From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: Web Site blocked as hostile. Not sure if this is correct or not
Date: Tue, 15 Aug 2023 15:51:00 +0000
Message-ID: <104477fe-009c-41f5-9723-c590b72231ce@ipfire.org>

Hello Adolf,

thank you for raising this.

There used to be a time where Peg Tech Inc. was hijacking a lot of stolen AFRINIC
IPv4 networks. They have a conglomerate of Autonomous Systems, I'll look into it
and see whether the issue is still ongoing.

That having been said, a lot of Autonomous Systems being manually listed in the
"hostile networks" category stems from Spamhaus ASN-DROP listings. Alas, this feed
was suspended in October 2021, and I am not aware of any other publicly available
ASN blocklist that offers a comparable false positive rate.

As soon as ASN-DROP - eventually - comes back, I hope to ditch most of our custom
hostile entries for Autonomous Systems. My gut feeling is that the approach of just
incorporating their data works pretty well with the (E)DROP lists, and saves us an
ongoing maintenance task for which I unfortunately lack spare time at the moment. :-/

Thanks, and best regards,
Peter Müller

> Hi Peter,
>
> Searched in the spamhaus drop.txt file and there is only one network range that starts with 107 and that is
>
> 107.182.240.0/20 ; SBL390277
>
> Peg Tech Inc are using 107.148.0.0/15 so definitely not in the range of any of the spamhaus drop IPs.
>
> Just checked the spamhaus edrop list and that has IP ranges that no closer to not covering Peg Tech Inc.
>
>
> Based on the above I think I am coming to the conclusion that the problem in bug#13236 is also causing this problem but where, when libloc is updated the hostile networks flag is set on this IP range even though neither of the spamhaus drop lists include it.
>
> I think I will add it as additional input into the bug#13236 report later on today.
>
> Regards,
> Adolf.
>
> On 15/08/2023 15:37, Adolf Belka wrote:
>> Hi Peter,
>>
>> I am getting a DROP_HOSTILE for a web site, oldlinux.org
>>
>> Looking in libloc it shows up as hostile
>>
>> location lookup 107.148.241.134
>> 107.148.241.134:
>>   Network                 : 107.148.0.0/15
>>   Country                 : United States of America
>>   Autonomous System       : AS54600 - PEGTECHINC
>>   Hostile Network safe to drop: yes
>>
>> However in spamhaus it says that oldlinux.org and 107.148.241.134 have no issues.
>>
>> I ran a couple of blacklist checkers on the ip.
>> blacklistchecker.com came back with a pass on everything.
>> dnschecker.org came back with a pass on everything except from dnsbl.spfbl.net who have it flagged because it doesn't have an rDNS
>>
>> With the problems we are having currently with selective announcements of networks, I wasn't sure if this problem I have encountered is coming from the libloc database or is a real problem.
>>
>> oldlinux is hosted on the network from Peg Tech Inc hosting so maybe they are a hoster of hostile networks but I don't know how to confirm this.
>>
>> I wasn't sure about raising a new bug on this, or adding it to bug#13236, in case it was a real hostile network and should be blocked.
>>
>>
>> Hoping you can help me with this.
>>
>> Regards,
>>
>> Adolf.
>>
>
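
Added example, not part of the original thread and not IPFire or libloc code: the manual DROP/EDROP lookup described in the quoted messages, done as a CIDR overlap test so that both the single address and the whole libloc network are checked. It assumes the "CIDR ; SBL id" line format of the entry quoted above; the function names and the sample list are constructed for illustration.

```python
import ipaddress

# Constructed sample in the Spamhaus DROP text format ("CIDR ; SBL id").
# Only the 107.182.240.0/20 entry is quoted in the thread; the other
# entry uses a documentation range and is made up for illustration.
SAMPLE_DROP = """\
; Constructed sample, not a real copy of drop.txt
192.0.2.0/24 ; SBL000000
107.182.240.0/20 ; SBL390277
"""

def parse_drop(text):
    """Return [(network, sbl_id)] from DROP-format text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            continue  # tolerate malformed lines instead of aborting
        entries.append((net, ref.strip()))
    return entries

def drop_matches(target, entries):
    """Entries that overlap `target`, given as an address or a CIDR."""
    net = ipaddress.ip_network(target, strict=False)
    # overlaps() raises on mixed IPv4/IPv6, so compare versions first.
    return [(n, ref) for n, ref in entries
            if n.version == net.version and n.overlaps(net)]

if __name__ == "__main__":
    entries = parse_drop(SAMPLE_DROP)
    # Address and network from the libloc output, plus one listed address.
    for target in ("107.148.241.134", "107.148.0.0/15", "107.182.241.10"):
        hits = drop_matches(target, entries)
        print(target, "->", [f"{n} ({ref})" for n, ref in hits] or "not listed")
```

Checking the network as well as the address catches the case where a listed range is a more specific prefix inside the network libloc reports, which a string search for the leading octets can miss.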