
UCEPROTECT introduces a new line of defense


Claus v. Wolfhausen

Sep 23, 2008, 11:12:02 AM
Hi all,

to fix the problem that spam is very often seen from "real servers" where
spammers are sending with complete networks and very fast changing addresses
these days, UCEPROTECT is introducing an additional zone:

dnsbl-0.uceprotect.net (UCEPROTECT-Level 0)

Please note that Level 0 is NOT a blocklist, it is a collaborative delaylist.

Listing policy is quite simple:
Whenever something hits a spamtrap which does not qualify for an automatic
listing in Level 1 it will get listed in the Level 0 for a maximum of 3 hours.

Level 0 is extremely fast:
Average time between an impact and the IP being known to all mirrors out there
is between 2 minutes 30 seconds and at most 5 minutes.

As soon as an IP is listed at Level 0 it shows up as "LISTINGRISK HIGH - on our
radar" when testing it at our website.

Unlike greylisting, the purpose of Level 0 is not to see whether a server comes
back; the purpose is to win time and have nominations reviewed by an operator
before shooting suspect systems up in Level 1.

Every IP listed in Level 0 will automatically be removed as soon as it gets
moved to Level 1 or is removed by an operator; otherwise it will expire after
3 hours at the latest.

Level 0 is exclusively available by DNS because it would take too much time to
download by rsync or wget.

Please DO NOT USE Level 0 in scoring systems and DO NOT USE Level 0 for
blocking. IGNORING THAT WARNING MIGHT RESULT IN HIGH FALSE POSITIVES!

Level 0's intended use is to give a tempfail (4xx Error) to listed systems,
nothing else.

If used as intended there is no risk to lose, but a chance to delay real mail.

Level 0 is still experimental and we want your feedback to get an idea how
effective it is to catch those spammers not known yet to any other list
available out there.

During the test-period we did intentionally NOT document it at our website,
because we want only email experts to be using and testing it.

Our internal tests with UCEPROTECT-Systems running the upcoming Version 4.1 in
betatest are indicating that it will be a successor but we want to make sure it
is useful for other systems too before making Level 0 an "official part" of
our DNSBL.

Test-period will end at 01.12.2008 - 00:00 CET.
We will announce in nanabl and nanae if Level 0 will become an official Level
after that date.

Thank you for your interest in UCEPROTECT.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.
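
The intended use described in the announcement (query the Level 0 zone and answer listed clients with a 4xx, never a 5xx and never a score), as an added example that is not part of the original posts and not UCEPROTECT's own code. It assumes the usual DNSBL convention of reversed-octet query names answered from 127.0.0.0/8 for listed addresses; `level0_reply`, the `resolve` callback contract, the 451 reply text and the sample zone data are constructed for illustration.

```python
import ipaddress

LEVEL0_ZONE = "dnsbl-0.uceprotect.net"   # zone name from the announcement
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Constructed reply text; the only requirement from the post is a 4xx code.
TEMPFAIL = "451 4.7.1 Temporarily deferred, please try again later"


def dnsbl_query_name(client_ip, zone=LEVEL0_ZONE):
    """Build the DNSBL query name for an IPv4 client, or None for IPv6."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        return None                       # this sketch only queries IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def level0_reply(client_ip, resolve):
    """Return a 4xx reply line for a listed client, else None (keep going).

    Assumed contract for resolve(name): list of A-record strings, [] when
    the name does not exist, OSError on timeout or server failure.
    """
    name = dnsbl_query_name(client_ip)
    if name is None:
        return None
    try:
        answers = resolve(name)
    except OSError:
        return None                       # fail open: a DNS outage must not delay mail
    if any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
        return TEMPFAIL                   # delay only: no 5xx, no score
    return None


# Constructed sample data: one listed address from a documentation range.
SAMPLE_ZONE = {"10.113.0.203." + LEVEL0_ZONE: ["127.0.0.2"]}


def sample_resolve(name):
    """Offline stand-in for a DNS lookup over the constructed zone."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "2001:db8::1"):
        print(ip, "->", level0_reply(ip, sample_resolve) or "continue")
```

Because a well-behaved sender retries after a 4xx, the listing's 3-hour maximum lifetime bounds the delay for a listed host that turns out to be legitimate.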

D. Stussy

Sep 25, 2008, 7:07:26 AM
"Claus v. Wolfhausen" <use-reply-...@remove-this.com> wrote in
message news:gbb473$dkh$2...@ulm.shuttle.de...
> Hi all,
> ...

Let us know when you introduce "Level 4" - blocking of all of IPv4 address
space. ;-)

--
"Don't execute programs. Execute spammers instead. Poor programs."
- Tron (updated to 2008).

Shmuel (Seymour J.) Metz

Sep 25, 2008, 10:14:19 AM
In <gbb473$dkh$2...@ulm.shuttle.de>, on 09/23/2008
at 03:12 PM, use-reply-...@remove-this.com (Claus v. Wolfhausen)
said:

>If used as intended there is no risk to lose, but a chance to delay real
>mail.

While I wouldn't lose any sleep over it, there is a risk of losing real
mail if the SMTP client[1] is broken. Specifically, if the client treats a
4yz response as a permanent failure.

[1] Keep in mind that "client" refers to role; an MTA is typically
both a client and a server, in different sessions.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

Larry M. Smith

Oct 2, 2008, 4:44:43 PM
D. Stussy wrote:
> "Claus v. Wolfhausen" <use-reply-...@remove-this.com> wrote in
> message news:gbb473$dkh$2...@ulm.shuttle.de...
>> Hi all,
>> ...
>
> Let us know when you introduce "Level 4" - blocking of all of IPv4 address
> space. ;-)
>

Don't forget "Level 6" - Blocking more IPs than there are molecules in
the moon!


SgtChains

D. Stussy

Oct 3, 2008, 8:12:20 AM
"Larry M. Smith" <Usene...@FahQ2.com> wrote in message
news:H-qdndqV9OgBs3jV...@supernews.com...

> D. Stussy wrote:
> > "Claus v. Wolfhausen" <use-reply-...@remove-this.com> wrote in
> > message news:gbb473$dkh$2...@ulm.shuttle.de...
> >> Hi all,
> >> ...
> >
> > Let us know when you introduce "Level 4" - blocking of all of IPv4 address
> > space. ;-)
> >
>
> Don't forget "Level 6" - Blocking more IPs than there are molecules in
> the moon!

That's next decade (only a couple of years away) - as there really isn't
much spam that has been IPv6 delivered yet - else someone would have added
an IPv6 dnsbl by now.

Martijn Lievaart

Oct 5, 2008, 7:27:20 PM
On Fri, 03 Oct 2008 12:12:20 +0000, D. Stussy wrote:

> That's next decade (only a couple of years away) - as there really isn't
> much spam that has been IPv6 delivered yet - else someone would have
> added an IPv6 dnsbl by now.

I actually do get spam over ipv6, but indeed it's a trickle.

M4

Herb Oxley

Oct 8, 2008, 9:38:01 PM
"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:

> While I wouldn't lose any sleep over it, there is a risk of losing real
> mail if the SMTP client[1] is broken. Specifically, if the client treats a
> 4yz response as a permanent failure.

> [1] Keep in mind that "client" refers to role; an MTA is typically
> both a client and a server, in different sessions.

Are there any currently-supported SMTP programs which treat a 4xx as a
permanent failure?

I recall some *early* versions of MS Exchange Server (4.0 and maybe 5.0
GA) doing this; however anyone still using those versions for Internet
email likely has far greater problems than the above such as being SMTP
hijacked for open-relay-spam.

I think what UCEPROTECT is doing is a great idea as I've seen an increase
in spam from Yahoo which was sent via Yahoo Mail accounts likely created
in bulk and Yahoo having to play whack-a-mole with them.

--
The published From: address is a trap.

Shmuel (Seymour J.) Metz

Oct 12, 2008, 10:47:51 AM
In <gcgur1$ipc$2...@reader1.panix.com>, on 10/09/2008
at 01:38 AM, rest...@fastmail.fm (Herb Oxley) said:

>Are there any currently-supported SMTP programs which treat a 4xx as a
>permanent failure?

I'm not sure. If there are, I wouldn't let it affect the decision to send
a 4yz response. YMMV.

>I recall some *early* versions of MS Exchange Server (4.0 and maybe 5.0
>GA) doing this; however anyone still using those versions for Internet
>email likely has far greater problems than the above such as being SMTP
>hijacked for open-relay-spam.

Another reason for not cutting them any slack.

>I think what UCEPROTECT is doing is a great idea

Besides which, they're not forcing anybody to use their lists.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org
