We are sorry you are having issues with UCEPROTECT.


Not many companies use UCEPROTECT (and definitely not providers like Google or Yahoo), so you’ve most likely been made aware of this issue by a blacklist scan(ner), and not because of your emails being rejected. In most cases, you can simply ignore the listing, as it won’t have any affect on your server.

Having said that, we would like to explain why there are so many listings on UCEPROTECT. In early 2021 they changed their criteria, which has led to many more blacklistings. To understand why, it is necessarry to look at their criteria in some detail. If you simply want to know what this means for you, please skip the following technical part.

----- Technical Information -----

UCEPROTECT is a DNS-based blacklist that can be used by any mail server to filter or even outright reject emails. It has three different levels that can be checked:

Level 1: lists individual IPs that were observed sending emails to spamtraps, or being involved in network abuse. These are automatically delisted 7 days after the last impact. (impact = a spamtrap hit or network abuse hit).

Level 2: Lists a /24 range (with 256 IPs) when there have been 4 or more impacts from IPs within that range, or up to a /15 range (with 131,072 IPs) when there have been 141 or more impacts from within that range.

Level 3: Lists all IPs from a single network (ASN) when there have been a certain amount of impacts within that network. This amount is based on the total amount of IPs the network has.

In early 2021 the criteria for both level 2 and level 3 were changed. In both cases, the changes have resulted in many more ranges and entire networks being listed.
Source: http://www.uceprotect.net/en/index.php?m=12&s=0

* Level 2 Criteria
For level 2, the criteria used to be that 5 or more single IPs being listed on level 1 would cause a /24 level 2 listing. On February 8th, 2021, that was changed to be 4 or more impacts. This means a single IP that has 4 impacts can cause the entire /24 it is part of to become listed on level 2.

Due to this change, there are a lot more /24 ranges, and even some /16 or /15 ranges, that are listed on level 2, and it is much harder to prevent that from happening.

* Level 3 Criteria
In the past, a level 3 listing would occur when 0.2% or more of all IPs from that network got listed on level 1. This meant that there were few level 3 listings. On January 18th, 2021 that policy was changed to 0.02% (a tenfold decrease in the amount of IPs needed to cause a level 3 listing). Due to this change, a large amount of companies, including many of our competitors, suddenly found themselves listed on level 3.

Naturally, this caused quite a commotion within the webhosting and anti-abuse communities. On February 8th, 2021, UCEPROTECT decided to again change the criteria for level 3. Now, the important statistic is impacts. If there are more impacts than 0.05% of total IPs, the entire network is listed on level 3.

For reference, the complete list of networks that are listed on level 3 can be seen here:
http://www.uceprotect.net/en/l3charts.php

UCEPROTECT themselves admit that level 3 is "draconic" and "will cause collateral damage to innocent users when used to block email". That is why they recommend using it in a scoring system, and not to outright reject emails.
Source: http://www.uceprotect.net/en/index.php?m=3&s=5

----- Impact for Backlayer -----

Due to these changes, a single IP can cause an entire /15 (with 131,072 IPs) to become blacklisted on level 2. In fact, a handful of IPs with a lot of impacts can cause our entire network (with over 2 million IPs) to get blacklisted on level 3. This is something we have seen happen, and it goes to show how broken the system is. The amount of false positives is astounding.

We monitor UCEPROTECT on a daily basis, and we take action against IPs that get multiple impacts. However, we have observed numerous times that even though an IP was locked, and there is no network traffic on it, UCEPROTECT continues to see impacts from it. This should not be possible.

Unlike most other blacklists where IPs are automatically delisted after a few hours or days, or where IPs can be manually delisted, on UCEPROTECT IPs are listed until a week after their last impact. This means that there are individual listings that have long since been resolved, that are still impacting level 2 and level 3 listings. The only option to delist IPs earlier is to pay UCEPROTECT for express delisting, but we cannot support such a system in good conscience.

The three issues mentioned above mean we cannot guarantee IPs won’t be blacklisted on level 2 as part of a larger network, or even on level 3 as part of our entire network. It also means we cannot offer an easy or quick solution.

Not many companies or mail servers use UCEPROTECT. However, if you are having issues with your emails being rejected, please contact those recipients via other means, and advise them of the change in criteria for level 2 and 3, and the recommendation of UCEPROTECT itself not to use level 2 or 3 to outright reject emails.

Final Conclusions

UCEProtect is a blocking list that is losing more and more credibility due to its removal and also blocking method, little by little it is being less and less used by servers and Internet providers as a parameter to block email.

If you have any difficulties or if you have any suggestions of things that have not been mentioned, you can write us here 

Was this answer helpful? 1240 Users Found This Useful (0 Votes)