
Robbery In Broad Daylight: UCEPROTECT

Date: 2024-05-04 00:29

CONTENT WARNING: This post discusses sensitive topics, including misogyny. Reader discretion advised.

If you've ever gone to set up a mail server (which is no easy task), you've likely run MxToolbox's Blacklists tool.

And, if your mail server is located on one of several different cloud computing, VPS, whatever you wish to call it, services, you may have noticed that you've been blocklisted by someone called UCEPROTECT. Naturally, you will think that you messed up your config (maybe SPF, DMARC, or reverse DNS weren't set up correctly), so you look at their website. And what a relic of the 2000s that website is. What you have just uncovered is a massive extortion scheme that has been operating for several years now, and has remained underground for the most part. This rabbit hole goes quite deep, so get ready to jump inside of it. I hope you don't mind dirt.

Who Is UCEPROTECT?

According to their website, UCEPROTECT was founded way back in 2001 with the goal of eliminating spam by creating a publicly available DNS blacklist. While they started by operating like a standard blocklist (simply blocking known bad IP addresses), they switched to a slightly...unconventional tactic for blocking spam. This tactic has become the stuff of legend, and also has led to a lot of, shall we say, fallout between both the company and its 'customers'. I'm talking, of course, about their levels of IP blocking.

How UCEPROTECT Operates

When a spammer is reported to UCEPROTECT, the IP address of its mail server gets blocked. This is as conventional as it gets; however, this IP address gets designated a "Level 1" block, which is a direct IP ban. What UCEPROTECT then does is far from conventional.

Once the initial IP address is blocked, the entire IP address range (specifically the /24 subnet) is blocked as well, meaning all 255 IPs in that range are given a "Level 2" block.

This is, shall we say, a very aggressive strategy. I should probably clarify that not every bad IP address leads to an entire L2 block. This only happens after repeated L1 blocks in that IP range. In theory, this sounds like a pretty good system: block an IP range if it has a history of spam, and everyone's happy. Except not really. This underhanded technique catches a lot of innocent bystanders. Users who just want to run genuine servers are forced into paying (spoiler alert!) for removal from their blacklist, because of someone else sending spam.
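To make the L1/L2 escalation concrete from a defender's side, here is an added example (not UCEPROTECT's code): it builds the reversed-octet name a DNSBL client resolves, groups L1 hits by /24, and shows how an address that was never reported ends up listed anyway. The zone name, the sample reports and the escalation threshold are all constructed for this illustration; the page does not give the real threshold.

```python
"""Added example: how a level-based DNSBL sweeps up innocent neighbours."""
import ipaddress
from collections import Counter

ZONE = "dnsbl.example.invalid"  # placeholder zone, not a real DNSBL

# Constructed sample: each entry is an address that received an L1 listing.
L1_REPORTS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.7"]
L2_THRESHOLD = 3  # assumed: L1 hits in one /24 before the whole /24 is listed


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the name a DNSBL lookup resolves: octets reversed, zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def level2_subnets(l1_reports, threshold=L2_THRESHOLD):
    """Return the /24 networks (256 addresses each) that escalate to an L2 listing."""
    counts = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip in l1_reports)
    return {net for net, n in counts.items() if n >= threshold}


def listing_level(ip, l1_reports=L1_REPORTS, threshold=L2_THRESHOLD):
    """'L1' if the address was reported itself, 'L2' if only its /24 is listed, else None."""
    addr = ipaddress.IPv4Address(ip)
    if ip in l1_reports:
        return "L1"
    if any(addr in net for net in level2_subnets(l1_reports, threshold)):
        return "L2"  # innocent bystander: blocked because of its neighbours
    return None


def collateral_count(l1_reports=L1_REPORTS, threshold=L2_THRESHOLD):
    """How many never-reported addresses an L2 listing takes down with it."""
    swept = 0
    for net in level2_subnets(l1_reports, threshold):
        reported = sum(1 for ip in l1_reports if ipaddress.IPv4Address(ip) in net)
        swept += net.num_addresses - reported
    return swept


if __name__ == "__main__":
    for ip in ["203.0.113.10", "203.0.113.200", "198.51.100.7", "198.51.100.8"]:
        print(ip, dnsbl_query_name(ip), listing_level(ip))
    print("innocent addresses swept up by L2 listings:", collateral_count())
```

In the constructed sample, three reports in 203.0.113.0/24 cross the assumed threshold and list the remaining 253 addresses of that subnet, while the lone report in 198.51.100.0/24 stays an L1 listing of one address.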

It Gets Worse: L3 Blocking

If you thought it would stop at IP ranges extrapolated from L1 blocks being themselves blocked, you'd be wrong. Almost every hosting provider has all of its IP addresses placed under an L3 blacklist. According to some random people on the Internet that I cannot find, about half of the entire Web is blocked under their L3 blocklist. This is, as you can imagine, problematic. It makes it almost impossible to not end up on a blacklist, since most major companies rely on such providers for their server needs; AWS hosts 1/3 of all Internet traffic, for instance.

It Gets WORSE: Paid Removal

If you visit the 'Removal Policy' section of their website, you find yourself being funneled into a website they run called Whitelisted, which allows you to pay just 25 CHF per month to get your IP address removed from their systems. Holy traffic funnel, Batman!

No, your eyes do not deceive you. Yes, they really are charging the equivalent of £22.01 or $27.62 to have your IP address removed from their servers. And if you have multiple mail servers, not even the Bat-Gods can save you.

For the record, a Netflix subscription is £17.99 for the highest plan, which is £4 less than the fee, meaning you can spin up a new server with a VPS server AND get a Netflix subscription if you pay that much money! Then again, UCEPROTECT will have blocked your hosting provider as well, so you're screwed either way.

The Worse Keeps On Coming: The .org Website

If you look at all of that and decide to investigate a little further, you'll find their .org website. The fact that they use PHP 4.3.8 on Windows 2000 probably doesn't inspire confidence. Furthermore, the fact that it has a login box and doesn't use HTTPS should make you run far, far away.

But it's the content of the website that reveals their attitude towards their business. Underneath their logo that looks straight out of 2001 you'll find a link titled 'For public amusement we have published stupidsters sending cart00neys here.' If you are curious enough to click on it, you'll find an archive of emails dating back to 2007 with people asking to be removed from the list followed by their, shall we say, less than respectful response, complete with PII.

The Worst Email I've Ever Read

The most recent email listed on this site is one of the most eye-opening things I've ever read, as it suggests so much with so little to say. I'll try to remain neutral in all of this, and I'd suggest you read it for yourself, since I may end up suggesting some things that may be considered to be allegations.

The email starts off on a 'high note':

It's been almost 10 years since someone was stupid enough to spam on our sponsors and cry over us and our methods. This time, however, we have a premiere: A Woman. Actually, it reads more like a brat than a woman, because she seriously thinks she can achieve something with us or our sponsors by threatening a shit storm on social media. Ultimately, something like this could be extremely expensive for a brat who believes that she has to regulate things emotionally rather than objectively.

They then make what can only be neutrally described as gender stereotyping:

We assume that her favorite color is PINK, and that's why we have shown her gurgles in PINK. Our comments are in black.

After this, the entire email's header data (with email address and mailserver censored) is included, including the recipient's full name. I will not demonstrate this here.

The entirety of the web page is essentially a massive targeted attack at someone who asked a simple question, and includes many, many insults about the individual's intelligence, moral character, and so on, with vague threats of a lawsuit. This is not how a real company operates, and it suggests two things:

  1. The company has no PR department. After all, no sane person would approve such vitriol.
  2. The company is run by a single person who is extremely ticked off by constructive criticism and will go to great lengths to fulfil their self-imposed standards for 'revenge'.

It could be argued that the web page could be submitted for a Surrealist art competition, where it would get placed second, only beaten by an AI-generated image of a cat with the text "this is not a cat".

They Also Sell Vapourware

Their website (the main one, not the .org) invites companies to purchase their spam detection software, which uses their servers to block spam emails. Going to the .com website cited there leads to a placeholder page promising that UCEPROTECT will be released soon.

Some More Food For Thought

Conclusion: Does This All Matter?

Does any of this matter? Well, not really. UCEPROTECT hasn't been respected for at least a decade now. Any sysadmin worth their salt will ignore them entirely, and no major email provider even considers their blocklist for their spam filters. There are plenty of other, more reliable spam lists out there, which do not use such aggressive techniques to make a quick buck off of people who don't know better and do not publicly insult those who voice genuine complaints.

But the 'cart00neys' section of their website does have a tangible impact, albeit a small one. Their conduct is unacceptable for a business with corporate sponsors, and I urge all companies associated with them to abandon ship. 20 years too late is better than never, right?