WAF rule 397999 blocking legit IE 6 users

Posted: Wed Oct 30, 2013 8:50 am
by prupert
We noticed that WAF rule 397999 is blocking legit IE 6 user agents. Although this browser is very outdated, some people are still using it, and they should not be prevented from viewing a web page. Apart from that, we have also had reports of IE 8 users being blocked because of this rule, perhaps because of the regexp match on the user agent string. A false positive has been reported.

As a temporary measure I recommend that everyone disable rule 397999 if you don't want to block old IE clients.

asl --disable-rule 397999

Re: WAF rule 397999 blocking legit IE 6 users

Posted: Wed Oct 30, 2013 9:13 am
by biggles
I would love to have a re-direct to http://www.ie6countdown.com/educate-others.aspx

Re: WAF rule 397999 blocking legit IE 6 users

Posted: Wed Oct 30, 2013 11:11 am
by mikeshinn
We could make that redirect the default for that rule, and make the rule not shun by default.

I'd caution against that though; we added this rule because the percentage of malicious bots pretending to be MSIE6 versus actual MSIE6 users is so lopsided it was stopping nothing but attacks on all our honeypots and test customers. So, maybe a good compromise is a default redirect.

But if you guys have a lot of MSIE6 customers, that would be good to know. We do recognize we're in a slightly different business and maybe our honeypots and test customers don't see MSIE6 as much as you may. So your feedback on these kinds of rules would be invaluable.

Re: WAF rule 397999 blocking legit IE 6 users

Posted: Wed Oct 30, 2013 3:06 pm
by prupert
Of course it is absurd that some people are still using MSIE 6; in our experience they are a rarity as well. They are now shut out of accessing web sites that are hosted on machines protected by the ASL WAF by default because of this new rule. Is that side-effect really necessary to combat bad bots?

That said, we suspect that other versions (non-IE6) are also being blocked by WAF rule 397999. See the false positive report filed under ASL case 29571.

Re: WAF rule 397999 blocking legit IE 6 users

Posted: Wed Oct 30, 2013 4:24 pm
by mikeshinn
The rule definitely can't block MSIE7-9; they never ever send a UA that contains:

Mozilla/4\.0 \(compatible\; MSIE 6\.0)

And that's what this rule looks for.

Re: WAF rule 397999 blocking legit IE 6 users

Posted: Thu Oct 31, 2013 1:25 pm
by mikeshinn
And the rule is now set to not shun by default.

Re: WAF rule 397999 blocking legit IE 6 users

Posted: Fri Nov 01, 2013 2:17 pm
by faris
Yeah, I was horrified to find a customer shunned because they were using IE6. Not because they were shunned, but because I didn't imagine anyone would be using IE6. It implies the system it is being run on potentially (and most likely) has not had security updates applied for years.

This does bring up an interesting point about being notified of major changes, which I'll post about separately.