Beginning last week, our organization started observing a larger than usual number of incoming web site visitors rejected by the UTM's Bad IP Address Reputation filter. Specifically, in the WAF logs, they show up as "Client is listed on DNSRBL fur.cal1.sophosxl.com." It was normal to have one or two of these in a month, but in August it's been 10-20 per day.
This morning I picked one address of a frustrated website visitor who was complaining about seeing a 403/Forbidden error. I plugged the address into a blacklist lookup service (https://www.whatismyip.com/blacklist-check/?iref=ip-lookup) and found it listed on, among others, cbl.abuseat.org. I went to the blacklist site to see if any further details were available, and saw this message:
IMPORTANT: Many CBL/XBL listings are caused by a vulnerability in Mikrotik routers. If you have a Mikrotik router, please check out the Mikrotik blog on this subject and follow the instructions before attempting to remove your CBL listing.
This makes some sense. Lots of consumer and prosumer routers are out there, unflashed and unpatched. But this vuln has been out there for years. Why is it suddenly blossoming now in my Sophos UTM RBL?
I'm curious if anyone else out there is seeing something similar.
Thank you for contacting the Sophos Community.
If possible, please provide me a list of the IPs that you know are legit, so I can check with Labs why the RBL is categorizing them as having a bad reputation. Please send me a PM with the IPs and also the log. You can obscure the log if you want; I actually would only need the IPs.
Also, I am curious if that is the RBL the UTM is using, please run the following commands:
It should tell you which RBL is being used.
Rather than using cc interactively, Emmanuel, I prefer to enter the following command:
cc get reverse_proxy blacklist dnsrbl_zones
Cheers - Bob
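The check that both the UTM's DNSRBL filter and the blacklist lookup site perform is a plain DNS query: reverse the visitor's IPv4 octets, append the RBL zone, and look for an A record in 127.0.0.0/8 (NXDOMAIN means "not listed"). The script below is an added example, not code from this thread or from Sophos, so you can repeat the lookup yourself against whatever zones `cc get reverse_proxy blacklist dnsrbl_zones` prints. The IP 203.0.113.7 is a documentation address and the answers in FAKE_DNS are constructed so the example runs offline; swap in the default `system_resolver` for real queries. It makes no claim about the meaning of any particular return code from fur.cal1.sophosxl.com or cbl.abuseat.org.

```python
import socket
from typing import Callable, Dict, Iterable, Optional

# A DNSBL lookup reverses the IPv4 octets and prefixes them to the zone:
# 203.0.113.7 checked against cbl.abuseat.org is queried as
# 7.113.0.203.cbl.abuseat.org. An A record in 127.0.0.0/8 means "listed"
# (the last octet encodes the list's reason code); NXDOMAIN means "not listed".

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def system_resolver(name: str) -> Optional[str]:
    """Resolve via the OS resolver; None on NXDOMAIN or no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(ip: str, zone: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the 127.x.x.x answer if ip is listed in zone, else None.

    Anything outside 127.0.0.0/8 is treated as not listed: that is the usual
    sign of a wildcarded or defunct zone (or a captive resolver), not a listing.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None or not answer.startswith("127."):
        return None
    return answer


def dnsbl_check_all(ip: str, zones: Iterable[str], resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Check one IP against several zones; returns {zone: answer} for hits only."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = dnsbl_check(ip, zone, resolve)
        if answer is not None:
            hits[zone] = answer
    return hits


# Constructed stand-in for DNS so the example runs offline (assumed data, not real listings).
FAKE_DNS = {
    "7.113.0.203.cbl.abuseat.org": "127.0.0.2",   # listed
    "7.113.0.203.dead.example": "10.0.0.1",       # bogus non-127 answer, must not count
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    zones = ["cbl.abuseat.org", "zen.spamhaus.org", "dead.example"]
    print(dnsbl_check_all("203.0.113.7", zones, fake_resolver))
```

When a visitor complains about a 403, run `dnsbl_check_all` with the UTM's configured zones and the real resolver from the UTM itself (or a host using the same DNS forwarders), since a differing resolver can give a different answer for the same zone.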
Thank you for the TIP!