Best of 2021 – UCEPROTECT: When RBLs Go Bad

As we shut out 2021, we at Security Boulevard needed to focus on the preferred articles of the yr. Following is the following in our collection of the Best of 2021.

Realtime Blackhole Lists (RBLs) generally is a useful gizmo in your safety arsenal. You might not know you’re utilizing them, however all electronic mail suppliers and firm electronic mail servers leverage these companies to confirm whether or not servers and IP addresses are sending spam or different abusive content material towards a identified record of offenders.

These companies use a quantity of strategies to compile lists of IP addresses reputed to ship spam, principally populating them utilizing honeypots drawing them in with “poison” electronic mail addresses to behave as victims. They leverage the DNS service usually identified for routing site visitors by changing Domain names into IP addresses. In this context, RBLs function a helpful database of identified abusive IP addresses that you simply in flip can “blackhole” as a nasty response is given a loopback handle by the RBL. has a very good quick clarification and historical past of the expertise.

Usually, we don’t take care of Realtime Blackhole Lists whereas managing the WAF — they’re extra associated to electronic mail, and solely often will our malware elimination workforce might must make elimination requests for a shoppers’ internet hosting servers IP addresses as half of the remediation course of.

That being stated, a big quantity of our shoppers have just lately reported seeing DNS warnings from MXToolbox whereas utilizing our product.

After an intensive investigation, we found that the RBL supplier uceprotect[.]web has listed a variety of IPs (together with our personal) as notable reputed spammers, even if many servers should not even arrange or succesful of sending electronic mail content material.

To assist make clear the problem and supply insights for anybody receiving warnings from UCEPROTECT, right here’s a deep dive into the scenario with a bit of background context on utilizing and troubleshooting RBLs thrown in for good measure.

Using RBLs to Block Spam

RBLs have been round for about 25 years.

There are a big quantity of RBLs at the moment in existence which all leverage a big selection of standards for itemizing and delisting addresses. Normally, you’ll wish to use 3 or extra revered RBLs to determine and block spam.

Most seemingly, nevertheless, you’ll don’t have any selection if you’re utilizing an anti spam product in both your electronic mail consumer or on the e-mail server itself, since preset RBLs are sometimes designated as half of their filtering course of.

Checking RBLs for Listings

A big quantity of instruments are available to automate checking if your individual server and even dwelling ISP connection has been listed by one of these RBLs.

The mostly used answer is MXToolbox, which can also be obtainable as an API and exams a mail server IP handle towards 86 DNS based mostly RBLs.

If you’re checking a big quantity of servers or IP addresses for RBL itemizing, chances are you’ll wish to subscribe to MXToolbox, RBLmon (, or another comparable service. You may additionally script one thing to examine an inventory of domains towards an inventory of most popular RBLs.

I’ve discovered very adaptable, and personally use the bash script here, which permits me to examine a full Class C IP vary (256 addresses) in lower than 5 minutes towards 5 respected RBLs.

UCEPROTECT: A Blocklist Scam

As mentioned briefly within the introduction, I just lately witnessed some unhealthy behaviour from the RBL supplier uceprotect[.]web.

Over the weekend, I obtained 2 warnings from RBL monitoring companies.

UCEPROTECT Level 1 Warning

Notice this assertion:

It means abusive exercise was seen from IP straight inside the final 7 days.”


Concrete allegation:

Portscans or hacking makes an attempt have been seen towards an UCEPROTECT-System from IP”

This is actually unattainable. is the general public IP handle of our Sucuri WAF, which forwards requests by way of a again finish IP handle to our shoppers internet hosting server. Our public IPs are by no means seen to make requests — they solely ever settle for requests, it’s the best way our AnyCast community works.

In this context, I actually don’t assume these guys perceive what concrete means.

Payment in Return for “Express Delisting”

Here’s their recommendation on eradicating the blocklisting:

Mostly contaminated PC’s but additionally potential an hacker that has damaged into their system are the rationale on this case.

They ought to examine all programs behind their IP with an precise Ant-ivirus/Anti-Trojan/Anti-Rootkit device.”

We are sure there is no such thing as a malware on our servers, we’ve a world class popularity for stopping and figuring out malware. It could be nice at this level if they’d given us some clue as to why they assume this and publicly claiming {that a} hacker has damaged into our server.

And though they’ve given us no proof on the allegation or supplied extra info on the malware detected, they do have an alternative choice:

Express delisting ransom payment

An “Express delisting” choice button is out there, which takes us to the next message:

How can the IP be faraway from UCEPROTECT-Level 1?

Every IP short-term listed at Level 1 will probably be eliminated robotically (and free of cost) as quickly as it’s not a supply of abuse for 7 days.

Automatic expiration is free of cost, as a result of it doesn’t require guide work.

If you don’t wish to await expiration, expedited specific delisting of this IP from Level 1 will be optionally obtainable at a  cost through the use of one of the payservicebuttons above.

Orders for expedited specific delisting are processed by exterior service suppliers, therfore it can’t be supplied at no cost.

Please additionally word that specific delisting solely is smart after the issue which precipitated the Level 1 itemizing is mounted.

If the issue isn’t mounted, it’s principally only a query of time till the IP may find yourself listed in UCEPROTECT Level 1 once more.

Basically what this implies is in case you don’t wish to wait 7 days to be taken off their record, you possibly can pay 89 CHF (about $100) and to cowl their price of them urgent a delete button. By their very own admission there is no such thing as a due diligence concerned on this elimination, as chances are you’ll be relisted if you’re later discovered to be nonetheless abusing their programs.

They justify utilizing an exterior service supplier as a proof for why the service can’t be supplied at no cost — as a result of you understand they’d actually like to supply this specific service at no cost, you possibly can simply really feel it.

Further down the web page, we’ve one other warning that’s utilized to the entire subnet, giving an RBL itemizing to 255 neighbouring IP addresses:

The first paragraph continues justifying the itemizing, though they now declare it’s resulting from extreme spamming.

According to the desk above allocations get listed at Level 2 if there are too many Level 1 listings (spam sending IP’s) in that ranges and too many Impacts have been counted.

In different phrases: One or a number of networks which your IP belongs to have ship an excessive amount of spam inside the final week.”

Remember, none of these IP addresses are incapable of sending electronic mail. Here within the subsequent paragraph, they contradict themselves, saying it was your IP that was spamming:

Who is answerable for this itemizing?

You and the opposite Level 1 listees inside that vary. Your IP was additionally seen in a spamming, so you possibly can’t declare to be harmless.”

Threats & Security Issues

There are lots of different unconventional and eyebrow-elevating claims on their web site. For instance, on the Removal Policy tab, the subpages embrace the next the warning:

RBL Warning Doxing

Their banner informs website guests that in case you complain about their behaviour and notify them of any impending authorized motion, they may each dox you and feed your electronic mail handle to spammers electronic mail scrapers, in addition to record the IP handle that you simply contacted them from. Not very GDPR compliant.

And whereas we’re on the topic of GDPR compliance and safety on the whole, the proprietor of this firm has a quantity of associated websites, none of which have SSL enabled. While that isn’t a problem if there is no such thing as a login portal, the location is described to be supposed for “Executive members” and does have a cleartext login that requires a username and password. And all operating on a 20-yr-previous working system and 17 yr previous model of PHP, which supply a very good indication of their safety practices — or lack thereof.

Improper security on login no SSL

You may assume that that is some remoted incident, however sadly it’s not.

I’ve had a server for over 6 years on the identical IP handle with a properly-identified internet hosting firm that I exploit for private tasks and testing, and it’s price noting that this server can also be incapable of sending electronic mail — I’ve port 25 (the service which servers use to relay emails) totally blocked, because it attracts consideration and fills up my logs with failed login makes an attempt. That doesn’t stop UCEPROTECT from itemizing that IP as malicious on their RBL as properly.

Level 3 Blacklisting UCEPROTECTTo date, UCEPROTECT has blocked a complete of 2404096 of Sucuri’s IP addresses resulting from a declare that 937 spam emails have been despatched in over every week interval.

Our IPs aren’t the one ones impacted by this malicious RBL, nevertheless. They have additionally blocked Barracuda’s email servers, a extremely revered safety firm. Warnings about UCEPROTECT can be discovered from respected sources together with KonTech, Linode, TitanHQ, spiceworks, and Word to the Wise, together with discussions about their most up-to-date marketing campaign on Twitter.


Monitoring your individual servers and IPs is nice apply. It will be an early warning that you’ve some unhealthy behaviour occurring in an workplace, an contaminated workstation sending out spam, and may clarify emails you despatched going lacking.

That being stated, I strongly encourage web site homeowners to disregard realtime blackhole listings the place cost for elimination is required. Many firms have already blocked the UCEPROTECT server globally, as they’re famend for his or her shady techniques and false positives.

Don’t be delay utilizing good RBLs for his or her appropriate goal, even the nice ones will typically make a mistake — an actual false constructive — however they appropriate it with out fuss and don’t maintain your popularity for ransom.

Related Posts