large increase in IP addresses blocked by Sophos RBL

Beginning last week, our organization started observing a larger than usual number of incoming web site visitors rejected by the UTM's Bad IP Address Reputation filter. Specifically, in the WAF logs, they show up as "Client is listed on DNSRBL fur.cal1.sophosxl.com." It was normal to have one or two of these in a month, but in August it's been 10-20 per day. 

This morning I picked one address of a frustrated website visitor who was complaining about seeing a 403/Forbidden error. I plugged the address into a https://www.whatismyip.com/blacklist-check/?iref=ip-lookupblacklist lookup service and found it listed on, among others, cbl.abuseat.org. I went to the blacklist site to see if any further details were available, and saw this message:

IMPORTANT: Many CBL/XBL listings are caused by a vulnerability in Mikrotik routers. If you have a Mikrotik router, please check out the Mikrotik blog on this subject and follow the instructions before attempting to remove your CBL listing.

This makes some sense. Lots of consumer and prosumer routers are out there, unflashed and unpatched. But this vuln has been out there for years. Why is it suddenly blossoming now in my Sophos UTM RBL?

I'm curious if anyone else out there is seeing something similar. 

  • Hello JoeStern,

    Thank you for contacting the Sophos Community.

    If possible, please provide me a list of the IPs that you know are legit, so I can check with Labs why the RBL is categorizing them as having a bad reputation. Please send me a PM with the IPs and also the log. You can obscure the log if you want; I actually would only need the IPs.

    Also, I am curious if that is the RBL the UTM is using, please run the following commands:

    cc

    reverse_proxy

    blacklist

    dnsrbl_zones@

    It should tell you which RBL is being used.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    I can give you one of the IP addresses I checked, which belongs to a real person who wanted to visit the website; however, I cannot confirm anything about the state of the network she connected from (i.e. whether or not her router is compromised by spam bots).

    https://www.abuseat.org/lookup.cgi?ip=65.155.125.70

    I generally trust SpamHaus to know about sources of spam. This lady probably does have a problem in her environment. However, that's not so much my concern. I would like for her to be able to get to our UTM-protected website.

    Is it possible to fine-tune the UTM's blocklist to exclude SpamHaus? I'm more concerned about the Russian and Chinese IPs trying to reach misconfigured login pages that show up as soon as I disable the bad reputation filter.

  • Hello JoeStern,

    I searched and it does seem like that IP is blacklisted in our Portal. I opened a case with Labs (LAB-53096) for them to confirm, and see if they can find more info on this.

    You could create a WAF Exception for that Public IP to skip the Bad reputation check. and the UTM-Protected website.

    We check Spamhaus XBL for listing reputation. Do you also have Skip remote lookups for clients with bad reputation enabled?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Rather than using cc interactively, Emmanuel, I prefer to enter the following command:

    cc get reverse_proxy blacklist dnsrbl_zones

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob, 

    Thank you for the TIP!

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Joe, I had gotten Emmanuel involved in this earlier, and he had no idea this was the same problem.

    He just got another answer from Sophos Labs.  Unblock requests can be entered at https://www.sophos.com/en-us/labs.aspx, as well as at sorbs.net in your case.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
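
Added example, not part of any post in this thread: a Python script that quantifies the increase described in the opening post by tallying "Client is listed on DNSRBL" rejections per day and zone, and builds the DNSBL query name for each blocked client so it can be re-checked. The log line layout (timestamp prefix and `[client ...]` field), the dates and the addresses are constructed assumptions; only the message text and the zone names come from the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines. Only the quoted message text comes from the thread;
# the timestamp and [client ...] layout are assumptions about the log format.
SAMPLE_LOG = """\
2018:08:20-09:14:02 utm reverseproxy: [client 192.0.2.15] Client is listed on DNSRBL fur.cal1.sophosxl.com
2018:08:20-09:14:05 utm reverseproxy: [client 192.0.2.15] Client is listed on DNSRBL fur.cal1.sophosxl.com
2018:08:20-11:02:40 utm reverseproxy: [client 198.51.100.7:51514] Client is listed on DNSRBL fur.cal1.sophosxl.com.
2018:08:20-11:03:00 utm reverseproxy: [client 203.0.113.9] GET /index.html 200
2018:08:21-08:30:11 utm reverseproxy: [client 203.0.113.44] Client is listed on DNSRBL fur.cal1.sophosxl.com
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}:\d{2}:\d{2})-\S+ .*?"
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\].*?"
    r"Client is listed on DNSRBL (?P<zone>\S+)"
)


def dnsbl_query_name(ip, zone):
    """Return the DNS name a resolver looks up to test `ip` against `zone`."""
    # reverse_pointer yields e.g. "15.2.0.192.in-addr.arpa"; drop the arpa suffix.
    reversed_ip = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_ip}.{zone}"


def summarize(log_text):
    """Map (day, zone) -> number of rejections and the distinct client IPs."""
    hits = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DNSRBL rejection
        key = (m["day"], m["zone"].rstrip("."))  # tolerate a trailing full stop
        hits[key] += 1
        clients[key].add(m["ip"])
    return {k: {"hits": hits[k], "clients": sorted(clients[k])} for k in hits}


if __name__ == "__main__":
    for (day, zone), row in sorted(summarize(SAMPLE_LOG).items()):
        print(day, zone, row["hits"], "hits from", len(row["clients"]), "clients")
        for ip in row["clients"]:
            print("   re-check name:", dnsbl_query_name(ip, zone))
```

Counting distinct clients separately from hits keeps one visitor who retries repeatedly from looking like a surge in listed addresses.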