UCEPROTECT — Extorting sysadmins and ISPs.

Intro

For a lot of years I have been managing my own servers. One of these servers is used as a mail server. Security is very important to me. I have set up SPF, DKIM, DMARC and even DANE records in order to ensure that my mail is authentic and delivered.

First glance

By default, the website is delivered over HTTP without encryption. It goes without saying that HTTPS should be the default in 2021. The website is full of words and sentences in all caps. The text on the website contains several typos and could have been written by a 13-year-old Minecraft player.

Ironic sponsoring

They claim to have a decent list of sponsors. Unsurprisingly, many of them are also listed as spamming ISPs/ASNs.

  • IN-Mirror 2 — CtrlS Datacenters Ltd.

Stats

I discovered that they have a webpage for their stats. As a geek, I am a sucker for stats. One graph stood out: the number of listings for an ASN.

Insane amount of ASNs listed — Source: http://stats.uceprotect.net/?page=su

UCEPROTECT on level 3 listings

UCEPROTECT has a page on level 3 listings. Level 3 listings are listings for ISPs (also known as ASNs). They refer to DTAG but seem to lack the knowledge that there is a difference between an ISP that offers servers and an ISP that offers internet access to home users.

Contacting UCEPROTECT

I decided to contact my ISP in regard to this issue. They stated that they were aware of this issue. A really small percentage of their servers/IP addresses were listed, which caused their entire ASN to become listed. They are unable to contact UCEPROTECT, as it has blocked all means of communication (because they are listed). In order to contact them, they have to pay to whitelist an IP address on their own websites OR wait 7 days before the listings expire. Obviously 7 days is a long time.

Key example of a legitimate company — Source: http://www.uceprotect.net/en/contact.php

Third party reviews

There are a lot of negative reviews out there with a lot of similar complaints. This company/project is definitely run by some guys (Claus von Wolfhausen and Johann Steigenberger) in an attic instead of a professional business.

Conclusion

UCEPROTECT has recently altered their listing policy in order to increase the number of ASNs blocked. This causes an incredible amount of collateral damage. They extort ASNs to pay for delisting or contact. They only offer paid services to ISPs and sysadmins. All they care about is money. They do not care if they have to extort ISPs or sysadmins.

TL;DR

  • Email providers: Never use UCEPROTECT as a DNSBL; use a legitimate DNSBL, such as Spamhaus.
  • ISPs: Never pay UCEPROTECT — this is a scheme
  • Sponsors of UCEPROTECT: Why are you sponsoring this malicious project?
  • UCEPROTECT: Change your contact methods, publish your “company” address and listen to the feedback.
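
For mail admins acting on the first point, here is an added example (not part of the original post) that audits a Postfix `main.cf` for DNSBL zones and reports any under `uceprotect.net`. The sample config and its zone names are constructed, and the function names are hypothetical.

```python
import re

# Assumption: every zone of the blocklist lives under the domain seen in this page's URLs.
FLAGGED_SUFFIX = "uceprotect.net"

def logical_lines(text):
    """Join main.cf continuation lines (leading whitespace); skip blanks and comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def zone_of(token):
    """Drop a reply filter (=127.0.0.2) or postscreen weight (*2) from a zone token."""
    return re.split(r"[=*]", token, maxsplit=1)[0].lower().rstrip(".")

def dnsbl_zones(text):
    """Map each main.cf parameter to the DNSBL zones it references."""
    found = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        if name.strip() == "postscreen_dnsbl_sites":
            zones = [zone_of(t) for t in tokens]
        else:  # reject_rbl_client / reject_rhsbl_* take the zone as the next token
            zones = [zone_of(nxt) for cur, nxt in zip(tokens, tokens[1:])
                     if cur.startswith(("reject_rbl_", "reject_rhsbl_"))]
        if zones:
            found[name.strip()] = zones
    return found

def flagged(text):
    """Return sorted (parameter, zone) pairs whose zone falls under FLAGGED_SUFFIX."""
    return sorted((p, z) for p, zs in dnsbl_zones(text).items() for z in zs
                  if z == FLAGGED_SUFFIX or z.endswith("." + FLAGGED_SUFFIX))

# Constructed sample main.cf, not taken from any real server.
SAMPLE = """
smtpd_recipient_restrictions =
    reject_rbl_client zen.spamhaus.org,
    # legacy entry
    reject_rbl_client dnsbl-3.uceprotect.net=127.0.0.2
postscreen_dnsbl_sites = zen.spamhaus.org*2, dnsbl-1.uceprotect.net*1
"""
```

Calling `flagged()` on the text of a real `main.cf` returns the parameter and zone pairs to remove; an empty list means no zone under that domain is referenced.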
