WAF rule "Block clients with bad reputation"

It sounds like the RBL is being populated too aggressively.   They recently had a problem with a change to ClamAV that started blocking good email as hostile, so one possibility is that the two problem are somehow related.   At any rate, the same RBL is probably used for all installations and all versions of UTM.   Please open a ticket with Sophos Support.

Still an issue and here is what I found it seem they want to blacklist all ip addresses and don't care if it causes all kinds of issues

Outbound Email Policy of The Spamhaus Project for this IP range:

This IP address range has been identified by Spamhaus as not meeting our policy for IP addresses permitted to deliver unauthenticated 'direct-to-mx' email to PBL users.

Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on "SMTP Authentication" in your email program settings. For help with SMTP Authentication or ways to quickly fix this problem click here.

See also: http://www.spamhaus.org/faq/section/Spamhaus%20PBL

I guess that I figured this out sometime after the original post.

RBLs were created to block unwanted email, so the lists exclude any IP address that should not be running a mail server.   For example, if you are running a mail server from your cell phone, then your cell phone is probably infected with malware.   As a result, the RBLs include:

• Know bad actors
• IP addresses that are dynamically assigned, especially residential addresses (and apparently cell phones as well).

You could use both types of filtering for WAF if your WAF users were always connecting from a major business with a static IP address, and never from home or a hotel.   In most cases, this is not workable. 

There are actually two elements to this configuration:

• Block clients with bad reputation
• Skip remote lookups for clients with bad reputation

The first option uses a GeoIP database to exclude bad actors.   I have not yet used it, but another person on this forum has done so successfully.  So you want this optioin enabled, probably always.

Remote lookups are what use the RBLs.   Since the RBLs are poorly suited for WAF purposes, you will almost always want this option selected, so that the RBL is ignored.

By checking both options, you should be able to block some of the bad guys while still allowing access for your home users and cell phone users.

I guess that I figured this out sometime after the original post.

RBLs were created to block unwanted email, so the lists exclude any IP address that should not be running a mail server.   For example, if you are running a mail server from your cell phone, then your cell phone is probably infected with malware.   As a result, the RBLs include:

• Know bad actors
• IP addresses that are dynamically assigned, especially residential addresses (and apparently cell phones as well).

You could use both types of filtering for WAF if your WAF users were always connecting from a major business with a static IP address, and never from home or a hotel.   In most cases, this is not workable. 

There are actually two elements to this configuration:

• Block clients with bad reputation
• Skip remote lookups for clients with bad reputation

The first option uses a GeoIP database to exclude bad actors.   I have not yet used it, but another person on this forum has done so successfully.  So you want this optioin enabled, probably always.

Remote lookups are what use the RBLs.   Since the RBLs are poorly suited for WAF purposes, you will almost always want this option selected, so that the RBL is ignored.

By checking both options, you should be able to block some of the bad guys while still allowing access for your home users and cell phone users.