Port scan resulted in subnet blocking by ISP due to being on UCEPROTECT list

Vincent Canfield, the administrator of the mail service and reseller hosting provider cock.li, discovered that his entire IP network had been automatically listed in the UCEPROTECT DNSBL because of port scanning originating from neighbouring virtual machines. His subnet ended up on the Level 3 list, which blocks by autonomous system number and covers whole subnets from which the spam detectors were triggered repeatedly and from different addresses. As a result, his provider, M247, withdrew the BGP announcement for one of its networks, effectively suspending service.

The problem is that the UCEPROTECT decoy servers, which pose as open relays and detect attempts to send mail through them, add addresses to the block list on the basis of any network activity at all, without verifying that a TCP connection was actually established. The Spamhaus project uses a similar listing method.

Getting an address onto the block list therefore takes a single TCP SYN packet, which attackers can exploit. In particular, since no completed TCP three-way handshake is required, a packet can be sent with a spoofed source IP address, causing an arbitrary host to be listed. By simulating activity from multiple addresses, the listing can be escalated to Level 2 and Level 3, which block by subnet and by autonomous system number.
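The design flaw described above can be illustrated with a small model of a decoy "open relay" sensor. The following is an added example, not code from the article or from UCEPROTECT: it replays constructed sensor events and compares a listing policy that counts any SYN (which spoofed packets can trigger) with one that only counts sources that completed the handshake; the thresholds and the /24 escalation rule are assumptions, not UCEPROTECT's real criteria.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of what a decoy sensor might record:
# (source IP, highest TCP state reached). A SYN with a spoofed source
# never completes the three-way handshake, so it stays at "SYN".
EVENTS = [
    ("203.0.113.10", "ESTABLISHED"),   # real host that actually spoke to the decoy
    ("203.0.113.10", "ESTABLISHED"),
    ("198.51.100.7", "SYN"),           # spoofed sources: handshake never completed
    ("198.51.100.8", "SYN"),
    ("198.51.100.9", "SYN"),
    ("198.51.100.200", "SYN"),
    ("192.0.2.33", "SYN"),
]

# Hypothetical thresholds (assumption, not the real list's rules).
HOST_THRESHOLD = 1        # sensor hits before a single host is listed
SUBNET_ESCALATION = 3     # distinct listed hosts in a /24 before the /24 is listed


def list_hosts(events, require_handshake):
    """Return the set of listed source IPs.

    require_handshake=False mimics listing on any SYN (spoofable).
    require_handshake=True only counts sources that reached ESTABLISHED,
    which a spoofed packet cannot do.
    """
    hits = defaultdict(int)
    for src, state in events:
        if require_handshake and state != "ESTABLISHED":
            continue
        hits[src] += 1
    return {src for src, n in hits.items() if n >= HOST_THRESHOLD}


def escalate_subnets(listed_hosts):
    """Level-2-style escalation: a /24 is listed once enough distinct hosts in it are."""
    per_net = defaultdict(set)
    for src in listed_hosts:
        per_net[ip_network(f"{src}/24", strict=False)].add(src)
    return {str(net) for net, hosts in per_net.items() if len(hosts) >= SUBNET_ESCALATION}


if __name__ == "__main__":
    naive = list_hosts(EVENTS, require_handshake=False)
    print("SYN-counting policy lists:", sorted(naive), "subnets:", escalate_subnets(naive))
    hardened = list_hosts(EVENTS, require_handshake=True)
    print("handshake-verified policy lists:", sorted(hardened), "subnets:", escalate_subnets(hardened))
```

With the SYN-counting policy the four spoofed addresses are enough to list the whole 198.51.100.0/24, whereas the handshake-verified policy lists only the host that really connected.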

The Level 3 list was originally created to deal with providers that encourage malicious activity by their customers and ignore complaints (for example, hosting set up specifically to host illegal content or serve spammers). A few days ago, UCEPROTECT changed the criteria for inclusion in the Level 2 and Level 3 lists, which resulted in more aggressive filtering and much larger lists: the number of entries in the Level 3 list, for example, grew from 28 to 843 autonomous systems.

As a countermeasure against UCEPROTECT, the idea was floated of using address spoofing when scanning, with source IPs taken from the ranges of UCEPROTECT's sponsors. As a result, UCEPROTECT entered the addresses of its own sponsors, and of many other uninvolved parties, into its databases, causing email delivery problems. Sucuri's CDN network was among those that ended up on the block list.

Source: opennet.ru