Email spam is the bane of all our existences. On the other hand, being able to send (legit) emails to customers and actually have them land in inboxes is absolutely essential to run just about any business. With that in mind, a variety of Email Blacklists came about and are maintained by various organizations, to help ESP’s sort out the good senders from the bad. But what happens when a particular Email Blacklist goes from being a force for good, to rather blatant monetary extortion?
As a business owner, it is both frustrating and costly when, despite never sending spam and always doing things the “right way”, we end up on a blacklist that causes our emails to be bounced. Our customers don’t receive purchase receipts, replies to support tickets, forgot password reset emails, or even just ordinary responses to their inquiries. They take the “lack of reply” (as they perceive it) to mean we don’t care, aren’t a professional business, or you-name-it. Getting our emails bounced is enormously damaging to our reputation.
Such is the struggle I’ve been having with a blacklist called UCEPROTECT-Level 3 (or UCEPROTECTL3).
My first awareness of them started last February when we noticed certain emails we tried to send were bouncing back to us. The bounce messages indicated that our IP address was blacklisted, so I popped over to MXToolBox and did a search. Over 100+ blacklists all showed a green checkmark, meaning we were not blacklisted, except for one — and only one — which had us blacklisted: UCEPROTECT-L3.
I followed the links to UCEPROTECT and found this:
Note this part of their explanation:
As you should know now: It is not you, it is your complete provider which got UCEPROTECT-Level 3 listed.
Your IP [xxx.xxx.xxx.xxx] was NOT part of abusive action, but you are the one that has freely chosen your provider.
By tolerating or ignoring that your provider doesn’t care about abusers you are indirectly also supporting the global spam with your money.
Seen from this point of view, you really shouldn’t wonder about the consequences.
What a wonderfully arrogant statement!
Let’s stop and try to understand exactly what we are seeing here. UCEPROTECT has decided to blacklist, not me personally, but ALL IP ADDRESSES belonging to my host — in this case, Digital Ocean. That’s over 2+ million IP’s, according to their own numbers!
Digital Ocean is one of the largest cloud hosting providers in the U.S. When you run a company that big, I’m sure some small percentage of spammers will make it into the system. THAT DOESN’T MEAN *I* SHOULD BE PUNISHED! I’ve done nothing wrong, as UCEPROTECT admits.
BUT WAIT! There is a “solution” to this problem. UCEPROTECT offers a “whitelisting” service called whitelisted.org. For the low low price of just 25 CHF (Swiss Francs) per month, I can get my IP address taken off the blacklist:
In other words, first they CREATE the problem, then conveniently they have a solution which, coincidentally, requires my money? Excuse me, but why do I suddenly feel like I’m dealing with these guys:
Seriously, how is this fucking legal? This is extortion, pure and simple.
“Hey guys, lets ban the biggest cloud provider in America and see who pays up.”
“Good idea! But what if they done nothing wrong?”
“Who cares? Fuhgeddaboutit!”
From the emails that were bouncing — mostly @hotmail, @outlook, and @live addresses — it was clear Microsoft relies heavily on UCEPROTECT for the email services they own. There were others, for example GMX, but mostly it’s the hotmail/outlook domains that are a big problem, because so many people use them.
I went through the process of contacting the various postmasters of these services, seeking to get our IP address unblocked. GMX had the best response — to their credit — they responded and whitelisted our IP for their service within 24 hours. As for Microsoft? Not so easy. Their support is incredibly hard to get in contact with. I did manage to get through and have my IP address whitelisted a couple of times, but it never lasted very long. Obviously they must sync their internal list with UCEPROTECT on a regular basis, and because we were still on that blacklist, we would end up right back where we started from.
What about Digital Ocean? Can’t they do anything about this? It’s no secret I love Digital ocean — it’s a great service in many ways. However their response to this situation was profoundly disappointing.
In fairness, I never contacted Digital Ocean support directly about this. I didn’t see the point after reading this post on the DO forums, where people reported getting this email response from Digital Ocean:
DigitalOcean is not a dedicated email host and does not have a postmaster to maintain our IP reputation. As a result, some DigitalOcean IP ranges are blacklisted. We do not recommend sending mail from our platform directly and we will not request delisting. We will not prevent you from sending mail, but you will be at the mercy of the IP reputation if you choose to do so. Here are some possible workarounds if you choose this route:
Request delisting from the blacklist provider when possible. If you are receiving bounce backs due to the blacklist, the error message usually includes a link that shows you where you can submit a delist request.
