large increase in IP addresses blocked by Sophos RBL

Beginning last week, our organization started observing a larger than usual number of incoming web site visitors rejected by the UTM's Bad IP Address Reputation filter. Specifically, in the WAF logs, they show up as "Client is listed on DNSRBL fur.cal1.sophosxl.com." It was normal to have one or two of these in a month, but in August it's been 10-20 per day. 

This morning I picked one address of a frustrated website visitor who was complaining about seeing a 403/Forbidden error. I plugged the address into a blacklist lookup service (https://www.whatismyip.com/blacklist-check/?iref=ip-lookup) and found it listed on, among others, cbl.abuseat.org. I went to the blacklist site to see if any further details were available, and saw this message:

IMPORTANT: Many CBL/XBL listings are caused by a vulnerability in Mikrotik routers. If you have a Mikrotik router, please check out the Mikrotik blog on this subject and follow the instructions before attempting to remove your CBL listing.

This makes some sense. Lots of consumer and prosumer routers are out there, unflashed and unpatched. But this vuln has been out there for years. Why is it suddenly blossoming now in my Sophos UTM RBL?

I'm curious if anyone else out there is seeing something similar. 
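The UTM's "Client is listed on DNSRBL" check is an ordinary DNS blocklist lookup: the visitor's IPv4 octets are reversed, the zone name is appended, and an A record in 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The script below, added here as an illustration and not part of the original post or of Sophos's product, reproduces that lookup so an administrator can verify for themselves whether a complaining visitor's address is listed, and also runs the RFC 5782 zone sanity test (127.0.0.2 must be listed, 127.0.0.1 must not be). That second test matters for a sudden surge like the one described: a zone that has gone dead or started answering positively for every query would reject every visitor. Assumptions: `cbl.abuseat.org` is the zone named in the post; `fur.cal1.sophosxl.com` is the zone from the log line and is assumed here to answer standard DNSBL-style queries (substitute whatever `cc get reverse_proxy blacklist dnsrbl_zones` reports); `203.0.113.45` and the fake resolver table are constructed sample data.

```python
"""Reproduce a DNSRBL lookup for a visitor IP and sanity-check the zone itself.

Added example; not Sophos code. Works offline through an injectable resolver.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# cbl.abuseat.org is the list named in the post. The UTM zone from the WAF log
# line is ASSUMED to answer ordinary DNSBL queries; replace with the output of
# `cc get reverse_proxy blacklist dnsrbl_zones` on your own UTM.
DEFAULT_ZONES = ["cbl.abuseat.org", "fur.cal1.sophosxl.com"]

Resolver = Callable[[str], str]  # name -> A record, raises socket.gaierror on NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def lookup_zone(ip: str, zone: str, resolve: Resolver = socket.gethostbyname) -> Optional[str]:
    """Return the A record the zone answers with (e.g. 127.0.0.2) when the IP is
    listed, or None when the zone answers NXDOMAIN (not listed)."""
    try:
        return resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def check_ip(ip: str, zones=DEFAULT_ZONES,
             resolve: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Query every zone for one IP; the dict maps zone -> answer (None = not listed)."""
    return {zone: lookup_zone(ip, zone, resolve) for zone in zones}


def is_listed_anywhere(results: Dict[str, Optional[str]]) -> bool:
    """Only answers inside 127.0.0.0/8 count as listings; anything else is an
    unexpected answer (misconfigured or hijacked zone), not a verdict."""
    return any(v is not None and v.startswith("127.") for v in results.values())


def zone_sanity_check(zone: str, resolve: Resolver = socket.gethostbyname) -> str:
    """RFC 5782 test addresses: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    Returns 'ok', 'dead' (test listing missing) or 'wildcard' (lists everything)."""
    if lookup_zone("127.0.0.1", zone, resolve) is not None:
        return "wildcard"
    if lookup_zone("127.0.0.2", zone, resolve) is None:
        return "dead"
    return "ok"


def constructed_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS: answers from a constructed table, NXDOMAIN otherwise."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    # Live run against real DNS; 203.0.113.45 is a constructed (TEST-NET-3) sample.
    for zone in DEFAULT_ZONES:
        print(zone, "zone status:", zone_sanity_check(zone))
    print(check_ip("203.0.113.45"))
```

Run it with a visitor's real address in place of the sample to compare your own result with the UTM's verdict; a "wildcard" or "dead" status for a zone is the first thing to look at when rejections jump from a couple a month to dozens a day.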

  • Hello JoeStern,

    Thank you for contacting the Sophos Community.

    If possible, please provide me a list of the IPs that you know are legit, so I can check with Labs why the RBL is categorizing them as having a bad reputation. Please send me a PM with the IPs and also the log. You can obscure the log if you want; I actually would only need the IPs.

    Also, I am curious if that is the RBL the UTM is using, please run the following commands:

    cc

    reverse_proxy

    blacklist

    dnsrbl_zones@

    It should tell you which RBL is being used.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • Rather than using cc interactively, Emmanuel, I prefer to enter the following command:

    cc get reverse_proxy blacklist dnsrbl_zones

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA