WAF 350000
Rule ID
350000
Alert Message
Global RBL Match: IP is on the xbl.spamhaus.org Blacklist
Description
This rules detects that an IP address connecting to your server is listed on the xbl.spamhaus.org blacklist run by the SpamHaus project. They describe this RBL as:
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
False Positives
There are no known False Positives for this, however if you believe this is a false positive, it is recommended that you report this to the spamhaus project. Atomicorp does not run this RBL, and therefore can not address false positives with IPs. You can access their website here:
Configuration Notes'
This ruleset requires a very fast local DNS server. If you do not have a local and fast DNS server, you should not use RBL rules. The system will not serve up any webpages until the DNS lookup completes, and if you do not have a fast local DNS server this can result in the false impression that the web server is "slow". The server is actually not impacted by the rules, the server is simply waiting on the DNS server to respond to a query. So the web server, when using RBL rules, will only be as fast as the DNS server it is using.
Similar Rules
Outside References