uceprotect.net claims to provide a blacklist of IP addresses that send spam. SMTP server operators can query the blacklist, and know to refuse mail from these IP addresses. That’s the theory. But there’s a problem though: uceprotect blocks IP address that do not send mail at all, much less send spam.
This is not that another IP in the same /24 subnet sent mail (Level 2 listing). Neither is it that another IP in the same autonomous system (AS) sent mail (Level 3 listing). No mail was sent. The amount of mail was zero. Nothing at all. The packet logs say it is so. They might have seen something, but it was not the sending of spam.
Uceprotect said a “SMTP impact” happened at this time, give or take one minute. They say our IP 192.0.46.200 sent SPAM. But it didn’t. It didn’t even send mail. We recorded every single packet on port 25/tcp. Nothing happened.
Reported incident timestamp:
2026-03-25 12:10:00 192.0.46.204Actual port 25/tcp traffic: we receive SYN’s and do not respond, and that’s all there is to it:
2026-03-25 09:59:36.174159 71.6.232.29.51246 > 192.0.46.204.25: Flags [S], seq 871362540, win 65535, options [mss 1460], length 0
2026-03-25 12:19:10.881113 89.42.231.182.40000 > 192.0.46.204.25: Flags [S], seq 1972282639, win 65535, length 0
2026-03-25 12:36:24.409636 65.49.1.73.50384 > 192.0.46.204.25: Flags [S], seq 2148688865, win 65535, length 0Don’t use uceprotect.net. They are blacklisting IPs for criteria other than sending SMTP – e.g. phoning in to a botnet, or doing some kind of non-SMTP scan. To prevent these IPs from sending SMTP when they have never sent SMTP is prior restraint. The claim that these IPs send mail is false.
Uceprotect.net is living in the past, where filtering port 25 was not an option, and every botnet could send spam.
Wait for uceprotect to publish the real criteria they use for listing, so that you can evaluate whether the listed IP’s correspond to your needs.
