Question asked by SmarterUser - May 2, 2015 at 7:15 AM
I'm seeing that nearly every message we receive is flagged with UCEProtect Level 2 and UCEProtect Level 3.  Are others seeing the same thing, or am I just operating in the dark fringes?  :-)
Related to that, can someone explain to me what the Enabled option is for next to Required Lookup Value for RBLs/URIBLs?  I don't really understand the effect it has.

Joe Wolf Replied
May 2, 2015 at 2:36 PM
I'm going to express my opinion... take it or leave it.
There's nothing wrong with using UCEProtect Level 1, but to use Level 2 or 3 is completely irresponsible and illogical.  
For an IP Address to be on Level 1 they need to have actually sent spam. Nothing wrong with that.
Level 2 blocks large blocks of IP Addresses if there happens to be a spammer within that block of IP Addresses.  So they block servers that have never sent any spam but UCEProtect considers them guilty by association.  UCEProtect warns that Level 2 should only be used for very strict spam filtering and that you will block valid messages if you use this level.  
Level 3 is insanity.  UCEProtect even WARNS you that this is for "Draconic" spam filtering and "NOTE: By using Level 3 for blocking, be prepared to lose some required mails too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!".  
UCEProtect is misused so much that many accuse them of nothing short of extortion.  If you happen to have a server inside a data center and the entire ASN is blocked by Level 3 (which is very common) you must pay to have your IP Address whitelisted.  
I am all for blocking spammers, but Level 2 and Level 3 block many valid servers.  Those levels have nothing to do with specific spammers and using them you are contributing to the UCEProtect 'extortion'.
SmarterUser Replied
May 2, 2015 at 3:01 PM
Thanks, Joe.  I am happy to have your assessment as confirmation, and have removed them.  I don't much care for the heavy handed approach.
Scarab Replied
May 4, 2015 at 4:20 PM
We still use L2 & L3 *BUT* we score both with such a small score that it is for the purposes of tilting the scales if they have failed other RBLs but otherwise wouldn't be a high enough score to be marked as Spam. So, on a 10-20-30 (Low-Med-High) weight scale, we give L2 a score of 4 and L3 a score of 2. In such a case, as a supplement to other Anti-Spam checks, they can still be useful (as if there is nothing else wrong with the email they won't be marked as Spam), but otherwise they are responsible for far too many false positives if you give them a significant weight.
Scarab Replied
May 5, 2015 at 2:24 PM
Just to clarify, I do not recommend using L2 and L3 for blocking; they should be used only for weighing. The reason we don't rely on any one RBL is because every single one of them is going to have false positives. That is why a weight system is used requiring multiple positives before a message is marked as Spam. Oftentimes with Snow-shoe Spam or Recent Spam it won't be flagged on many RBLs when you receive it. If a message hits only one RBL but is also on L2 and L3 then it gets flagged, whereas without L2 and L3 it wouldn't.

In my experience spam comes from the exact same network providers and the spammers cycle through the same small group of network providers. Many network providers contributing to Spam either do not have the ability to secure, monitor, and police their networks, have either a non-existent ToS or Abuse Policy regarding Spam, or exist entirely to cater to Spammers (who pay very well). As long as a Spammer only abuses their network once a month most network providers look the other way (as long as their check clears the bank). Most RBLs are far too quick to forget past transgressions and thus don't catch the majority of Spammers (BARRACUDA and SENDERBASE for example will drop Friday's Spammers from their RBLs by the time I get to work on Monday morning from the weekend).

Which is precisely why I find L2 and L3 useful. Yes, there are going to be false positives (and potentially a lot of them, which is why they warn you that you shouldn't use them to block but only to weigh), but they are also going to help catch Spam that no one else does. Personally, I don't find that they catch as many false positives as one might think from UCEProtect's warnings. In our last Anti-Spam Audit back in March we discovered that L1 is responsible for flagging 3% of Spam. L2 and L3 are responsible for 2% and 0.1% respectively. In the two-week span we audited we had not a single email wrongly flagged as Spam by L2 and L3. They are a lot more useful and accurate than most of SORBS RBLs (with the exception of SORBS-RECENT) and SPAMHAUS RBLs (with the exception of SPAMHAUS-SBL2).
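The weighting scheme Scarab describes in the two posts above (L2 scored 4 and L3 scored 2 on a 10/20/30 Low/Medium/High scale, so they only tip a message over the line when another list has already hit it) is easy to reason about once it is written down as code. The following is an added example, not SmarterMail's implementation and not anything posted in this thread. It builds the reversed-octet DNSBL query name the way RFC 5782 describes, checks the returned A record against a per-list "required value" (a list whose answer does not match contributes nothing, which is the behaviour a Required Lookup Value option would give you), and sums the configured weights. The UCEPROTECT zone names and their 127.0.0.2 return code are taken from that project's public documentation; the weight 8 for the extra list, the `rbl.example` / `combined.rbl.example` zones, the 192.0.2.x addresses and the DNS answers are all constructed so the script runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Spam score thresholds from the thread: 10-20-30 = Low-Medium-High.
LOW, MEDIUM, HIGH = 10, 20, 30


@dataclass(frozen=True)
class Rbl:
    name: str
    zone: str
    weight: int
    # If set, a listing only counts when the A record equals this value.
    required_value: Optional[str] = None


# Weights follow Scarab's post: L2 = 4, L3 = 2. The other two lists and
# their weights are constructed for the example.
RBLS: List[Rbl] = [
    Rbl("UCEPROTECT-L1", "dnsbl-1.uceprotect.net", 10, "127.0.0.2"),
    Rbl("UCEPROTECT-L2", "dnsbl-2.uceprotect.net", 4, "127.0.0.2"),
    Rbl("UCEPROTECT-L3", "dnsbl-3.uceprotect.net", 2, "127.0.0.2"),
    Rbl("EXAMPLE-RBL", "rbl.example", 8),                         # constructed
    Rbl("COMBINED-RBL", "combined.rbl.example", 10, "127.0.0.2"),  # constructed
]

# Constructed DNS answers standing in for live lookups (query name -> A record).
FAKE_DNS: Dict[str, str] = {
    # 192.0.2.10: only the collateral lists (L2 + L3) know about it.
    "10.2.0.192.dnsbl-2.uceprotect.net": "127.0.0.2",
    "10.2.0.192.dnsbl-3.uceprotect.net": "127.0.0.2",
    # 192.0.2.20: one real hit plus L2 + L3.
    "20.2.0.192.rbl.example": "127.0.0.2",
    "20.2.0.192.dnsbl-2.uceprotect.net": "127.0.0.2",
    "20.2.0.192.dnsbl-3.uceprotect.net": "127.0.0.2",
    # 192.0.2.30: listed, but with a return code the config does not require.
    "30.2.0.192.combined.rbl.example": "127.0.0.10",
}


def query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the DNSBL zone (RFC 5782 style)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(name: str, resolver: Dict[str, str]) -> Optional[str]:
    """Return the A record for a DNSBL query name, or None for NXDOMAIN."""
    return resolver.get(name)


def score(ip: str, rbls: List[Rbl] = RBLS,
          resolver: Dict[str, str] = FAKE_DNS) -> Tuple[int, List[str]]:
    """Sum the weights of every list that returns a matching answer."""
    total, hits = 0, []
    for rbl in rbls:
        answer = lookup(query_name(ip, rbl.zone), resolver)
        if answer is None:
            continue
        if rbl.required_value is not None and answer != rbl.required_value:
            continue  # listed, but not with the code we care about
        total += rbl.weight
        hits.append(rbl.name)
    return total, hits


def classify(total: int) -> str:
    """Map a weight total onto the Low/Medium/High scale, or Clean below Low."""
    if total >= HIGH:
        return "High"
    if total >= MEDIUM:
        return "Medium"
    if total >= LOW:
        return "Low"
    return "Clean"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        total, hits = score(ip)
        print(f"{ip}: {total:2d} {classify(total):6s} {hits}")
```

Running it shows the effect the posts describe: 192.0.2.10, listed only on L2 and L3, scores 6 and stays Clean; 192.0.2.20, which a single weight-8 list alone would also leave Clean, reaches 14 and is marked Low once L2 and L3 add their 6 points; 192.0.2.30 is skipped entirely because its return code does not match the required value.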

