WHEN “WHITEHATS” BREAK BAD: UCEPROTECT.NET & OTHER MALICIOUS “REALTIME BLACKLISTS” (RBLs)
v1: FEB 19 2021 — Full Story Published.
v2: JUN 29 2021 — Minor Updates, Clarifications.
It’s been a minute since we’ve all re-visited the (very) unfinished business of When “Good” Blacklists Break Bad. The last time we covered SPAMHAUS, and it went juuuuuuuuuuust fine! Just kidding! Yeahhhhnnnahhh, You may recall that was the time Bran Krepbsh tried to get me fired, as well as coming after @gexcolo from OvO Networks (AKA cock.li). Anyhoo… today we’re covering UCEPROTECT. It’s a very funny website that was built in the 1990s. (*website carbon-dating based on web design).
FIRST THINGS FIRST
Let’s check in with UCEPROTECT! As of the beginning of this write-up, this hilarious (extortion) service is accusing 938 ASNs and 159555 IP addresses of “bad behavior” or whateverthefck.
Let’s see the numbers by the end of the article!!
WTF IS UCEPROTECT?
UCEPROTECT is a criminal website designed to hold network administrators hostage until they pay a fee to be removed from a blacklist. The blacklist is (inexplicably) trusted by a few high-powered internet companies, and therefore being listed there can cause serious damage to your business.
Because UCEPROTECT’s blacklist is impacting legitimate businesses, people, and corporations, the act of demanding money in exchange for “protection from their blacklists” is also known as “Extortion”.
Anyways, the very trendy, anti-pop Spam Blocklist Maintainer UCEPROTECT has started adding anyone who dares run masscan to the blacklists. That’s about the time we started paying attention.
I want to make it VERY CLEAR that the site is NOT run by characters out of Wolfenstein. The owners’ names are definitely not movie characters trying to kill people in the Nakatomi Plaza, either. Just because Claus Von Wolfhausen and Dirk Lautenschlager are both admitted owners & associates of UCEPROTECT does NOT mean they want to kill John McClane. 15 years’ worth of posts under these names with @uceprotect.net emails means nothing.
One has to wonder if the name used to originally register UCEPROTECT.NET (Dirk Lautenschlager) is actually the only real name associated with all of this, considering it’s the only name attached to legal documents in Germany, etc. Is Claus a pseudonym? Is it just two jerk-offs running the site? The world may never (care enough to) know…
In case you’re wondering what my super 31337 methods were to find the owners’ info, I’m sorry to tell you I didn’t actually dox them. There was no effort to conceal any info. I literally just looked up the domain owner’s history, and Googled for 6 minutes. (/Krabs reference, lol.) Any name associated with UCEPROTECT is pertinent to this story, mainly due to the severity of crimes likely being committed by the owners, depending on the jurisdiction’s laws. People that have been victims of this extortion scheme may want to pursue legal action, and so the data is being made and kept public.
- FIRST REGISTRAR RECORD EVER IN 2003 FOR UCEPROTECT
- Hilarious Patent For Spam Protection
- Full PDF of Patent with UCEPROTECT.NET written all over it
- via UCEPROTECT.WTF (They provide a nice FULL JSON Dump)
- via AARONCAKE.NET
- Lulzy Posts To The IETF’s Mailing List (G*ddamn Hilarious Stuff.)
- Countless other sources that this extortion site has pissed off.
For anyone trying to call me a hypocrite on all this, the ‘notdan’ alias and my personal info was kept separate from my Twitter character for 10 years so I could do my art/commentary without concern for attribution. All good though, w/e ;)
THE RBL PROCESS & MASSCANS
UCEPROTECT aka Wolfenstein has decided long ago that scanning the internet is just as bad as spamming, and I’m going to just start saying Wolfenstein from here out because it’s way more funny.
The summary of how it works is: UCEPROTECT finds a spammer. They place the spammer’s IP/domain/netblock on their RBL (which stands for Realtime Blackhole List). The list is then published (for a DNS-based list, as a DNS zone that mail servers query for every connecting IP; many lists also offer a downloadable zone file) and consumed by devices all over the world to block traffic in a coordinated manner. The devices ingesting these RBLs and blocking traffic purely based on them are typically garbage-tier spam filtering devices. But as stated above, UCEPROTECT (as well as a few others) has decided to start listing people who run simple SYN/masscans. They’ve decided running a masscan is just as bad as running a spam organization.
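To make the lookup side concrete, here is an added example (mine, not code from the original post or from any list operator) of how a mail server or a curious admin checks an address against a DNS-based RBL: reverse the octets (or IPv6 nibbles), append the list’s zone, and read the 127.0.0.x answer. The zone names `ip.dnsbl.example` / `net.dnsbl.example`, the return-code meanings and the canned DNS answers are all assumptions constructed for the example; real lists publish their own zones and code tables. It also includes the sanity check a practitioner should run before trusting any zone: per RFC 5782, 127.0.0.2 must be listed and 127.0.0.1 must not be, which catches a parked or wildcarded zone that would otherwise "list" every address you ask about.

```python
import ipaddress
import socket

# Assumed, illustrative DNSBL zones: the names and the meaning given to each
# return code are this example's own conventions, not any real list's policy.
ZONES = {
    "ip.dnsbl.example": "single IP listing",
    "net.dnsbl.example": "netblock/ASN-wide listing",
}
RETURN_CODES = {
    "127.0.0.2": "listed: spam source",
    "127.0.0.3": "listed: policy (e.g. port scanning)",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an address.

    DNSBLs are queried like reverse DNS: the IPv4 octets (or IPv6 nibbles)
    are reversed and the list's zone is appended, e.g. 192.0.2.10 checked
    against ip.dnsbl.example becomes 10.2.0.192.ip.dnsbl.example.
    """
    rev = ipaddress.ip_address(ip).reverse_pointer  # '10.2.0.192.in-addr.arpa'
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone}"


def _lookup(name: str, resolve):
    """Return the A record for name, or None on NXDOMAIN (= not listed)."""
    try:
        return resolve(name)
    except socket.gaierror:
        return None


def zone_is_sane(zone: str, resolve=socket.gethostbyname) -> bool:
    """RFC 5782 sanity check: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A parked, expired or wildcarded zone answers for everything and fails
    this check; a consumer that skips it will block the whole internet.
    """
    positive = _lookup(dnsbl_query_name("127.0.0.2", zone), resolve)
    negative = _lookup(dnsbl_query_name("127.0.0.1", zone), resolve)
    return positive is not None and negative is None


def check_ip(ip: str, zones=ZONES, resolve=socket.gethostbyname) -> dict:
    """Query each zone for ip; return {zone: (scope, code, reason)}.

    `resolve` is injectable so the logic can run offline; the default does
    real DNS lookups through the system resolver.
    """
    results = {}
    for zone, scope in zones.items():
        if not zone_is_sane(zone, resolve):
            results[zone] = (scope, None, "zone failed sanity check, ignoring")
            continue
        code = _lookup(dnsbl_query_name(ip, zone), resolve)
        if code is None:
            continue  # NXDOMAIN: not listed in this zone
        if not code.startswith("127."):
            reason = "non-loopback answer, probably a wildcard; ignoring"
        else:
            reason = RETURN_CODES.get(code, "listed: unknown code")
        results[zone] = (scope, code, reason)
    return results


def fake_resolver(table: dict):
    """Offline stand-in for socket.gethostbyname backed by a dict."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(f"NXDOMAIN {name}")
    return resolve


# Constructed answers: ip.dnsbl.example behaves; net.dnsbl.example is a
# wildcarded/parked zone that answers for everything, including 127.0.0.1.
SAMPLE_TABLE = {
    "2.0.0.127.ip.dnsbl.example": "127.0.0.2",
    "10.2.0.192.ip.dnsbl.example": "127.0.0.3",
    "2.0.0.127.net.dnsbl.example": "127.0.0.2",
    "1.0.0.127.net.dnsbl.example": "127.0.0.2",
    "10.2.0.192.net.dnsbl.example": "127.0.0.2",
}

if __name__ == "__main__":
    resolve = fake_resolver(SAMPLE_TABLE)
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, check_ip(ip, resolve=resolve))
```

Drop the `resolve=` argument to query real zones through your system resolver. The point of the sanity check is the one the rest of this article circles around: a consumer that blocks on whatever a zone returns has handed control of its traffic to whoever runs (or later acquires) that zone.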
It’s important you understand that major internet transit companies — such as M247 — are able to use the RBL for blocking much more than just email traffic, and can implement filters based on RBL lists at a dangerous/higher level. In the case of M247, they were apparently de-linking customers and even stopped announcing BGP for a hosting provider, simply for a CUSTOMER’S actions. This means traffic from anyone included in the RBL would be denied transit on M247’s large network. Since masscans are being “found” by UCEPROTECT by looking for SYN traffic, and a bare SYN carries no proof of who actually sent it, anyone can falsely get another company placed on the lists by spoofing the source address of the traffic. This is known as ‘Spoof-Scanning’.
M247 has actually de-linked customers simply for appearing on UCEPROTECT’s blocklist. UCEPROTECT offers a solution for anyone who lands on their lists, though: Pay Up. You see, UCEPROTECT doesn’t care who you are. If their poorly coded sensors decide you’ve done something “bad”, you get listed until you pay them to get delisted. Otherwise you sit on their blacklist for whatever arbitrary expiry period they’ve made up.
If the owners of UCEPROTECT decide they don’t like you, there’s nothing to stop them from changing their policy to leave you on the blacklist forever, because there is ZERO oversight. Again, M247 is a known customer/ingests UCEPROTECT RBLs as of February 2021. M247 has datacenter/network presence in over 110 countries, they provide services for organizations like Microsoft Teams Contact Center, and they provide transit for countless other major companies that you very likely deal with.
BUT RBLs STOP A LOT OF BAD TRAFFIC
They really don’t do that well at stopping spam these days. They were more effective in the 90s when the internet was a fraction of what it is today. For exactly how RBLs and the ecosystem works, Google how RBLs work, or click here, and you’ll get the idea.
The TL;DR is: It’s completely safe to say that UCEPROTECT knows beyond a reasonable doubt that their RBL (it’s literally got BLACKLIST/BLACKHOLE in the fucking NAME) is being used to deny traffic to anyone listed in their RBL. This is why what they are doing is criminal extortion.
As far as the effectiveness of RBLs, it’s pretty widely known that they are garbage and have little to no effect on spam filtering when stacked against modern methods. Machine learning/AI, heuristics, velocity-checking, and other modern techniques are the only solutions that stand a chance at effectively blocking spam in an age where I can swap IPs every 2 minutes via $CLOUDPROVIDER if I want.
If you use an email service that isn’t run by a large corporation like Google/Gmail, Hotmail, Yahoo, etc you already know that you get way more spam on those services. If you don’t, consider yourself lucky I guess. The bottom line is RBL-only based solutions suck, and most small email services are stuck using them because they’re cheaper. Because they suck.
UCEPROTECT AND U
Have you ever thought to yourself “Hmmmm, I like doing legal internet research, so I’ll scan the internet — just like Shodan does!” and then you fire off a masscan? No?? Well, what the fuck? WHY NOT? God damnit, DO IT! You totally should.. it’s fun! Besides, Shodan.io and other public scan repos typically only show you like 50% of the stuff on the internet. In addition to Shodan, there’s Binary Edge (shouts!!), Censys.io, and plenty more — and they’re all perfectly good resources, but there’s something to be said for Doing It Yourself. Plus, there’s a ton to be found doing it solo, so fuckin’ start doing it! It’s 100% legal, it’s not invasive, and it’s not harming anyone. But that’s not what a handful of companies, including UCEPROTECT, want you to believe.
Anyways, if you masscan 0.0.0.0/0 from a dumb provider like Online.net (now Scaleway) you’ll find that your new shiny $50 VPS is cancelled for AUP violation! Yes: if you happen to scan UCEPROTECT’s (really pretty obviously-located) honeypots, they decide to send your provider an email saying “YOU’RE BLACKLISTED; PAY US.” (actual UCEPROTECT email, true story, definitely not embellished to make a point). The hosting provider either pays them the ransom, or Wolfenstein adds your hosting provider’s netblocks/ASN to the RBL and whatever other idiotic companies subscribe to this service will cease to acknowledge your existence.
While it is ultimately the end-user, like M247, who implements a block rule or carries out an AUP violation de-link, they are doing so based on bad information coming from UCEPROTECT. UCEPROTECT claims they can’t possibly know what the companies who ingest their RBLs are doing with the data; unfortunately for UCEPROTECT, the term RBL literally has BLACKLIST/BLACKHOLE in the fucking NAME and therefore it’s obvious what is happening with the data.
WELL FUCK, WHO CARES THOUGH?
You may be thinking “well, I just won’t rent from these small providers that would trust this lunatic, and I’ll be fine.” But that’s where the problem lies.
Massive companies like m247, godaddy, Contabo, and most surprisingly apparently Microsoft are listening to these abuse emails and de-linking other hosting companies that you may very well be using today.
Have a look at these way more professionally written articles and posts:
- UCEPROTECT: When RBLs Go Bad: “Realtime Blackhole Lists (RBLs) can be a great tool in your security arsenal. You may not know you're using them, but…”
- Warning - Ignore Pay for De-Listing Blacklist Service (posted by Geraldine Hunt on Fri, Jan 17th, 2020): “UCEProtect is a public DNSBL, listing IPs that send spam to their spam…”
- UCEPROTECT Blacklist Scam: “Greetings, I am dropping this line to rant about UCEPROTECT, wanting to see if you feel the same way. I was following…”
- UCEProtect and GDPR fallout: “First thing this morning I got an email from a client that they were listed on the UCEProtect Level 3 blacklist…”
Yeah yeah, I get it. It’s not a sexy story. It’s not a sexy thing to even really give a shit about, but this is an escalating war on security researchers who want to remain private.
Back when PACKET.TEL was starting research, many knew who the frontman was (yes hello!) but very few knew some of the other people who did amazing work behind the scenes, or who sat on our board, etc. Some (many) people prefer working without attention, and that’s cool. I simply refused to sign up and “justify” why we were scanning the internet, and submit documentation and ID in order to do something totally legal.
WE WERE SCANNING THE INTERNET BECAUSE FUCK YOU, THAT’S WHY.
I eventually realized I should incorporate, so I went as far as to register the company in a manner that made it impossible for anyone other than law enforcement to obtain the details of my board members. See my name anywhere?
This may shock you, but I’ve never gotten a knock at my door for any activities that PACKET.TEL LLC was involved in. Why? Because we never did anything illegal, we have amazing legal counsel, and we ALWAYS PLAYED LEGALLY. Still, we had our servers terminated almost weekly. I personally lost thousands of dollars due to false claims of “hacking”, generated from simple port scan abuse emails from companies like Hetzner, UCEPROTECT, and randomly Spamhaus. Again, Spamhaus has since corrected the issue. Oddly though, they refuse to admit it was ever a problem. Whatever.
OK GET TO THE POINT
Look, right now it’s jumped from “SPAM BAD” to “SPAM AND PORTSCANNING BAD!” — So, when is it going to jump to “RUNNING HONEYPOT BAD!!” or “SHODAN SAFARI BAD!!!!”?
Many in the infosec community can’t see the Forest For The Trees in situations like this, so then the big jerks like me have to go and cause a scene in order to draw attention to something that may very well have a chilling effect on legitimate, private security research — if it hasn’t already.
Speaking of which, let’s check in with UCEPROTECT, shall we?
Wow! They’ve added 10,000 new direct IPs and 199 ASNs in only a few hours! I’m sure their system isn't being played with like a cheap cat toy right now.
Hilariously, Wolfenstein tried to secretly reset his own counters the other day, because basically all of the tech community has been blasting random SYN packets all over the internet for the past week because of this. haha. I love the internet sometimes. Look at these lolgraphs:
Fuck UCEPROTECT. Fuck Hetzner. Fuck Spamha — no, wait… Spamhaus actually listened and stopped their crap.. whether they want to admit it or not. Spamhaus and friends are still vulnerable to some fun RBL attacks, though… but that’s for another day.
@vc and I have been the only two characters on the internet to successfully stand up to Spamhaus, ever. That includes Google. (Spamhaus’ History Of BS via Wikipedia). I just wanted to point that out because telling the story of Spamhaus’ Bullshit caused a lot of personal problems for us, but we still told it anyways. We earned personal attacks and even death threats, but in the end, you guys kicked ass and I can’t ever thank you enough for helping shape that story into one with a great ending. I’d like to think it serves as a reminder that anyone can take on bullies, especially if they’re trying to trample on your freedom of speech or any other rights you’re legally exercising.
THANKS TO THE ACTUAL GOOD GUYS
Big shouts to GREY NOISE (www.greynoise.io) who knows the difference between spoofable noise that doesn't matter, like a SYN packet, and a 3 way handshake/malicious scan traffic as demonstrated below:
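The distinction GreyNoise draws, and the reason spoof-scanning (see the M247 section above) works against a SYN-counting sensor, is that a bare SYN proves nothing about its source: the sensor’s SYN-ACK is sent to whatever address the SYN claimed, so a spoofer never sees it and can never produce the third packet. Here is an added example of that check as a small sensor-side classifier (my code, not GreyNoise’s platform or anything from the original post); the sensor address, the packet log and the sequence numbers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment as a sensor would log it."""
    src: str
    dst: str
    flags: frozenset  # subset of {"SYN", "ACK"}
    seq: int = 0
    ack: int = 0


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})

ATTRIBUTABLE = "handshake completed: source really talked to us"
UNVERIFIED = "SYN only: source address unverified, could be spoofed"


def classify_sources(packets, sensor_ip: str) -> dict:
    """Return {source_ip: verdict} for every address that sent the sensor a SYN.

    Only a third-packet ACK carrying the sensor's ISN+1 shows the source
    actually received the SYN-ACK; anything less is attributable to nobody.
    State is keyed on source IP for brevity; a real sensor keys on the
    full 4-tuple so that concurrent connections do not collide.
    """
    state = {}  # src -> {"expect_ack": int | None, "done": bool}
    for p in packets:
        if p.dst == sensor_ip and p.flags == SYN:
            state.setdefault(p.src, {"expect_ack": None, "done": False})
        elif p.src == sensor_ip and p.flags == SYN_ACK and p.dst in state:
            # our ISN is p.seq; a genuine peer must acknowledge ISN+1
            state[p.dst]["expect_ack"] = p.seq + 1
        elif p.dst == sensor_ip and p.flags == ACK and p.src in state:
            s = state[p.src]
            if s["expect_ack"] is not None and p.ack == s["expect_ack"]:
                s["done"] = True
    return {src: (ATTRIBUTABLE if s["done"] else UNVERIFIED)
            for src, s in state.items()}


# Constructed sensor log covering the cases that matter.
SENSOR = "192.0.2.50"
SAMPLE_LOG = [
    # 1. honest scanner: full three-way handshake
    Packet("198.51.100.7", SENSOR, SYN, seq=1000),
    Packet(SENSOR, "198.51.100.7", SYN_ACK, seq=424242, ack=1001),
    Packet("198.51.100.7", SENSOR, ACK, seq=1001, ack=424243),
    # 2. spoofed SYN claiming to be 203.0.113.9: the SYN-ACK goes to the
    #    real 203.0.113.9, which never asked, so no matching ACK arrives
    Packet("203.0.113.9", SENSOR, SYN, seq=7),
    Packet(SENSOR, "203.0.113.9", SYN_ACK, seq=987654, ack=8),
    # 3. the spoofer also forges a blind ACK with a guessed ack number;
    #    it does not match ISN+1, so it still proves nothing
    Packet("203.0.113.9", SENSOR, ACK, seq=8, ack=12345),
    # 4. plain SYN-only scan from 192.0.2.200: never completes the handshake
    Packet("192.0.2.200", SENSOR, SYN, seq=1),
    Packet(SENSOR, "192.0.2.200", SYN_ACK, seq=55555, ack=2),
]

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG, SENSOR).items():
        print(f"{src:15} {verdict}")
```

Case 3 is why the sensor’s initial sequence number has to be unpredictable: if an observer could guess it, a blind ACK would forge "proof" that the spoofed address completed a connection. A list that keys on bare SYNs has no such check at all, which is exactly what makes it trivial to get someone else’s netblock listed.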
Andrew Morris and his great team spent countless hours putting together a platform that you can use FREE:
Enterprise subscriptions are reasonably priced.
Most importantly for GreyNoise and most other companies is…
THEY WONT TRY TO EXTORT YOU!!
So that’s why WE ALL LOVE 3-WAYS! I even made this shirt because of all this nonsense!
Look. RBLs were a solution built in the 90s because the internet was a place that only a few losers like me (and maybe you) were on, so building small lists of “bad” ISPs made sense. However, that solution doesn't scale when you have the ability to use a cloud hosting provider for 2 hours and then move to a different provider and continue your operations.
Google’s Security Teams are amazing. They’ve developed some of the best spam blocking technology around, and I’d bet money they don’t solely rely on RBLs to block it. They use intelligent, well-thought-out designs that use velocity, characteristics, trends, and other things in emails to determine if they might be spam. And yes, they maybe still use some RBLs, but I’ll eat my own dick if that’s the only thing they use… and that’s a way safer bet than John McAfee made regarding Bitcoin price (RIP John).
ARE YOU NOT ENTERTAINED?
Don’t worry. This is just the tip of the iceberg! I put my research on hold for a very long time due to the ugliness that Crapps threw my way, but I’m a *really* patient motherfucker. More fun is coming! PACKET.TEL LLC may not exist in the form it once did, but I accidentally paid the bill for my tax ID, so woops. It’s still a thing. Sorry! Might as well get some laughs. ;)
I don’t find a lot to be fun anymore these days, if I’m being honest. But internet research is one area I still dig. So…
If you thought this article ruled, thank you. I love you.
If you thought this article sucked, well. ….haha you’re probably Wolfenstein or Kribz and you can get rekt. Fuck outta here!
Your Best Fiend,
@notdan on twitter.
@notdan on Medium.