OVHcloud Community


Blacklisted IP ranges by UCEPROTECTL3


#1

I have been facing issues with my email servers on OVH dedicated machines in both Canada and France.
It seems that there is a Swiss blacklist that is utilised by the likes of Microsoft (Outlook, Hotmail, Live etc.) that is listing hordes of OVH’s IP ranges.
This has a direct negative impact on individual IPs on dedicated servers, and others I would imagine.
OVH informs me (by ticket return) that we have two options; 1) use IPv6 for outgoing SMTP or 2) ask the email service providers (to whom our emails can no longer be sent) to desist their use of the UCEPROTECT blacklist.
According to UCE OVH is one of the ASNs that are not configured correctly to avoid spam throughput via their servers/network.

Does anyone know how to set the SMTP out IP to work with IPv6? Because the second option is obviously pointless and it looks like OVH is not going to buy their way out or alter their network accordingly!

Here is an extract from their lookup page (http://www.uceprotect.net/en/rblcheck.php)

What does it mean to be listed at the UCEPROTECT-Level 3?
UCEPROTECT Network operates three levels of blacklisting, so our users can make the decision how strong they want to filter.
While UCEPROTECT-Level 1 lists single IP’s only, UCEPROTECT Level-2 escalates and lists dirty allocations.
UCEPROTECT-Level 3 is the highest possible escalation, complete Autonomous Systems (AS) get listed at Level 3 if there were too many Impacts from IP’s listed in Level 1 originating from said AS counted within the last 7 days.
If the provider harbours too many abusers and only has one ASN (Autonomous System Number) that logically means:
All IP’s of said provider get listed at Level 3 then.
Click here to see the Policy for UCEPROTECT-Level 3
While in fact UCEPROTECT-Level 3 is nothing than pure mathematics based on the Impacts from Level 1, one could best describe UCEPROTECT-Level 3 as a boycottlist.

As you should know now: It is not you, it is your complete provider which got UCEPROTECT-Level 3 listed.
Your IP 142.44.xxx.xx was NOT part of abusive action, but you are the one that has freely chosen your provider.
By tolerating or ignoring that your provider doesn’t care about abusers you are indirectly also supporting the global spam with your money.
Seen from this point of view, you really shouldn’t wonder about the consequences.

Therefore we recommend:
Please send a complaint to your provider and request they fix this problem immediately.
Think about this: You pay them so that you can use the Internet without problems;

If they are ignoring your complaint or claiming they can’t do anything, you should consider changing your provider.
There are currently about 105,000 providers worldwide, but only a few hundred make it to get listed into UCEPROTECT-Level 3.

According to the statistics measured against the mailflow of several national authorities in Germany, Austria and Switzerland, those few providers which often end up in our Level 3 are responsible for 50 - 75% of all global spam, while almost no real mail came from their networks and ranges.

See: Inaccuracy and accuracy of UCEPROTECT-Level 3 during the last 4 weeks

We often get to hear the argument:
My provider is so huge, and they have so many home users, it is almost impossible that they can create effective measures to prevent spam.
This statement is simply wrong and an excellent example for a large but clean provider is DTAG (ASN 3320):

DTAG has about 34 million IP’s and the majority of their customers are likely to be home users.
In spite of this size you can nowadays see almost no spam from the DTAG address space.
Let’s see DTAG (ASN 3320) here.

An even more stunning example for a large but clean provider is Microsoft (ASN 8075):

Microsoft has about 37 million IP’s and they are likely running Windows, which is a primary target for cybercriminals, due to its high distribution.
In spite of these facts you can nowadays see almost no spam from the Microsoft address space.
Let’s see Microsoft (ASN 8075) here.

The question must be: If big providers like DTAG and Microsoft can so effectively prevent that their customers are sending spam, why can your provider not also do so?

The simple answer is: The Abuse Departments of providers NOT listed in our Level 3 are doing an excellent job, while those listed do not.

If your provider really wants to stop the excessive abuse coming from their ranges they would simply install some preventive measures.

These 4 little steps would make the difference - and could be done in less than one hour.

Can’t you make an exception for me?
We never make exceptions. Requests are futile. Only your provider can fix this problem.
Anyway our system respects IP’s which are registered at ips.whitelisted.org, these are excluded from Level 3.

How can my providers total IP-space be removed from UCEPROTECT-Level 3?
After your provider has fixed those excessive problems, UCEPROTECT-Level 3 listing will be removed automatically and free of charge as soon as the causal Level 1 listings and with them their Impacts will expire and decrease below Level 3 escalation limit.
Every IP temporary listed at Level 1 expires 7 days after we have seen the last abusive action originating from there.
Automatic expiration is free of charge, because it does not require manual work.
If your provider doesn’t want to wait for free expiration, they can optionally order expedited express delisting, which is charged a total of for all IP’s and ranges under their ASN.
Orders for expedited express delisting are processed by external service providers, therefore it cannot be offered for free.
Please note that payment is not a solution, but limiting abuse is.
Therefore it is important that those excessive problems which have caused the listing at Level 3 are fixed in first place, otherwise your providers complete IP-space might end up in Level 3 again within a short timeframe.
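
The three levels described in the extract above can be told apart with ordinary DNSBL lookups, which shows whether a server's own IP is listed or only its provider's ASN. This is an added example, not part of the original post or UCEPROTECT's own tooling; the zone names are assumed to be UCEPROTECT's public DNSBL zones (they are not given on this page), and the sample IP and resolver answers are constructed.

```python
import ipaddress
import socket

# Assumption: UCEPROTECT's public DNSBL zones, one per level (not stated on this page).
ZONES = {
    1: "dnsbl-1.uceprotect.net",  # single IPs
    2: "dnsbl-2.uceprotect.net",  # allocations
    3: "dnsbl-3.uceprotect.net",  # whole ASNs
}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.

    IPv4 only: IPv6 input raises ValueError and is not looked up here.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None if it does not resolve.

    A failed lookup is treated as 'not listed', so run this through your
    own resolver: many DNSBLs do not answer queries via large public ones.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_levels(ip, resolver=system_resolver):
    """Return {level: listed?}. Only answers inside 127.0.0.0/8 count,
    so a wildcard or hijacked DNS answer is not mistaken for a listing."""
    result = {}
    for level, zone in ZONES.items():
        answer = resolver(dnsbl_query_name(ip, zone))
        result[level] = (
            answer is not None and ipaddress.ip_address(answer).is_loopback
        )
    return result


def diagnose(listed):
    """Report the most specific listing, which decides who can fix it."""
    if listed[1]:
        return "ip-listed"          # this host sent abuse: fix it, wait for expiry
    if listed[2]:
        return "allocation-listed"  # neighbours in the same allocation
    if listed[3]:
        return "asn-listed"         # provider-wide: only the provider can fix it
    return "clean"


if __name__ == "__main__":
    # Constructed resolver: 192.0.2.10 (documentation range) listed at Level 3 only.
    def constructed(name):
        return "127.0.0.2" if name.endswith(ZONES[3]) else None

    print(diagnose(check_levels("192.0.2.10", constructed)))
```
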


OVH on UCE Blacklist
#2

Hello.

Wanted to let you know you’re not alone - and I suspect you’re much more affected than I.
But I can confirm I’m routing SMTP via a VPS with all relevant checks in place my side; DKIM / DMARC / SPF - but I’m getting bounced by other parties such as Microsoft due to the L3 block.

Same exact response from OVH, looks like it’s just written out and pasted to each individual which contacts.

I suppose OVH could create an IP Range for SMTP traffic and sell these IP’s to customers who want a clean IP range.


#3

Well, I don’t know about you but I can’t see why OVH cannot comply with the suggestions, would it affect a range of their customers? If so, are not those customers behaving in ways that are not acceptable to the standards outlined by UCEPROTECT?
I don’t understand the view “we refuse to adjust our policies” when it seems that those policies clearly allow abusive behaviour on their network. Surely we all want a spam free world do we not? I am looking at moving away from OVH if they continue to drag me into their refusal to comply.


#4

My host is also blacklisted by gmail/googlemail, whether because of UCEPROTECTL3 (which persists, currently they cite 3,389 messages caught in their spam traps coming from OVH-hosted IP addresses) or Google’s own blacklists I’m not sure.

I can’t afford my customers not getting my emails, will have to look at switching to a better host even if it costs more :frowning:


#5

I want to know if there are any specific criteria for being blacklisted, because my friend just used the word “smoker” and got blacklisted, and he was wondering why it happened. Can anyone guide me more about it, please? Thanks.


#6

Update my side, attempted to spin up EC2 just as a mail-relay for outbound SMTP. However, they wouldn’t lift the outbound TCP/25 restriction for my use case. Personal Email / Micro-Business email.


#7

Same for me. For VPS and Dedicated IPs.


#8

Hi Everyone,

I have the same problem with OVH being listed under UCEPROTECT-Level3, which seems to block delivery of mails to users of Outlook, Yahoo, Verizon.
Did somebody find a solution? Aside from paying UCEPROTECT to be whitelisted :rage:
In the case of Outlook.com (MS) I’m trying to use sendersupport.olc.protection.outlook.com/snds/addnetwork.aspx but it keeps crashing with error messages :frowning:


#9

Same here. We need a solution for that.


#10

It’s not you or your IP necessarily, it’s the entire block of IPs assigned to OVH, because OVH allows abuse of IPs within that block.


#11

Hello EricR1.
Unfortunately paying for ips.whitelisted.org does not help the situation. My IP’s on OVH are perfectly clean barring that L3 block. I’ve since paid for one month renewal on ips.whitelisted.org (just to test the waters) and it certainly makes it report back clean on mxtoolbox. However, Microsoft still outright block my connections from that IP address still, so I would advise - don’t expect to pay for whitelisted.org and expect to be able to email Microsoft-based users.
I’ve since reached out to another company (Vultr.com) and expressed my issues with this block. They ban TCP/25 outbound by default but allowed me to open a support ticket with them, explained my situation and they allowed me to spin up a cheap VPS there for a mail relay.
So until OVH sort their stuff out - I guess I’ll be a happy customer of Vultr just for relaying emails through a clean IP Address.

Amazon AWS outright declines requests to open TCP/25 outbound for anything other than large enterprises - and they also advise the use of AmazonSES first.
Azure do similar to above.

Hope this helps.
This is something OVH need to sort and I’d advise (if there is an OVH employee), incorporate a policy on outbound TCP/25 similar to Vultr. Get users to open a support ticket to open said port and explain their use case. Heck, even get some ID evidence or something to make them accountable to any spam they send!


#12

Careful, this has nothing to do with the L3 block. For Microsoft you need to contact them, and ask them to manually remove it from the blacklist. Microsoft isn’t using any RBL afaik.
You can do that by filling in this form: https://support.microsoft.com/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75

Then after a few hours most likely you’ll receive an automated email saying “your IP doesn’t qualify for mitigation”. Once you receive that, you answer that email and ask for more info regarding the subject, and only then will someone from Microsoft get in touch with you. I had the same problem a few weeks ago regarding Microsoft. And everything got sorted out.

Microsoft, gmail and others big providers do not fully comply with the norms, and because they’re big email providers they do their own game. Unfortunately it’s up to us to keep it up.


#13

Diogo J confused with RBL and Microsoft its own black list mitigation issue, this issue has nothing to do with msrp spamming blacklist which you do not require to contact with Microsoft.

This is just OVH excuse to not resolve issue rather than pointing others to do job for themselves.

Microsoft is surprisingly using UCEPROTECT RBLs from 1 to 3, and UCEPROTECT RBLs should not exist in the first place. Because OVH uses the same handler when they obtain IPs from ARIN or RIPE, they blacklisted all OVH IP handlers, which is about 20 handlers. In these 20 handlers there are thousands of IP addresses.

I sent an email to OVH to rectify this issue and as a company OVH needs to pay 467euro x 20 handlers to first temporarily resolve this issue.
After they have paid the temporary 1 month removal cost, OVH should contact Microsoft to not use this RBL. Who will Microsoft listen to, just an average Joe or OVH itself? Of course they will at least listen to OVH, whether they take action or not.

I suggested OVH to purchase 256ip address on my company handlers name, this is the only way getting rid of this problem. Once UCL3 blacklist all OVH handlers it won’t affect me because it’s under my name. if UCL3 will block all OVH Handlers one of them is (ASN 3320) it will not affect you. OVH refused also this idea.

OVH will lose a lot of customer because of this issue and they don’t seem to care instead of blaming others. If it was me I would have paid 467 euro x 20 handlers first to keep customer than in a month will try to resolve issue. not every mail server use IPv6 this won’t solve the issue neither contacting microsoft to not use UCL3 rbl

OVH closed ticket which I created without asking me if this issue resolved or not. If it was another person same day would have change OVH

I paid 1 month to UCL3 for all my IP addresses to remove this blacklist, because rather than losing customers I prefer losing money; it is the only option after all. They are now asking me for renewal money but I didn’t pay; they seem to have forgotten, because the IP is still not showing as blacklisted again.

This is email I sent to OVH

"if you check any of my ip address you can find uceprotect level 3 has been black listed OVH ASN 16276 as a result all ip’s under these ASN has been black listed by uceprotect. Hotmail and whoever companies use office 365 hosted email service, checked each emails against this UCEPROTECT black list to deliver emails. As a result I have received very urgent email from one of my customer saying that, they sent email to this address and this address couldn’t receive email because of my ip is in the uceprotect spam list.
They don’t have this problem before (with different provider they were) and asking me why we having this problem now. As a result I had to pay 1 month only subscription to 5 single ip addresses $176.95 to just remove 1 month removal fee to some of black listed ip addresses for me to keep my customer otherwise I will lose them.

if you check single IP itself doesn’t in blacklist it is the ASN 16276 OVH is in the level3 makes my ip also blacklisted.

I have now 2 options

a) change ovh to another provider who provides me 256 ip address different ASN for these 256 ip address

b) ask ovh to purchase 256 new ip address without neighbouring any one and brand new ASN without link to any other OVH ip address.

Please take this matter seriously because I need to solve this problem, otherwise I will have to change service provider rather than losing my customer.

IP’s
xxx x x xxx x x x xx x x x x


this is response I received
OVH
Hello,

Greetings from OVHcloud Support.

Recently, UCE Protect has placed over a thousand new ASNs on their blacklist. Unfortunately, our ASN (AS16276) has been affected by this. To view the list of other affected ASNs and the number of new ASNs added, please check the following links:

http://www.uceprotect.net/en/l3charts.php
http://stats.uceprotect.net/?page=su

Our legal abuse team has reached out to UCE Protect in order to remove our ASN from the blacklist. Ultimately, UCE Protect wants all of the newly blocked ASNs to pay for express delisting. Like all major providers, OVHcloud does not pay for blacklist delisting as it is a service outside of our control. Paying for delisting on blacklists only leads to an increase in blacklisting overall and ultimately hurts the industry.

UCE Protect claims automatically delist ASNs after 1 week, which we hope will happen but as it is outside of our control, we cannot provide any guarantees regarding this.

If you are currently affected by this, we recommend the following:

  1. To send your mail via IPv6. UCE Protect does not blacklist emails sent via IPv6. All of our OVHcloud services come with at least a single IPv6 address which you can configure. All major email providers now support IPv6.

  2. Ask the receiving party to contact their mail provider and request that they don’t use the UCE Protect blacklist for the time being.

We thank you for your understanding on this. OVHcloud is committed to having an open trusted cloud and it is through the cooperation of users like you that will allow us to continually improve our service going forward.

Regards,


ME

Of course you see this problem from your side, I understand that, but addressing the issue this way is wrong. I can’t ask Microsoft to not use UCEPROTECT for its users; it’s not logical, that’s their service.

I agree with you to not pay UCEPROTECT but unfortunately I don’t work for company I have my own company so I can’t just simply say to my customer deal with it instead of resolving it. They will simply cancel the contract with me.

I just don’t understand this Why OVH can’t provide me 1 C class IP and ASN under my name so even they black list all OVH ASN’s my one won’t be affected.

"OVHcloud does not pay for blacklist delisting as it is a service outside of our control."
this is true this service absolutely invented for profit hard to send email and pay for express delisting,
But you guys not right way to solve this problem. Why OVH doesn’t implement such a way to prevent this issue by offering everybody different ASN and not single IP neighboring policy. If I want to get 16 static ip OVH should not give ip address within same C class to others preventing bad neighboring. I am willing to pay once to not having this kind of problem. you also will know what the problem customer and ban from your network to make safest network. I just don’t seem you and your legal team wants to solve this issue once and for all.

I sense that you are trying to solve this issue as if this is not our problem, deal directly with UCEPROTECT. Of course you are an employee of OVH and you don’t care if OVH loses some of its customers. I need a concrete, solid, future-proof solution, and the solution you gave me in your email just does not solve the issue.

OVH
Hello,

Something to note about our IP ordering system is it will choose and allocate you an IP from our available IP pool at random. So if you’re looking for an IP within a specific range, I’m afraid that is not technically feasible as there’s already a limited amount of IPs we have and for security reasons, they will be delivered at random.

and after this email they closed ticket what a company


#14

I cannot seem to understand who is the villain here and what we customers can do about it.

Is it UCE who is trying to get delist payments or is OVH not properly taking care of their network?

I really need to take action because mail delivery issues hurt any business.

Moving away from OVH will result in triple the costs for the same VPS so it’s not an easy decision.


#15

I just came across this thread and how unfortunate this is. I was going to move my small DirectAdmin server to OVH but with UCE blacklisting OVH’s ASN it’s pretty much out of the question.

As I understand it, even paying to have a single IP address whitelisted won’t fully workaround the issue with some large providers like Microsoft still blocking the incoming email, otherwise I would’ve done that. I see earlier on in this thread someone mentions replying to Microsoft’s initial “not possible to mitigate” email, but I guess this isn’t a guarantee that every genuine person will be able to get this resolved.

EDIT: Apparently not many places even use the UCE 3 blacklist as it’s rather draconian (hope that’s true), and Microsoft (for example) is a separate matter but again contacting them doesn’t guarantee they will agree to remove you from their own blacklist - if you’re on it.


#16

We are facing the same problem. I have informed OVH but they simply don’t seem to care if we go or not. Their last response is that nobody uses UCEPROTECT but all our clients are complaining and we are now standing the risk of losing clients.

Lewis, I would strongly suggest you don’t make the move to OVH. You think Microsoft and Google don’t but I think they do. Many of our emails to Microsoft and Google are being affected. Clients are constantly complaining with the threat of leaving and this has been a problem for nearly three months now.

We have now started looking at moving to other servers. We may not count as 1 client, but if together we inform OVH that we are leaving then they might get their act together.

I really do hope that they fix the issue soon.