Beginning last week, our organization started observing a larger than usual number of incoming web site visitors rejected by the UTM's Bad IP Address Reputation filter. Specifically, in the WAF logs, they show up as "Client is listed on DNSRBL fur.cal1.sophosxl.com." It was normal to have one or two of these in a month, but in August it's been 10-20 per day.
This morning I picked one address of a frustrated website visitor who was complaining about seeing a 403/Forbidden error. I plugged the address into a blacklist lookup service (https://www.whatismyip.com/blacklist-check/?iref=ip-lookup) and found it listed on, among others, cbl.abuseat.org. I went to the blacklist site to see if any further details were available, and saw this message:
IMPORTANT: Many CBL/XBL listings are caused by a vulnerability in Mikrotik routers. If you have a Mikrotik router, please check out the Mikrotik blog on this subject and follow the instructions before attempting to remove your CBL listing.
This makes some sense. Lots of consumer and prosumer routers are out there, unflashed and unpatched. But this vuln has been out there for years. Why is it suddenly blossoming now in my Sophos UTM RBL?
I'm curious if anyone else out there is seeing something similar.
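The WAF message above is the result of an ordinary DNSBL lookup: the client's IPv4 octets are reversed, prefixed to the zone name (here fur.cal1.sophosxl.com or cbl.abuseat.org), and an A record in 127.0.0.0/8 means "listed" while NXDOMAIN means "clean". The script below reproduces that check so a visitor's address can be verified against the same zones before raising a ticket. It is an added example, not code from the original post or from Sophos; the zen.spamhaus.org zone is an assumed extra, the fur.cal1.sophosxl.com zone is included only because the log names it (whether it answers public queries is not something this page establishes), and the interpretation of individual 127.0.0.x return codes is left to each zone's documentation.

```python
"""DNSBL lookup helper (added example, not from the original post or Sophos).

Standard library only. The one network call is isolated in resolve_a() so the
query-name construction and response interpretation can be exercised offline.
"""
import ipaddress
import socket
import sys

# Zones named in the post plus one assumed extra (zen.spamhaus.org).
DNSBL_ZONES = ["cbl.abuseat.org", "fur.cal1.sophosxl.com", "zen.spamhaus.org"]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for ip under zone.

    IPv4: octets reversed (192.0.2.10 -> 10.2.0.192.<zone>).
    IPv6: all 32 nibbles of the expanded address reversed, one per label.
    Raises ValueError for anything that is not an IP address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def interpret_listing(answers):
    """Interpret the A records returned for a DNSBL query.

    An empty answer list (NXDOMAIN) means not listed. Answers in 127.0.0.0/8
    are listing codes. Any other answer is reported as suspicious: it usually
    means a resolver or captive portal is wildcarding the zone, not a listing.
    """
    codes, suspicious = [], []
    for a in answers:
        if ipaddress.ip_address(a) in LISTED_RANGE:
            codes.append(a)
        else:
            suspicious.append(a)
    return {"listed": bool(codes), "codes": codes, "suspicious": suspicious}


def resolve_a(name: str):
    """Network call: return all IPv4 A records for name, [] when it does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_ip(ip: str, zones=DNSBL_ZONES, resolver=resolve_a):
    """Check one address against every zone; resolver is injectable for offline use."""
    return {zone: interpret_listing(resolver(dnsbl_query_name(ip, zone)))
            for zone in zones}


if __name__ == "__main__":
    # Usage: python dnsbl_check.py 192.0.2.10 198.51.100.7
    for client_ip in sys.argv[1:]:
        for zone, result in check_ip(client_ip).items():
            status = "LISTED " + ",".join(result["codes"]) if result["listed"] else "clean"
            if result["suspicious"]:
                status += " (non-127/8 answer: " + ",".join(result["suspicious"]) + ")"
            print(f"{client_ip:16} {zone:28} {status}")
```

Run it with the complaining visitor's address as the argument; an address that shows 127.0.0.x under cbl.abuseat.org but nothing under the other zones tells you which list the UTM is acting on, and a non-127/8 answer is the first thing to rule out before blaming the reputation feed.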