
Facebook blocked by DNSRBL (black.rbl.ctipd.astaro.local)

A colleague found that he cannot create a Facebook post linking to our company blog post (internal server behind UTM9 WebServer Protection). It seems... that the Facebook IP has been blacklisted by DNSRBL (black.rbl.ctipd.astaro.local)...

I've no idea who I should report this to, if at all, so I'm writing here asking for directions for the future.

For reference, here's the log:

2018:07:31-10:17:58 firewall httpd[5579]: [authz_blacklist:warn] [pid 5579:tid 4113341296] [client 31.13.124.204:18428] Client is listed on DNSRBL black.rbl.ctipd.astaro.local
2018:07:31-10:17:58 firewall httpd: id="0299" srcip="31.13.124.204" localip="<REDACTED>" size="246" user="-" host="31.13.124.204" method="GET" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL black.rbl.ctipd.astaro.local" exceptions="-" time="49875" url="/about-us/news/Pages/DevMonday--5.aspx" server="<REDACTED>" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W2AbNqwQBQEAABXLlagAAAA0"
2018:07:31-10:19:44 firewall httpd[5579]: [security2:error] [pid 5579:tid 3800939376] [client 66.249.73.91] ModSecurity: Rule 89648d0 [id "981004"][file "/usr/apache/conf/waf/modsecurity_crs_outbound.conf"][line "84"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "<REDACTED>"] [uri "/solutions/sharepoint"] [unique_id "W2Abn6wQBQEAABXLlakAAABZ"]
2018:07:31-10:19:44 firewall httpd[5579]: [security2:error] [pid 5579:tid 3800939376] [client 66.249.73.91] ModSecurity: Rule 87dd458 [id "970003"][file "/usr/apache/conf/waf/modsecurity_crs_outbound.conf"][line "123"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "<REDACTED>"] [uri "/solutions/sharepoint"] [unique_id "W2Abn6wQBQEAABXLlakAAABZ"]

 

EDIT:

What's strange is that I also went to https://dnsrbl.org/delist.html to manually check the IP (assuming this IS the official DNSRBL site), and that IP was never listed... yet, it's clear UTM thinks it is... What's going on?



  • Hi Mateusz,

    black.rbl.ctipd.astaro.local is the local cache of the Cyren IP Reputation check. You can check the reputation of your IP address at http://www.cyren.com/ip-reputation-check.html.

    While waiting for this to be fixed, just make an exception for this for your IP and related FQDNs.

    Cheers - Bob
    PS Moving this to the Web Server Security forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
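
An added example, not part of the thread and not Sophos code: a small parser for the WAF access-log format quoted in the question, which lists every client rejected with reason="dnsrbl", the zone named in the log, and the URLs affected, so you know which reputation list to check and which sources need an exception. The second log line is constructed, and the reversed-octet query name follows the usual DNSBL convention (RFC 5782); that the UTM's local cache is keyed this way is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the access-log line from the post (redactions kept) plus one
# constructed line for an allowed request, to show that it is ignored.
SAMPLE_LOG = '''\
2018:07:31-10:17:58 firewall httpd: id="0299" srcip="31.13.124.204" localip="<REDACTED>" size="246" user="-" host="31.13.124.204" method="GET" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL black.rbl.ctipd.astaro.local" exceptions="-" time="49875" url="/about-us/news/Pages/DevMonday--5.aspx" server="<REDACTED>" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="W2AbNqwQBQEAABXLlagAAAA0"
2018:07:31-10:18:02 firewall httpd: id="0299" srcip="192.0.2.10" localip="<REDACTED>" size="5120" user="-" host="192.0.2.10" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1200" url="/" server="<REDACTED>" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="constructed"
'''

KV = re.compile(r'([\w-]+)="([^"]*)"')              # key="value" pairs
DNSRBL_ZONE = re.compile(r'listed on DNSRBL (\S+)')  # zone named in extra=

def parse_line(line):
    """Return the key="value" fields of one WAF access-log line as a dict."""
    return dict(KV.findall(line))

def dnsrbl_blocks(log_text):
    """Map each source IP rejected with reason="dnsrbl" to its zone and URLs."""
    blocked = defaultdict(lambda: {"zone": None, "urls": []})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("reason") != "dnsrbl" or fields.get("statuscode") != "403":
            continue  # not a DNSRBL rejection (also skips the ModSecurity lines)
        match = DNSRBL_ZONE.search(fields.get("extra", ""))
        entry = blocked[fields["srcip"]]
        entry["zone"] = match.group(1) if match else None
        entry["urls"].append(fields.get("url", ""))
    return dict(blocked)

def dnsbl_query_name(ipv4, zone):
    """Reversed-octet lookup name (RFC 5782 convention; assumed for this zone)."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone

if __name__ == "__main__":
    for ip, info in dnsrbl_blocks(SAMPLE_LOG).items():
        print(ip, info["zone"], info["urls"], dnsbl_query_name(ip, info["zone"]))
```

The zone printed for each client is the list the UTM actually consulted, which is the one to check before requesting a delisting or adding an exception.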