Re: Re: UCEProtect Level 3
James Hess wrote: >It's not the tool or list itself, but the horrible manner in which >someone chose to use the list. Exactly. We can't be responsible for what our users are doing. >Those places who chose to perform cut offs blindly based on the >listing are responsible, and have their own users to answer to.. The >UceProtect L3 website displays a very prominent admission of guilt >(they are open about their listing criteria): >"This blacklist has been created for HARDLINERS. It can, and probably >will cause collateral damage to innocent users when used to block >email." >So there should be little ignorance on the matter by users. The >value of the list is heuristic, for scoring, e.g. SpamAssassin score, >and use of the list should be combined with an informed decision, >before blocking mail from a sender based on it. Under those >conditions, lists like that can be quite useful. I will give you some more examples how it can be very useful: You can use it to block emails from systems with no PTR or Generic PTR's. You can use it to block emails from systems having non FQDN HELO/EHLO You can use it to block emails from systems which are also listed in very aggressive point blocklists (Single IP blocklists). You can use it to do excessive greylistings (i recommend at least 2 hours) to find out if the system will show up on other blocklists in the meantime. As you can see the only limit is your imagination. --- Claus von Wolfhausen Technical Director UCEPROTECT-Network http://www.uceprotect.net
Re: UCEProtect Level 3
On 2009/05/08 03:31 PM Claus v. Wolfhausen wrote: Why do you believe people which are using Level 3 are not aware what it is doing? The real problem is it's not just UCEProtect. http://www.senderbase.org/ I see too many IronPort's at ISP's using these reputation filters and blocking anyone who accidentally got infected with a virus for weeks on end well after the problem is solved.
Re: UCEProtect Level 3
On Fri, 8 May 2009 09:46:38 -0400 "Matt Liotta" wrote: > > On May 8, 2009, at 9:31 AM, Claus v. Wolfhausen wrote: > > > Why do you believe people which are using Level 3 are not aware > > what it is > > doing? > > I am guessing the emails from uninformed victims wondering why their > mail isn't getting through. > > Vigilantes always start out with the right intentions and then take > it too far. One day you are going to filter the wrong AS. You are blaming the wrong people. It is very clear on their website that this list should not be used for blocking. It states that there will be FPs and that you should use it as part of an overall scoring system. If you must blame someone, blame the idiots who use it to block email. -- John
Re: UCEProtect Level 3
Suresh Ramasubramanian wrote: On Fri, May 8, 2009 at 12:04 AM, Raleigh Apple wrote: Is anyone else out there aware that the UCEProtect Level 3 email blacklist blocks entire AS? Is there anyone out there aware of any significant (or larger than 'man and his dog on a DSL') mail provider using UCEPROTECT? dnsbl-1.uceprotect.net and dnsbl-2.uceprotect.net work good with SpamAssassin (scoring system). http://stats.dnsbl.com/ keeps some ham/spam stats on various lists. ymmv. Problems arise when 'admin' gets hands on inexpensive anti-spam appliance that makes enabling blacklists a checkbox on a web form with little or no documentation about each list. Ken -- Ken Anderson Pacific Internet - http://www.pacific.net
Re: UCEProtect Level 3
On May 8, 2009, at 9:31 AM, Claus v. Wolfhausen wrote: Why do you believe people which are using Level 3 are not aware what it is doing? I am guessing the emails from uninformed victims wondering why their mail isn't getting through. Vigilantes always start out with the right intentions and then take it too far. One day you are going to filter the wrong AS. -Matt
Re: UCEProtect Level 3
