<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="EN-IN" link="blue" vlink="purple" style="word-wrap:break-word"> <div class="WordSection1"> May I suggest that you add as many more blocklists as you can (RBL is a specific blocklist founded by MAPS and now acquired by Trend Micro so that term isn�t used in the industry), as long as they are well maintained and conform to best practices. <o:p></o:p> <o:p> </o:p> Thanks<o:p></o:p> --srs <o:p></o:p> <o:p> </o:p> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"> From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Christian Teuschel <cteusche@ripe.net> Date: Tuesday, 9 March 2021 at 3:07 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] UCEPROTECT DNSBL possibly abusive practice and RIPEStat Blacklist entries widget<o:p></o:p> </div> <div> Dear colleagues, Thinking about a course of action - it looks there is an agreement to have more RBLs on RIPEstat. It would be good to have a list of candidates that the community feels would be useful. Once we have this list, we can perform a feasibility analysis and present this to the community. We can then take it from there. Let me know if this approach works for you. Best regards, Christian On 04/03/2021 17:16, Christian Teuschel wrote: > Hi Elvis and Suresh, dear colleagues, > > Putting exact numbers on how many operators are using UCEProtect is > difficult, but through feedback from users, network operators and > members we understand that it is in use and that the provisioning of > this RBL on RIPEstat has value. > > If I am reading the feedback in this discussion correctly, the sentiment > is leaning towards adding more RBLs instead of less and if that is the > case we are going to look into how and when we can achieve this. Please > let me know if that is aligned with your requirements/expectations. > > Best regards, > Christian > > On 04/03/2021 09:54, Elvis Daniel Velea wrote: >> Hi Christian, >> >> while it may be useful to have their data source, it only shows the RIPE >> NCC favors one or two operators and I think that is damaging to the >> whole idea of being impartial. >> >> You either include a good list of blacklist operators and their data or >> none. Including only a couple will lead to the impression that only >> those are important enough to be considered by the RIPE NCC. >> >> my 2 cents, >> Elvis >> >> On 3/3/21 8:27 AM, Christian Teuschel wrote: >>> Dear colleagues, >>> >>> RIPEstat is a neutral source of information and we aim to provide users >>> with access to as many data sources as possible to provide insights. >>> >>> UCEProtect was added as a data source prior to 2010 and is still used by >>> several network operators to filter traffic into their networks. >>> Including it as a data source in RIPEstat allows users to see whether >>> resources are included in their lists. >>> >>> RIPE NCC does not pay for, support or endorse their practices, although >>> we understand that continuing to include UCEProtect as a data source >>> could be misunderstood as such. We also do not use their lists to filter >>> traffic on our services. >>> >>> Our goal remains to provide the best visibility and tools for network >>> operators to diagnose their networks. We have also heard your feedback >>> regarding including more RBLs. It is something that we have considered >>> in the past, and we are open to revisiting this. >>> >>> RIPEstat is driven by the community. We would like to hear from you >>> about whether including UCEProtect as a data source is useful. >>> >>> Regards, >>> Christian >>> >>> On 02/03/2021 00:08, Kristijonas Lukas Bukauskas via anti-abuse-wg wrote: >>>> Hello, >>>> >>>> I noticed that RIPE NCC uses uceprotect-level1, uceprotect-level2 and >>>> uceprotect-level3 in RIPEStat Anti Abuse Blacklist Entries widget. >>>> >>>> There have been controversial positions about this blacklist recently: >>>> >>>> 1) >>>> <a href="https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security"> https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security</a> >>>> >>>> <<a href="https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security">https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security</a>> >>>> >>>> 2) <a href="https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html"> https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html</a> >>>> <<a href="https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html">https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html</a>> >>>> >>>> UCEPROTECT blacklists the whole range of IP addresses, including the >>>> full IP range of some autonomous systems: >>>> UCEPROTECT states, '/Who is responsible for this listing? YOU ARE NOT! >>>> Your IP was NOT directly involved in abuse but has a bad neighborhood. >>>> Other customers within this range did not care about their security and >>>> got hacked, started spamming, or were even attacking others, while your >>>> provider has possibly not even noticed that there is a serious problem. >>>> We are sorry for you, but you have chosen a provider not acting fast >>>> enough on abusers'/) [http://www.uceprotect.net/en/rblcheck.php >>>> <<a href="http://www.uceprotect.net/en/rblcheck.php">http://www.uceprotect.net/en/rblcheck.php</a>>]. >>>> It asks for a fee if some individual IP address wants to be >>>> whitelisted >>>> (http://www.whitelisted.org/ <<a href="http://www.whitelisted.org/">http://www.whitelisted.org/</a>>), >>>> It abuses people who decide to challenge their blacklist by publishing >>>> conversations in their so-called /Cart00ney/ >>>> (http://www.uceprotect.net/en/index.php?m=8&s=0 >>>> <<a href="http://www.uceprotect.net/en/index.php?m=8&s=0">http://www.uceprotect.net/en/index.php?m=8&s=0</a>>; >>>> <a href="http://www.uceprotect.org/cart00neys/index.html">http://www.uceprotect.org/cart00neys/index.html</a> >>>> <<a href="http://www.uceprotect.org/cart00neys/index.html">http://www.uceprotect.org/cart00neys/index.html</a>>). >>>> And the other type of threatening: <a href="http://www.uceprotect.org/">http://www.uceprotect.org/</a> >>>> <<a href="http://www.uceprotect.org/">http://www.uceprotect.org/</a>> >>>> Does RIPE NCC have any position on this specific blacklist? >>>> >>>> Thank you! >>> >> >> > -- Christian Teuschel RIPE NCC | @christian_toysh<o:p></o:p> </div> </div> </body> </html>