Block Spam in Outlook | DNSBL Blog           



More DNSBL Inclusion Policy Confusion - UCEPROTECT

UCEPROTECT is yet another DNS Blacklist. They track IP addresses possibly involved with spam. Email server administrators can then configure their servers to block messages originating from listed addresses.

I started paying attention to them because they seemed to be correctly tagging a lot of spam email that other DNSBL lists (and SpamButcher) were missing. As a spam filter author, I'm very interested in new methods of blocking junk mail. A little further research seemed in order.

Recently, I wrote an article on some ambiguities in the CBL's (Composite Blacklist) inclusion policy. Does UCEPROTECT have similar issues?

Let's take a look at an excerpt from the UCEPROTECT Level 1 policy:

Level 1 does exclusively list IPs with either wrong or missing or generic reverse dns (PTR), or dialups, or machines with exploitable security holes (for e.g. open proxy's, open relays, vulnerable webservers, virus infected machines) or which are using abusive techniques or which assigned to well known spammers.

If one of these conditions is fulfilled, and only one spamtrap is hit from such a system, its IP will become listed at UCEPROTECT Blacklist Level 1 automatically.

The English is a bit rough (they're German) - but it's not too hard to decipher.

To be listed, an IP address has to both be inherently suspicious (like being a dial-up or missing reverse DNS information) and have sent email to a spamtrap.

Later in the page they also mention that hitting a spamtrap over 50 times, or being the source of a spam message reported by a UCEPROTECT member, can get an address listed.

I like this approach. Some IP addresses are definitely more suspicious than others, but you wouldn't want to filter mail from them without a little further evidence (like seeing some spam from them).

Next step in my research was to download the actual UCEPROTECT database.

I came across this disclaimer in the first part of the file:


THIS IS UCEPROTECT-BLACKLIST LEVEL 1

It lists OPEN RELAYS, PROXYS, DIALUPS, SPAMMERS or Systems without R-DNS

BE WARNED: USING LEVEL 1 MIGHT ALSO BLOCK A FEW LEGAL MAILS !

WE DID OUR BEST TO PREVENT FALSE POSITIVES - BUT NOBODY IS PERFECT

If you cannot risk losing legal Mail you should not use any Blacklist.

What? No mention of spamtraps?

From the sound of it, any system that's a dialup or lacks proper reverse DNS (R-DNS) could be listed in the database without meeting any other criteria.

While you could make a strict logical argument that this statement doesn't technically contradict the stated policy, it certainly gives you a different impression about the contents of the list.

Which statement correctly represents the content of UCEPROTECT Level 1? Who knows.

Blacklist operators seek to perform a public service. Their efforts would be all the more successful if they provided better documentation regarding their inclusion policies.

Without a good understanding of a blacklist's real inclusion policy, it's impossible for a server administrator to determine if using it would be appropriate for their configuration or not.
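
When the documentation leaves the question open, an administrator can measure the list against mail that has already been classified before using it to block anything. The sketch below is an added example, not code from SpamButcher or UCEPROTECT; the list format (one IPv4 address or CIDR per line, `#` comments) and all sample addresses and verdicts are assumptions constructed for illustration.

```python
import ipaddress

# Constructed list excerpt. Assumed format: one IPv4 address or CIDR per line,
# '#' starts a comment; the real file layout is not shown in the article.
SAMPLE_LIST = """\
THIS IS A CONSTRUCTED HEADER LINE
# documentation-range addresses only
192.0.2.10
192.0.2.44
198.51.100.0/28
"""

# Constructed history: (connecting IP, verdict already assigned to the message).
SAMPLE_HISTORY = [
    ("192.0.2.10", "spam"),
    ("192.0.2.44", "ham"),       # legitimate sender that happens to be listed
    ("198.51.100.7", "spam"),    # inside the listed /28
    ("198.51.100.200", "spam"),  # spam source the list does not cover
    ("203.0.113.5", "ham"),
    ("203.0.113.9", "ham"),
]

def parse_list(text):
    """Return listed networks, skipping blanks, comments and non-address lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # disclaimer/header text or a malformed entry
    return nets

def audit(history, nets):
    """Tally what blocking on the list would have done to classified mail."""
    stats = {"spam": [0, 0], "ham": [0, 0]}  # verdict -> [listed, total]
    for ip, verdict in history:
        addr = ipaddress.ip_address(ip)
        stats[verdict][0] += any(addr in net for net in nets)
        stats[verdict][1] += 1
    return {
        "spam_caught": stats["spam"][0] / max(stats["spam"][1], 1),
        "ham_blocked": stats["ham"][0] / max(stats["ham"][1], 1),
        "ham_blocked_count": stats["ham"][0],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HISTORY, parse_list(SAMPLE_LIST)))
```

The `ham_blocked` figure is the one that matters for the decision: it is the share of known-good mail that blocking on the list would have rejected.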