Why do you believe people which are using Level 3 are not aware what it is doing? We have given a very detailed description how it works and also recommendations how to use it. See: http://www.uceprotect.net/en/index.php?m=3&s=5 Additionaly we are writing BIG FAT warnings also into the downloadable zonefile See: http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-3.uceprotect.net gz As you can see we don't make a secret out of what it is: A boycottlist. Therefore we have to assume that those which are using it for blocking do exactly know what they are doing. It clearly depends on where you are and where you expect mail from, if you can or cannot use it for blocking.According to Al Iverson's stats (which didn't get updated since summer 2008) it looks like it is not doing so much false positives if used in North America.See: http://stats.dnsbl.com/uce3 html If used in Germany, Austria or Switzerland it even looks better: See our stats: http://stats.uceprotect.net/week.html Of course it will almost always be necessary to use a whitelist in combination with ASN-Blocking. YMMV Claus von Wolfhausen UCEPROTECT-Network -Original Message- From: Raleigh Apple [mailto:rapple at rapidlink.com] Sent: Thursday, May 07, 2009 1:34 PM To: nanog at nanog.org Subject: UCEProtect Level 3 Is anyone else out there aware that the UCEProtect Level 3 email blacklist blocks entire AS? r
Re: UCEProtect Level 3
On Thu, May 7, 2009 at 3:10 PM, D'Arcy J.M. Cain wrote: > It is. I understand what they are trying to do but we were cut off > from some places because someone else in the huge upstream we are with > did something that appeared to be spam. It's too broad of a brush. It's not the tool or list itself, but the horrible manner in which someone chose to use the list. Those places who chose to perform cut offs blindly based on the listing are responsible, and have their own users to answer to.. The UceProtect L3 website displays a very prominent admission of guilt (they are open about their listing criteria): "This blacklist has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users when used to block email." So there should be little ignorance on the matter by users. The value of the list is heuristic, for scoring, e.g. SpamAssassin score, and use of the list should be combined with an informed decision, before blocking mail from a sender based on it. Under those conditions, lists like that can be quite useful. If you try hard enough, you can find virus scanners that identify clean system-critical files as possible malware, and firewalls that identify normal surfers as evil hackers... If you have that software and didn't do the research, that's your problem. If you have that software and set it to automatically delete files, or if you have the overzealous firewall and you wrote a script to IPban based on firewall log, the firewall is not responsible for _that_ problem. The list/tool provider is only an accomplice, to the extent that they misinform you, or encourage you to use the list/tool in a poor way given the tool's limitations -- -J
RE: UCEProtect Level 3
We had complaints about our entire ASN being listed too, due to a bunch of infected hosts in a sub-allocated /23 (out of our nearly /16 of space). The best part is they don't bother to report the abuse, they just block the entire ASN, not terribly productive. John van Oppen Spectrum Networks LLC Direct: 206.973.8302 Main: 206.973.8300 Website: http://spectrumnetworks.us -Original Message- From: Skywing [mailto:skyw...@valhallalegends.com] Sent: Thursday, May 07, 2009 10:31 PM To: Suresh Ramasubramanian; Raleigh Apple Cc: nanog@nanog.org Subject: RE: UCEProtect Level 3 I seem to recall that Mailstreet/MXlogic firewalls off (not rejects at SMTP level) any AS listed in UCEProtect, at least of about a year or so ago. - S -Original Message- From: Suresh Ramasubramanian Sent: Thursday, May 07, 2009 22:25 To: Raleigh Apple Cc: nanog@nanog.org Subject: Re: UCEProtect Level 3 On Fri, May 8, 2009 at 12:04 AM, Raleigh Apple wrote: > Is anyone else out there aware that the UCEProtect Level 3 email blacklist > blocks entire AS? > Is there anyone out there aware of any significant (or larger than 'man and his dog on a DSL') mail provider using UCEPROTECT? -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: UCEProtect Level 3
On Fri, May 8, 2009 at 11:00 AM, Skywing wrote: > I seem to recall that Mailstreet/MXlogic firewalls off (not rejects at SMTP > level) any AS listed in UCEProtect, at least of about a year or so ago. > > - S > I would be very surprised indeed if MX Logic did something like that. srs
RE: UCEProtect Level 3
