smicallef / spiderfoot

SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
http://www.spiderfoot.net
MIT License

UCEPROTECT is a known extortionist list #1173

Closed mrcbax closed 3 years ago

mrcbax commented 3 years ago

UCEPROTECT has been known to arbitrarily list large blocks of IP addresses simply because a single server sent an email to one of their spam traps. Because of this, every Linode, AWS, DigitalOcean, etc. IP address is listed in their RBLs.

UCEPROTECT attempts to extort sysadmins by requesting payment for whitelisting from the blocklist.

They withdrew from the IETF, a regulating body for RBLs, after they determined that accepting payment for delisting is a major conflict of interest: https://mailarchive.ietf.org/arch/msg/asrg/aMzK5StZaPvampQtU5iu0fO-ojM/

You can read more about its many issues in several places:

https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html

https://en.wikipedia.org/wiki/Talk:Comparison_of_DNS_blacklists#Noting_issues_with_UCEPROTECT

https://www.linode.com/community/questions/2324/uceprotectnet-has-us-blacklisted

https://www.titanhq.com/blog/warning-ignore-pay-for-de-listing-blacklist-service/

https://community.spiceworks.com/topic/2170592-uceprotect-blacklist-scam

https://wordtothewise.com/2018/05/uceprotect-gdpr-fallout/

http://kontech.net/uceprotect-blacklist-scheme-2020/

https://twitter.com/search?q=uceprotect

https://www.lowendtalk.com/discussion/comment/3204705

bcoles commented 3 years ago

Thanks for the heads up. This is interesting.

Knowing that a domain / IP is on the UCEPROTECT blacklist is still useful information, even if their reasoning for blacklisting may or may not be dubious.

The sfp_uceprotect module reports matches as BLACKLISTED_* events (not MALICIOUS_* events). This is the most accurate event data type (of the available data types).

We don't have a data type for objects which are reported as blacklisted / malicious but are probably false positives and I don't think it would make sense to add one. I think there's more value in keeping this module than removing it.

As per all OSINT activities, it is up to the analyst to verify whether source data is relevant or a false positive.
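As an added example, not code from SpiderFoot or the sfp_uceprotect module, the block below shows the mechanics behind the distinction bcoles draws: a DNSBL is queried by reversing an address and appending the list's zone, a hit is an A record in 127.0.0.0/8, and the result is recorded as a BLACKLISTED_* observation that still needs analyst verification rather than a MALICIOUS_* finding. The zone name `dnsbl.example.invalid`, the `CONSTRUCTED_ANSWERS` table and the `fake_resolve` function are constructed for offline use; `live_resolve` is the shape a real lookup would take.

```python
"""DNSBL lookup that records a hit as 'blacklisted', not 'malicious'.

Added example, not part of SpiderFoot. The zone and the answers below are
constructed; real lists use their own zones and return-code conventions.
"""
import ipaddress
import socket
from typing import Callable, List, Optional

# Constructed zone for the example (assumption, not a real blocklist).
EXAMPLE_ZONE = "dnsbl.example.invalid"

# DNSBLs signal "listed" with an A record inside the loopback block.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = EXAMPLE_ZONE) -> str:
    """Build the DNSBL query name: octets (IPv4) or hex nibbles (IPv6)
    of the address in reverse order, followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        parts = reversed(addr.exploded.split("."))
    else:
        parts = reversed(addr.exploded.replace(":", ""))
    return ".".join(parts) + "." + zone


def check_ip(ip: str, resolve: Callable[[str], List[str]],
             zone: str = EXAMPLE_ZONE) -> dict:
    """Query one DNSBL for one address and classify the answer.

    - no answer            -> not listed, no event
    - answer in 127/8      -> BLACKLISTED_IPADDR event, verified=False
    - answer outside 127/8 -> error (wildcard or dead zone), no event
    """
    qname = dnsbl_query_name(ip, zone)
    answers = resolve(qname)
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    if answers and not codes:
        # A parked or wildcarded zone answers for everything; treating that
        # as a listing would flag every address checked.
        return {"ip": ip, "zone": zone, "event": None,
                "error": f"unexpected answer {answers} for {qname}"}
    event: Optional[dict] = None
    if codes:
        # A listing is a third party's claim about the address (and some
        # lists cover whole netblocks), so it is recorded as blacklisted,
        # left unverified, and never promoted to a MALICIOUS_* type here.
        event = {"type": "BLACKLISTED_IPADDR", "data": ip,
                 "source": zone, "codes": codes, "verified": False}
    return {"ip": ip, "zone": zone, "event": event, "error": None}


# Constructed resolver responses so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.dnsbl.example.invalid": ["127.0.0.2"],   # listed
    "5.113.0.203.dnsbl.example.invalid": ["198.18.0.1"],  # bogus wildcard
}


def fake_resolve(qname: str) -> List[str]:
    """Stand-in for DNS: returns the constructed answers, [] for NXDOMAIN."""
    return CONSTRUCTED_ANSWERS.get(qname, [])


def live_resolve(qname: str) -> List[str]:
    """Real lookup using the system resolver; NXDOMAIN becomes []."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(check_ip(ip, fake_resolve))
```

Swap `fake_resolve` for `live_resolve` and the zone for a real list to run it against DNS. The `verified: False` field is the point of the example: the lookup tells you an address is on a list, and only the analyst's follow-up can say whether that listing means anything.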

mrcbax commented 3 years ago

Understandable. I figured that was the case. Just wanted to make sure someone dealing with this project was aware.