Message Board

Newbie/Basic Questions

 Complaint from internet access provider from South Africa called SAIX
Author: P.Z4   (2 Feb 11 8:29am)
Interesting problem - I just installed http:BL and a honey pot and immediately logged high threat level IPs from South Africa - the user is a trusted member of my site, but http:BL doesn't even show captcha to let him in. Below is the email that the internet provider sent me after the user complained to his provider - does it sound legit? If so, would it be safe to let those affected IP blocks through?


Dear Admin,

There are about 10 x class C address blocks behind the SAIX caches, hence a couple of 1000 ADSL IPs. It is SAIX policy to transparently cache all shaped and unshaped ADSL IP addresses. Therefore the source IP address will always change to a network IP address of a cache appliance, hence you will see plenty of sessions from the 198.54.202.0 and 196.25.255.0 segments. If you examine the HTTP header information, you should find the real "Source IP" in the X-forward-for "field". The cache appliance will rewrite the HTTP header to reveal this info. Those 41.x.x.x IPs that you are seeing are IPNET edges with no web-cache appliances and usually are very small DSLAM sites.
The web-caches in SAIX are there to enhance the user's browsing experience and to reduce the high latency experienced. Please bear in mind, South African internet users are thousands of miles / kilometers away from international content.

Unfortunately many of these so-called spam trap systems or Intrusion Detection Systems (IDS) do not have the intelligence to make the distinction for a NAT device, such as a web-cache appliance.

for example...

host 196.25.255.194 -> 194.255.25.196.in-addr.arpa domain name pointer wblv-ip-pcache-4-vif0.telkom-ipnet.co.za
host 196.25.255.195 -> 195.255.25.196.in-addr.arpa domain name pointer wblv-ip-pcache-5-vif0.telkom-ipnet.co.za

We had many of these type of problems in the past and once the administrators knew what to look for, the problem was resolved.
If you have any abuse issues with any of the web-caches, please forward me your logs - Source IP, date, time and URL being accessed. If it is proven that an ADSL user has committed an offense, the user will get suspended by the SAIX abuse division.

Please let me know, if you are willing to unblock the webcache IP addresses. I would like to inform the ISP of your decision.
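The email above boils down to two technical claims: the cache's own IP is what the honey pot sees, and the real client is in the X-Forwarded-For header. The following is an added example of mine (not code from the thread or from Project Honey Pot) showing how a site operator would act on that without being fooled by a forged header: X-Forwarded-For is only believed when the TCP peer is in an explicit list of known cache addresses (here the two /24 segments the email names, which is an assumption for the example), the rightmost untrusted hop is taken as the client, and that client is then looked up in http:BL using its documented DNS query format (key, reversed IPv4 octets, `dnsbl.httpbl.org`, answered as `127.<days>.<threat>.<type>`). The access key, the threat threshold and the resolver answers are constructed placeholders.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Assumption for this example: only these two cache segments (named in the
# SAIX email) are allowed to speak for their clients via X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.54.202.0/24"),
    ipaddress.ip_network("196.25.255.0/24"),
]

HTTPBL_ZONE = "dnsbl.httpbl.org"
KEY = "abcdefghijkl"  # placeholder, not a real http:BL access key

# Type bits in the last octet of an http:BL answer; 0 means search engine.
THREAT_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def is_trusted_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Pick the address to reputation-check.

    Anyone can send an X-Forwarded-For header, so it is ignored unless the
    TCP peer is a known cache. Hops are walked right to left, skipping
    other trusted caches, and a malformed hop falls back to the peer."""
    if not xff or not is_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip
        if not is_trusted_proxy(hop):
            return hop
    return peer_ip


def httpbl_query_name(access_key: str, ipv4: str) -> str:
    """Build the http:BL query name: key.d.c.b.a.dnsbl.httpbl.org."""
    return f"{access_key}.{'.'.join(reversed(ipv4.split('.')))}.{HTTPBL_ZONE}"


def decode_httpbl(answer: Optional[str]) -> Optional[dict]:
    """Decode a 127.days.threat.type answer; None means not listed."""
    if answer is None:
        return None
    first, days, threat, kind = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected http:BL answer {answer!r}")
    types = [name for bit, name in THREAT_TYPES.items() if kind & bit]
    if kind == 0:
        types = ["search engine"]
    return {"days_since_last_activity": days, "threat_score": threat, "types": types}


def dns_resolver(name: str) -> Optional[str]:
    """Real lookup; NXDOMAIN (not listed) becomes None. Not used by the test."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def decide(peer_ip: str, xff: Optional[str], resolver: Callable[[str], Optional[str]],
           access_key: str, threshold: int = 25) -> dict:
    """Allow unlisted clients, challenge low scores, block high ones.
    The threshold is an assumption; tune it to your own traffic."""
    client = effective_client_ip(peer_ip, xff)
    listing = decode_httpbl(resolver(httpbl_query_name(access_key, client)))
    if listing is None:
        action = "allow"
    elif listing["threat_score"] >= threshold:
        action = "block"
    else:
        action = "captcha"
    return {"client_ip": client, "action": action, "listing": listing}


# Constructed answers standing in for DNS, so the example runs offline.
CONSTRUCTED_ANSWERS = {
    httpbl_query_name(KEY, "41.1.2.3"): "127.5.30.4",         # high-score spammer
    httpbl_query_name(KEY, "196.25.255.194"): "127.1.60.6",   # the cache itself
    httpbl_query_name(KEY, "41.1.2.9"): "127.2.10.1",         # low-score suspicious
}


def fake_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for peer, xff in [("196.25.255.194", "41.1.2.3, 198.54.202.5"),
                      ("196.25.255.194", None),
                      ("10.9.8.7", "41.1.2.3")]:
        print(peer, xff, "->", decide(peer, xff, fake_resolver, KEY))
```

The second sample request shows the failure mode the email describes: with no usable header the cache's own address is checked, and every ADSL user behind it shares that verdict. The third shows why the trust list matters: an untrusted peer claiming to forward for 41.1.2.3 is judged on its own address, not on the header it sent.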
 
 Re: Complaint from internet access provider from South Africa called SAIX
Author: A.Degives Mas   (6 Feb 11 12:49am)
Hogwash. They're blaming you - in a hardly veiled manner - for not contorting yourself into a pretzel and doing quadruple checks on the nature of ill-behaving IP addresses. That's quite rude of them. And they're not entirely forthcoming about the alleged cleanliness of their address space. To wit, here's what the PHP database has to say about the two IP addresses that they helpfully offer up for closer scrutiny:

http://www.projecthoneypot.org/ip_196.25.255.194
http://www.projecthoneypot.org/ip_196.25.255.195

Interestingly, they have repeatedly requested whitelisting for those two. Upon which they got blacklisted again, proving themselves fools for suggesting that it is somehow the blacklister's fault that they have a (very) bad reputation.

It's quite simple: stop behaving badly. Period. Then be patient, while trust is regained. If your IP address space is used properly, you'll be eventually taken off the blacklist, and moved to a regime of probation that can and will be revoked in a jiffy upon renewed abuse.

That's how it works.

So, I'd reply along these lines: "Thank you for indicating your willingness to clean up the mess left behind by some ill-behaving customers. As you appear to appreciate a good reputation, I am sure you'll also agree that verified and proven trust is your best passport to a clean slate. Therefore, I look forward to seeing clean reports coming in from your address space over a prudent period of time; until then, I wish you all the best in your customer retention efforts. Kind regards, XXX"

Besides, it's not the first time an operative of a rogue address space sends in stuff like that, only to hammer you upon notification of whitelisting.

Post Edited (6 Feb 11 2:23am)



Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.