UCEPROTECT — Extorting sysadmins and ISP’s.
For a lot of years I have been managing my own servers. One of these servers is used as a mail server. Security it is very important to me. I have setup SPF, DKIM, DMARC and even DANE records in order to ensure that my mail is authentic and delivered.
Recently, I have had mail delivery issues. I quickly found out that my IP-addresses was listed with UCEPROTECT. Further investigation shows, that not my IP-address is listed but all of the subnets that ISP is using. My ISP has a lot of subnets in use. There are no spammers in my subnet or subnets near my IP-addresses.
Obviously, I wanted to get rid of this listing but before contacting them I decided to further investigate UCEPROTECT.
By default, the website is delivered over HTTP without encryption. It goes without saying that HTTPS should be the default in 2021. The website is full of words and sentences in all caps. The text on the website contains several typo’s and could have been written by a 13 year old Minecraft player.
THE CRAP WAS DELIVERED TO YOUR SYSTEM! Whether you read it or not does not matter to the spammer!!!
“Payment service provider Paypal really believe that they can treat long-standing customers like shit and withhold their money for no reason, but with all kinds of tricky excuses from their Terms and Conditions for some days, weeks, or even months.”
“several hundret abusive”
They claim to have a decent list of sponsors. Unsurprising, many of them are also listed as spamming ISP’s/ASN’s.
- IN-Mirror 1 — BEAM TELECOM PVT. LTD.
- IN-Mirror 2 — CtrlS Datacenters Ltd.
I discovered that they have a webpage for their stats. As a geek, I am a sucker for stats. One graph stood out, the amount of listings for an ASN.
As you can see, the amount of ASN’s recently skyrocketed. On the news page they explain that policy for ASN’s has changed. Clearly this did not set well with everybody. According to their news page they were offline due to DDoS-attacks.
UCEPROTECT on level 3 listings
UCEPROTECT has a page on level 3 listings. Level 3 listings are listings for ISP’s (also known as ASN’s). They refer to DTAG but seem to lack the knowledge that there is a difference between an ISP that offers servers and an ISP that offer internet access to home users.
They never provide ISP’s with proof. They will charge ISP’s for very limited data.
I decided to contact my ISP in regards to this issue. They stated that they were aware of this issue. A really small percentage of their servers/IP-addresses were listed, which caused that their entire ASN to become listed. They are unable to contact them as they have blocked all means of communication (because they are listed). In order to contact them, they have to pay to whitelist an IP-address on their own websites OR wait 7 days before the listings expire. Obviously 7 days is a long time.
While it goes against what it goes against my own policy, I figured I might pay for a delisting. However, the price was insane. To temporarily delist an IP-address they charge up to 90 CHF (€83,23)! For an ASN the “express delisting” costs 449 CHF (€414,98). Needless to say, these prices were not okay.
Maybe I could call them or contact them in any other way to explain the situation. You probably guessed it by now, they do not have a phone number or any other contact information published on their website. The contact form is blocked for listed IP-addresses. Using a VPN provider I was able to view the contact form and submit a questions. We are several days later and have not yet received a response. The dropdown menu is another hint to how legitimate this project is.
So before paying for a delisting, consider asking yourself, who am I paying and what for?
Third party reviews
There are a lot of negative reviews out there with a lot of similar complaints. This company/project is definitely run by some guys (Claus von Wolfhausen and Johann Steigenberger) on an attic instead of a professional business.
- UCEPROTECT Extortion Service: All Your Mails Are Belong To Us!
- UCEPROTECT Blacklist Scam
- Black List Fraud
UCEPROTECT has recently altered their listing policy in order to increase the amount of ASN’s blocked. This causes an incredible amount of collateral damage. They extort ASN’s to pay for delisting or contact. They only offer paid services to ISP’s and sysadmins. All they care about is money. They do not care if they have to extort ISP’s or sysadmin’s.
- Email providers: Never UCEPROTECT as a DNSBL, use a legitimate DNSBL, such as Spamhaus.
- ISPs: Never pay UCEPROTECT — this is a scheme
- Sponsors of UCEPROTECT: Why are you sponsoring this malicious project?
- UCEPROTECT: Change your contact methods, publish your “company” address and listen to the feedback.