Snapshot and create a new Droplet for a new IP address. Note that this does not guarantee you won’t run into the same issues due to the reasons previously discussed. If you’d like to redeploy for a new IP, please follow this guide:
How to Migrate Droplets Using DigitalOcean Snapshots
https://www.digitalocean.com/docs/images/snapshots/how-to/migrate-droplets/
If you must send mail, we suggest partnering with a mail relay provider like SendGrid or Mailgun, etc. These providers already have relationships with real-time blacklist aggregators (RBLs) like SORBS and Spamhaus and have a postmaster that works to ensure their reputation is kept clean. These links have some additional information:
Why You May Not Want To Run Your Own Mail Server
https://www.digitalocean.com/community/tutorials/why-you-may-not-want-to-run-your-own-mail-server
Droplet Limits
https://www.digitalocean.com/docs/droplets/#limits
In other words, they don’t really care. Sure Sendgrid and Mailgun are great services, and I’ve used them for certain projects, but for my own business I actually prefer running my own mail server. I like the increased level of control over my own mail. Isn’t that the whole point of using a cloud provider like Digital Ocean? To have full control over my servers (without going to the extreme cost of bare metal)?
I’m not the only one who feels this way or has had this issue. The above post I mentioned has racked up over 50K views, and a lot of excellent comments from other users — but stunning silence from DO itself.
I happened across other posts about this issue around the interwebs also:
https://news.ycombinator.com/item?id=26064722
https://www.reddit.com/r/sysadmin/comments/eur4ju/removal_from_uceprotectl3_blacklist/
Clearly it’s not just me.
So what can be done about this situation? The answer from UCEPROTECT is… to give them money. The answer from Digital Ocean is… send your emails somewhere else. Neither of these are acceptable solutions to me.
As a practical matter (because I had no other choice) I was forced to move my outgoing emails to a different, non-Digital Ocean server. (Basically I just setup a mail relay system so all my DO-hosted servers’ mail now passes through one of my non-DO servers.) That sucks in principle, because I shouldn’t be forced to move or waste my time when I’ve done nothing wrong. But what else can I do? I don’t (at the present time) have the time or money to sue UCEPROTECT, which I’m sure would be a long and expensive process given they are in Switzerland, while I’m based in the U.S. Besides, if I want to stay in business, I need to be able to reach my customers. So here we are.
Nevertheless, there should be a better solution to this. It is for this reason I say the following:
TO MICROSOFT — and any other ESPs who use the UCEPROTECT blacklist:
Stop using UCEPROTECT. It’s that simple. Do you really want to support a blatant extortion racket? I mean seriously, they blacklist 2+ million IPs all in one go, admit that we did nothing wrong directly, and then want money to take us off the list? Come on. There are 100’s of blacklists to choose from, you don’t need UCEPROTECT. Maybe start with this post from Jeff Huckaby: The 8 Email Blacklists You Should Actually Care About.
TO DIGITAL OCEAN:
You’re a big company with lots of lawyers. Please take the needs of your own customers seriously and go sue the pants off of UCEPROTECT. Take those Swiss scammers for everything they’re worth. That’s the only way to shut them down, and I would be a loyal customer forever if you did.
TO UCEPROTECT:
You arrogant Teutonic assholes deserve to die a horrible, painful death. Seriously, are your mothers aware of how you scam people to make your living? You ought to be ashamed of yourselves. Fuck. You.
Much more unveiling background info about that ‘company’, run by a German citizen who has gone into hiding in Non-EU Switzerland: https://www.aaroncake.net/misc/showthought.asp?thought=57
This is very frustrating, and I am a DO customer too to I feel your pain. Unfortunately your anger should be directed to DO. They don’t police their IP range effectively.
If Microsoft’s 37 million IP addresses and DTAG’s 24 million IP addresses can avoid listing, DO can and should stop their rot.
I’ve stopped recommending DO to clients. They’re not worth the hassle.
Every word carved in stone! Can’t agree more. This madness must stop. Large (and small) companies must stop using UCEPROTECT.
I couldn’t have said it better myself. Good post. I’ve been dealing with this headache for some time and it seems never-ending. Your suggested solution is the correct one, and I wish I had the confidence to believe companies like Google, Microsoft, etc. would actually follow it. I’m fairly certain Google is using the list for filtering – I’ve seen delivery issue instances that seem to correlate pretty directly.