UCEProtect and GDPR fallout

First thing this morning I got an email from a client that they were listed on the UCEProtect Level 3 blacklist. Mid-morning I got a message from a different client telling me the same thing. Both clients shared their bounce messages with me:

550  Conexion rechazada por estar o167890x0.outbound-mail.sendgrid.net[167.89.0.0]:56628 en la DNSBL dnsbl-3.uceprotect.net (ver Your ISP LATINET – TELPAN COMMUNICATIONS/AS11377 is UCEPROTECT-Level3 listed for hosting a total of 193 abusers. See: http://www.uceprotect.net/rblcheck.php?ipr=167.89.0.0)

(Note: the IP is not my client’s IP, it’s the start of the /17 assigned to SendGrid.)
Basically, UCEProtect listed half of SendGrid’s IP space (167.89.0.0/18). Looking at the publicly available data, it appears that in the last 48 hours, there was a lot of mail to UCEProtect’s spamtraps from part of SendGrid’s IP space. If I had to guess, I’d say this was GDPR related, particularly given that UCEProtect is run out of Europe. In fact, if we look at the listing graph from UCEProtect’s own website this is really clear.

As of 4 PM PDT they’re up to 263 IPs listed.
This is, really, no big deal. UCEProtect is not very widely used. Of my two clients, one had 5 emails bounce and one had 150, well under 0.0001% of their sends. Unfortunately, a lot of folks worry about any blacklisting, without really understanding that the vast majority of blacklists have almost no effect on mail delivery. The only way a listing can hurt is if you’re trying to send to a domain that uses a blacklist.
UCEProtect is not widely used and most folks will see little to no effect on email delivery due to this escalation. With that being said, it’s probably time to talk a little bit about UCEProtect as a list.

What they say about their list.

The UCEProtect lists are primarily spamtrap driven, although there are people who can manually add IPs. They have automated escalations, where if there is a specific number of listings over a certain period of time, surrounding space is listed. There are 3 levels.

  • Level 1 is a single IP listing. These are the IPs that are sending mail to the UCEProtect spamtraps. These listings are both automated (more than 50 emails from a single IP to the spamtrap network) and manual.
  • Level 2 is per allocation. They’re not completely transparent about how they determine allocation (and as I’ll talk about a little later, there is evidence some of the data they’re using is out of date). Basically, if multiple IP addresses in a range are on the list within a 7 day period, then they list more than a single IP.
  • Level 3 lists every email in a particular ASN if there are more than 100 IPs and >.2% of all IPs in that ASN on Level 1. This is, in UCEProtect’s own words, a list that will cause collateral damage to innocent users

Listings expire automatically 7 days after the mail stops. Listees can pay a fee to get delisted faster.

What’s this got to do with GDPR?

For the 2 of your who haven’t used email in the past 3 days, there has been an explosion of privacy policy updates and notifications sent out over the last 48 hors or so. Many of these updates are going to addresses that haven’t been mailed in a while. Thus, we can expect a lot of senders saw an increased volume of spamtrap hits for their mailings.
UCEProtect’s own listing graph shows a spike in listings starting mid-day Friday. (CEST is 2 hours ahead of UTC).

What happened overnight?

Because of the automated escalation scheme, over 75,000 IP addresses belonging to SendGrid were listed on the UCEProtect Level 3 list overnight. The listing encompassed all IPs announced by AS11377. UCEProtect states this ASN belongs to LATINET – TELPAN COMMUNICATIONS. The ASN was officially registered to SendGrid in June of 2012. Best we can tell, there was a list circulated around in 2007 listing current ASN assignments. I have no idea why UCEProtect is using a list more than a decade old, where they can directly query ARIN for current data through a website, FTP or whois (whois -a ‘a 11377’). Whatever the reason, it doesn’t fill me with confidence in the accuracy of the list.
Now that we’re (almost?) done with GDPR notifications, I expect these listings to age off and go away in the next week.

The good news

UCEProtect listings are unlikely to have any real impact on email delivery. These lists are just not that widely used. I also know SendGrid is aware of the issue and are working with clients who write into support.
My advice for anyone who is worried about blacklists that don’t affect email.

  • Note: I chose this IP because it’s the first IP in the range assigned to the ASN and these IPs are generally never used to send mail for technical reasons.

Related Posts

Some email related news

A couple links to relevant things that are happening in email.
M3AAWG released the Help! I’m on a Blocklist! (PDF link) doc this week. This is the result of 4 years worth of work by a whole lot of people at M3AAWG. I was a part of the working group (“doc champion” in M3AAWG parlance) and want to thank everyone who was involved and contributed to the process. I am very excited this was approved and published so people can take advantage of the collective wisdom of M3AAWG participants.
In other announcements, Gmail announced today on their Google+ page that that they were putting a new “unsubscribe” link next to the sender name when mail is delivered to the Promotions, Social or Forums tab. This appears to be the official announcement of the functionality they announced at the SF M3AAWG last February. It likely means that all users are currently getting the “unsubscribe” link. What Gmail doesn’t mention in that blog post is that this functionality uses the “List-Unsubscribe” header, not the link in the email, but I don’t think anyone except bulk mailers really care about how it’s being done, just that it is.
Also today Gmail announced they were going to recognize usernames with non-Latin or accented characters in the name. Eventually, they claim, they’ll also allow people to get Gmail addresses with accented characters.

Read More

Reading between the lines

Reading between the lines an important skill in deliverability.
Why? Over the last few years there’s been an increasing amount of collaboration between deliverability folks at ESPs and ISPs. This is great. It’s a vast improvement on how things were 10 years ago. However, there are still ongoing complaints from both sides. There probably always will be. And it’s not like a blog post from me is going to fix anything. But I see value in talking a bit about how we can improve our ability to collaborate with one another.

Read More

I subscribed to what?

Tomorrow is GDPR day. That’s the day when the new Global Data Protection Regulations take effect in the EU. I’m sure everyone reading this blog has seen dozens, if not hundreds, of blog posts, articles, webinars, and guidance docs about how to comply. I’m not going to rehash it because, other folks know this better than me.
There are a some things I’m finding fascinating watching  this whole GDPR thing.
First, the number of companies who have my addresses and I don’t know why. Take Newsweek (yes, the magazine people). They’re sending GDPR notifications to my LinkedIn address. I can’t figure out why they’re harvesting / buying addresses from LinkedIn. Then there’s SALESmango who are some company that started spamming me a few years ago and refuses to accept unsubscribe request. They’re sending me opt-in requests. Yeah, no, go away. I told you to stop, but wow, you won’t.
Another interesting piece is just how much I’ve signed up for over the last 18 – 20 years I’ve been using this set of addresses. Wow. So much mail. And, generally, I thought of myself as relatively careful in who I gave email addresses to. I don’t normally go around dropping addresses into forms but even a couple a month adds up over 20 years.
Then there are the companies violating CAN SPAM in one way or another. Sending mail to unsubscribed addresses and refusing to include an opt-out link are the two things I’ve seen regularly. Yeah, no. I think it’s safe to say that if I’ve opted out from receiving your mail, you should probably put my data away in a dark closet and not touch it again. But.. but.. but… But nothing. Go away. As for the lack of an unsubscribe link, get over yourself. You’re not that special. I don’t think that this really is something that counts for exemption.
Also, is there an official template? So many of these emails look identical. I have to give credit to whomever did it first. Because if plagiarism is the sincerest form of praise, you have an entire industry praising you.
Finally, it’s been amusing to watch the general frustration with all the GDPR mail. It seems many people are getting tired of the deluge. That’s OK, though, it should end by Saturday. Or so we can only hope.
 

Read More