Difference between revisions of "WAF 350000"

From Atomicorp Wiki
Jump to: navigation, search
m
m
Line 9: Line 9:
 
'''Description'''   
 
'''Description'''   
  
This rules detects that an IP address connecting to your server is listed on the xbl.spamhaus.org blacklist run by the SpamHaus project.  They describe this RBL as:
+
This optional rule detects that when an IP address connecting to your server is listed on the xbl.spamhaus.org blacklist run by the SpamHaus project.  They describe this RBL as:
  
 
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
 
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
Line 15: Line 15:
 
'''False Positives'''
 
'''False Positives'''
  
There are no known False Positives for this, however if you believe this is a false positive, it is recommended that you report this to the spamhaus project.  '''Atomicorp does not run this RBL, and therefore can not address false positives with IPs.'''  You can access their website here:
+
If you believe this is a false positive, report this to the spamhaus project.  '''Atomicorp does not run this RBL, and therefore can not address false positives with IPs.'''  You can access their website here:
  
 
http://www.spamhaus.org/xbl/
 
http://www.spamhaus.org/xbl/

Revision as of 12:14, 29 October 2012

Rule ID

350000

Alert Message

Global RBL Match: IP is on the xbl.spamhaus.org Blacklist

Description

This optional rule detects that when an IP address connecting to your server is listed on the xbl.spamhaus.org blacklist run by the SpamHaus project. They describe this RBL as:

"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."

False Positives

If you believe this is a false positive, report this to the spamhaus project. Atomicorp does not run this RBL, and therefore can not address false positives with IPs. You can access their website here:

http://www.spamhaus.org/xbl/

Configuration Notes

This ruleset requires a very fast local DNS server. If you do not have a local and fast DNS server, you should not use RBL rules. The system will not serve up any webpages until the DNS lookup completes, and if you do not have a fast local DNS server this can result in the false impression that the web server is "slow". The server is actually not impacted by the rules, the server is simply waiting on the DNS server to respond to a query. So the web server, when using RBL rules, will only be as fast as the DNS server it is using.

Similar Rules

WAF_377777

Outside References

http://www.spamhaus.org/

Personal tools