still listed because the initial org has done something (wrong) in 2010.. That was very strange to see..
moreover, getting those IPs cleaned from some blacklists has proven to be very challenging.

We've generated a list of blacklists that we maintain constantly. I'll paste below the complete list of blacklists we check against with every IP block we broker:

Out of all these, in the past couple of years we have stopped using some (see the following list, and more) as we were getting bogus data/responses:

bl.emailbasura.org
rbl.megarbl.net
bl.spamcannibal.org
hartkore.dnsbl.tuxad.de
dunk.dnsbl.tuxad.de
v6.fullbogons.cymru.com
query.senderbase.org
sa.senderbase.org

Hope this can help.

Kind regards,
Elvis Velea
V4Escrow CEO
www.v4escrow.com

On 3/12/21 12:51 AM, Christian Teuschel wrote:
> Dear colleagues,
>
> I can see a few suggestions for additional blocklists to include. It
> would be helpful if we could get any others by 19 March.
>
> We will then get started on an analysis that we will share with the
> community a little later in the year.
>
> Kind regards
> Christian
>
> On 09/03/2021 10:37, Christian Teuschel wrote:
>> Dear colleagues,
>>
>> Thinking about a course of action - it looks there is an agreement to
>> have more RBLs on RIPEstat.
>> It would be good to have a list of
>> candidates that the community feels would be useful. Once we have this
>> list, we can perform a feasibility analysis and present this to the
>> community. We can then take it from there.
>>
>> Let me know if this approach works for you.
>>
>> Best regards,
>> Christian
>>
>> On 04/03/2021 17:16, Christian Teuschel wrote:
>>> Hi Elvis and Suresh, dear colleagues,
>>>
>>> Putting exact numbers on how many operators are using UCEProtect is
>>> difficult, but through feedback from users, network operators and
>>> members we understand that it is in use and that the provisioning of
>>> this RBL on RIPEstat has value.
>>>
>>> If I am reading the feedback in this discussion correctly, the sentiment
>>> is leaning towards adding more RBLs instead of less and if that is the
>>> case we are going to look into how and when we can achieve this. Please
>>> let me know if that is aligned with your requirements/expectations.
>>>
>>> Best regards,
>>> Christian
>>>
>>> On 04/03/2021 09:54, Elvis Daniel Velea wrote:
>>>> Hi Christian,
>>>>
>>>> while it may be useful to have their data source, it only shows the RIPE
>>>> NCC favors one or two operators and I think that is damaging to the
>>>> whole idea of being impartial.
>>>>
>>>> You either include a good list of blacklist operators and their data or
>>>> none. Including only a couple will lead to the impression that only
>>>> those are important enough to be considered by the RIPE NCC.
>>>>
>>>> my 2 cents,
>>>> Elvis
>>>>
>>>> On 3/3/21 8:27 AM, Christian Teuschel wrote:
>>>>> Dear colleagues,
>>>>>
>>>>> RIPEstat is a neutral source of information and we aim to provide users
>>>>> with access to as many data sources as possible to provide insights.
>>>>>
>>>>> UCEProtect was added as a data source prior to 2010 and is still used by
>>>>> several network operators to filter traffic into their networks.
>>>>> Including it as a data source in RIPEstat allows users to see whether
>>>>> resources are included in their lists.
>>>>>
>>>>> RIPE NCC does not pay for, support or endorse their practices, although
>>>>> we understand that continuing to include UCEProtect as a data source
>>>>> could be misunderstood as such. We also do not use their lists to filter
>>>>> traffic on our services.
>>>>>
>>>>> Our goal remains to provide the best visibility and tools for network
>>>>> operators to diagnose their networks. We have also heard your feedback
>>>>> regarding including more RBLs. It is something that we have considered
>>>>> in the past, and we are open to revisiting this.
>>>>>
>>>>> RIPEstat is driven by the community. We would like to hear from you
>>>>> about whether including UCEProtect as a data source is useful.
>>>>>
>>>>> Regards,
>>>>> Christian
>>>>>
>>>>> On 02/03/2021 00:08, Kristijonas Lukas Bukauskas via anti-abuse-wg wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I noticed that RIPE NCC uses uceprotect-level1, uceprotect-level2 and
>>>>>> uceprotect-level3 in RIPEStat Anti Abuse Blacklist Entries widget.
>>>>>>
>>>>>> There have been controversial positions about this blacklist recently:
>>>>>>
>>>>>> 1)
>>>>>> https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security
>>>>>>
>>>>>> 2) https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html
>>>>>>
>>>>>> UCEPROTECT blacklists the whole range of IP addresses, including the
>>>>>> full IP range of some autonomous systems:
>>>>>> UCEPROTECT states, '/Who is responsible for this listing? YOU ARE NOT!
>>>>>> Your IP was NOT directly involved in abuse but has a bad neighborhood.
>>>>>> Other customers within this range did not care about their security and
>>>>>> got hacked, started spamming, or were even attacking others, while your
>>>>>> provider has possibly not even noticed that there is a serious problem.
>>>>>> We are sorry for you, but you have chosen a provider not acting fast
>>>>>> enough on abusers'/) [http://www.uceprotect.net/en/rblcheck.php].
>>>>>> It asks for a fee if some individual IP address wants to be
>>>>>> whitelisted
>>>>>> (http://www.whitelisted.org/),
>>>>>> It abuses people who decide to challenge their blacklist by publishing
>>>>>> conversations in their so-called /Cart00ney/
>>>>>> (http://www.uceprotect.net/en/index.php?m=8&s=0;
>>>>>> http://www.uceprotect.org/cart00neys/index.html).
>>>>>> And the other type of threatening: http://www.uceprotect.org/
>>>>>> Does RIPE NCC have any position on this specific blacklist?
>>>>>>
>>>>>> Thank you!