Spamhaus rule blocks UNLISTED IP?

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
sven
New Forum User
Posts: 3
Joined: Thu Sep 16, 2010 7:59 am

Spamhaus rule blocks UNLISTED IP?

Post by sven »

Hi,

I added the ASL ruleset to my server; the rules include an IP check of the spamhaus.org blacklist.
Then my own IP (81.82.210.15) was blocked by this rule, but when checking it on spamhaus.org, it says my IP is not listed!

Check results from the spamhaus.org website:
81.82.210.15 is not listed in the SBL
81.82.210.15 is not listed in the PBL
81.82.210.15 is not listed in the XBL

But in my error logs:
[Thu Sep 16 13:46:02 2010] [error] [client 81.82.210.15] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 15.210.82.81.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/apache2/gotrootrules/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "www.easynames.be"] [uri "/images/plan1.jpg"] [unique_id "TJIDelhQw80AACxpHAMAAAAF"]

How can that be?
(When I do an NSLOOKUP of 15.210.82.81.xbl.spamhaus.org on my webserver, it returns:

Server: 88.80.192.118
Address: 88.80.192.118#53

** server can't find 15.210.82.81.xbl.spamhaus.org: NXDOMAIN
)

thanks for any answers!
Sven
sven
New Forum User
Posts: 3
Joined: Thu Sep 16, 2010 7:59 am

Re: Spamhaus rule blocks UNLISTED IP?

Post by sven »

I have now removed the RBL rules and it works fine.

But anyhow, if anyone knows a solution, it's welcome!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Spamhaus rule blocks UNLISTED IP?

Post by mikeshinn »

Are you using the realtime or delayed rules? If you are a realtime rules customer, please send a support request to support@atomicorp.com with your account information (I can't find you in our system, so if you are a customer you need to let us know your account details with your request).

As an aside, this isn't a rule issue. The RBL engine is very simple: if your DNS setup returns a match, mod_Sec will fire; if not, it won't - there's literally no way for the rule to get the answer wrong. Your issue could be a local configuration issue, or just luck - RBLs change in realtime, so you may have just missed it being on their list. One minute it could be on their list, the next it's not.

Again, if you are a paid customer please open a support request and we would be happy to look into this for you, including logging into your system to see if you do have a DNS issue.
sven
New Forum User
Posts: 3
Joined: Thu Sep 16, 2010 7:59 am

Re: Spamhaus rule blocks UNLISTED IP?

Post by sven »

Thanks for the answer!

No, I am not a customer yet, but I'm gonna be soon I think!
(First I will configure my server with the delayed rules; my goal is to be sure my JOOMLA services are really secured... Does the realtime protection offer special protection for this?)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Spamhaus rule blocks UNLISTED IP?

Post by mikeshinn »

> Thanks for the answer!

Our pleasure. We've not seen a case where it's the rule, per se, because the logic is so simple, but we have seen cases where either local or upstream DNS caches records longer than it should. Honestly, that's rare - most of the time it's just that Spamhaus' data is usually nice and dynamic, so by the time you go back and look it has usually changed to reflect the current state of that IP (safe). Of course, the question in this case is: did that happen?

> No, I am not a customer yet, but I'm gonna be soon I think!
> (First I will configure my server with the delayed rules; my goal is to be sure my JOOMLA services are really secured... Does the realtime protection offer special protection for this?)

They do. The realtime rules contain additional security rules, performance enhancements and bug fixes, as well as Just In Time Patches for applications, including Joomla, and Positive Security rules for popular web applications including Joomla.
spaceout
Forum Regular
Posts: 112
Joined: Wed Mar 19, 2008 10:22 pm

Re: Spamhaus rule blocks UNLISTED IP?

Post by spaceout »

I see a lot of false positives if I enable the RBL as well. Including the Google and Yahoo bots :( I'm a customer but I don't know how to check if there is a DNS problem?

Message: [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] Access denied with code 403 (phase 2). RBL lookup of 2.65.249.66.xbl.spamhaus.org succeeded at REMOTE_ADDR.

http://whois.domaintools.com/66.249.65.2

Edit: Facebook also seems to get blocked yet it's not listed on the spamhaus.org site...

Message: [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] Access denied with code 403 (phase 2). RBL lookup of 251.181.63.69.xbl.spamhaus.org succeeded at REMOTE_ADDR.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Spamhaus rule blocks UNLISTED IP?

Post by mikeshinn »

You should contact the RBL operator if you find that their system is returning incorrect answers. As previously mentioned, the code in mod_security is very simple: it just asks your DNS server if there's a match; if your DNS server (or whatever you have configured as DNS on your server) says there is, then it's reported as a match. All that line is telling you is that your DNS server(s) are returning that IP as being on that RBL's list at the time the query is done. RBLs are real-time, they change, so you may be running into cases where the RBL operator recognized the IP was on the list incorrectly and removed it, or someone else reported it as a false positive.

mod_security doesn't control those RBLs or your DNS server(s), so the first place to look is with your DNS, and if your DNS isn't the issue then contact the RBL operator with your false positive report.
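To reproduce outside Apache the check that the RBL rule performs, here is a small Python script. It is an added example, not Atomicorp's rule code and not ModSecurity's own implementation. It builds the reversed-octet query name exactly the way the log line above shows it (81.82.210.15 becomes 15.210.82.81.xbl.spamhaus.org), asks the system resolver, which is the same resolver Apache uses, and then goes one step further than the rule: where the rule counts any returned A record as a hit, the script separates a real XBL listing (answers in 127.0.0.4 to 127.0.0.7) from the 127.255.255.x error answers that Spamhaus documents for queries sent through public/open resolvers or in excessive volume. It also parses the "RBL lookup of ... succeeded" message format from this thread back into the client IP, so an entry from the error log can be re-checked directly. The return-code table is taken from Spamhaus's published documentation and is an assumption of this example; the sample log line and the fake resolver used for testing are constructed here.

```python
import ipaddress
import re
import socket
from typing import Callable, Optional

ZONE = "xbl.spamhaus.org"

# Return codes as published by Spamhaus (assumed here from their documentation).
# 127.0.0.4-127.0.0.7 are XBL listings; the 127.255.255.x codes are error
# answers, not listings, but a check that treats "any A record" as a hit
# (the behaviour mikeshinn describes for mod_security) would still block on them.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
XBL_LOW = ipaddress.IPv4Address("127.0.0.4")
XBL_HIGH = ipaddress.IPv4Address("127.0.0.7")


def rbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the zone.
    81.82.210.15 -> 15.210.82.81.xbl.spamhaus.org, as in the thread's log line."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone


def ip_from_query_name(name: str) -> str:
    """Recover the client IP from a looked-up name (first four labels, reversed)."""
    labels = name.split(".")[:4]
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))


LOG_RE = re.compile(r"RBL lookup of (\S+) succeeded at REMOTE_ADDR")


def ip_from_modsec_line(line: str) -> Optional[str]:
    """Pull the client IP back out of a ModSecurity 'RBL lookup of ...' message."""
    m = LOG_RE.search(line)
    return ip_from_query_name(m.group(1)) if m else None


def classify_answer(answer: Optional[str]) -> str:
    """Turn the A record (None for NXDOMAIN) into a readable verdict."""
    if answer is None:
        return "not listed (NXDOMAIN)"
    if answer in ERROR_CODES:
        return f"error answer {answer}: {ERROR_CODES[answer]}"
    a = ipaddress.IPv4Address(answer)
    if XBL_LOW <= a <= XBL_HIGH:
        return f"listed: {answer} (XBL)"
    return f"unexpected answer {answer}"


def resolve_a(name: str) -> Optional[str]:
    """Ask the system resolver (the one Apache uses) for an A record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:  # NXDOMAIN or resolver failure: no A record
        return None


def check_ip(ip: str, zone: str = ZONE,
             resolver: Callable[[str], Optional[str]] = resolve_a) -> tuple:
    """Return (query name, verdict) for one client IP."""
    name = rbl_query_name(ip, zone)
    return name, classify_answer(resolver(name))


# Constructed sample in the message format shown in the thread.
SAMPLE_LOG = ('[error] [client 81.82.210.15] ModSecurity: Access denied with code 403 '
              '(phase 2). RBL lookup of 15.210.82.81.xbl.spamhaus.org succeeded at '
              'REMOTE_ADDR. [id "350000"]')

if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else ip_from_modsec_line(SAMPLE_LOG)
    name, verdict = check_ip(ip)
    print(f"{ip} -> {name}: {verdict}")
```

Run it with the blocked client's IP as the argument right after a 403 appears, on the same host. If the verdict is an error answer, the problem is the resolver the server is using rather than a listing; if it is "not listed" while the log says the lookup succeeded, the listing changed (or a cached record expired) between the request and the re-check, which is the timing effect described in this thread.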