I seem to recall that Mailstreet/MXlogic firewalls off (not rejects at SMTP level) any AS listed in UCEProtect, at least of about a year or so ago. - S -Original Message- From: Suresh Ramasubramanian Sent: Thursday, May 07, 2009 22:25 To: Raleigh Apple Cc: nanog@nanog.org Subject: Re: UCEProtect Level 3 On Fri, May 8, 2009 at 12:04 AM, Raleigh Apple wrote: > Is anyone else out there aware that the UCEProtect Level 3 email blacklist > blocks entire AS? > Is there anyone out there aware of any significant (or larger than 'man and his dog on a DSL') mail provider using UCEPROTECT? -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: UCEProtect Level 3
On Fri, May 8, 2009 at 12:04 AM, Raleigh Apple wrote: > Is anyone else out there aware that the UCEProtect Level 3 email blacklist > blocks entire AS? > Is there anyone out there aware of any significant (or larger than 'man and his dog on a DSL') mail provider using UCEPROTECT? -- Suresh Ramasubramanian (ops.li...@gmail.com)
RE: UCEProtect Level 3
Anyone who reads their description of it would be: http://www.uceprotect.net/en/index.php?m=3&s=5 Are you one of the ASes they blacklist on that list? >-Original Message- >From: Seth Mattinen [mailto:se...@rollernet.us] >Sent: Thursday, May 07, 2009 11:44 AM >To: nanog@nanog.org >Subject: Re: UCEProtect Level 3 > >Raleigh Apple wrote: >> Is anyone else out there aware that the UCEProtect Level 3 email >> blacklist blocks entire AS? >> > > >http://lmgtfy.com/?q=uceprotect+level+3
Re: UCEProtect Level 3
On Thu, 7 May 2009 16:21:26 -0400 Rich Kulawiec wrote: > (a) This discussion should probably be happening someplace other > than NANOG (spam-l or mailop, perhaps?), and True. I didn't bring it up but this is my last post on the subject. > (b) If you feel that UCEProtect L3 paints with too broad a brush, > then you're certainly free not to use it. I happen to agree with you > on this particular level of this particular DNSBL for my particular > applications, so I don't use it either. However: I'm aware of other > folks who are using it quite effectively as *part* of a scoring system. I don't use it but my problem was that other ISPs whose clients were trying to email my clients were using it. -- D'Arcy J.M. Cain | Democracy is three wolves http://www.druid.net/darcy/| and a sheep voting on +1 416 425 1212 (DoD#0082)(eNTP) | what's for dinner.
Re: UCEProtect Level 3
On May 7, 2009, at 4:10 PM, D'Arcy J.M. Cain wrote: It is. I understand what they are trying to do but we were cut off from some places because someone else in the huge upstream we are with did something that appeared to be spam. It's too broad of a brush. Indeed. That is the sort of vigilantism that leads to filtering chaos. What happens when other ASNs start filtering the entire AS of UCEProtect's upstream(s) as a response? -Matt
Re: UCEProtect Level 3
We stopped using UCEProtect in most places recently after using for I think a year or two -- Level 2 was blacklisting giant-sized netblocks (ie, most Cablevision cablemodem IP Space, twice, as well as large chunks of AboveNet space, and that's just what I noticed). - Original Message - From: "Raleigh Apple" To: nanog@nanog.org Sent: Thursday, May 7, 2009 2:34:01 PM GMT -05:00 US/Canada Eastern Subject: UCEProtect Level 3 Is anyone else out there aware that the UCEProtect Level 3 email blacklist blocks entire AS? r
Re: UCEProtect Level 3
On Thu, 7 May 2009 13:43:14 -0500 "Aaron Wendel" wrote: > Yes. Is that a problem? It is. I understand what they are trying to do but we were cut off from some places because someone else in the huge upstream we are with did something that appeared to be spam. It's too broad of a brush. -- D'Arcy J.M. Cain | Democracy is three wolves http://www.druid.net/darcy/| and a sheep voting on +1 416 425 1212 (DoD#0082)(eNTP) | what's for dinner.
Re: UCEProtect Level 3
On 2009/05/07 08:34 PM Raleigh Apple wrote: Is anyone else out there aware that the UCEProtect Level 3 email blacklist blocks entire AS? Yes. We don't use them anymore.
Re: UCEProtect Level 3
Raleigh Apple wrote: > Is anyone else out there aware that the UCEProtect Level 3 email > blacklist blocks entire AS? > http://lmgtfy.com/?q=uceprotect+level+3
RE: UCEProtect Level 3
Yes. Is that a problem? -Original Message- From: Raleigh Apple [mailto:rap...@rapidlink.com] Sent: Thursday, May 07, 2009 1:34 PM To: nanog@nanog.org Subject: UCEProtect Level 3 Is anyone else out there aware that the UCEProtect Level 3 email blacklist blocks entire AS? r