Author: P.Z4 (2 Feb 11 8:29am)
Interesting problem - I just installed http:BL and a honey pot and immediately logged high threat level IPs from South Africa - the user is a trusted member of my site, but http:BL doesn't even show captcha to let him in. Below is the email that the internet provider sent me after the user complained to his provider - does it sound legit? If so, would it be safe to let those affected IP blocks through?
Dear Admin,
There are about 10 x class C address blocks behind the SAIX caches, hence a couple of thousand ADSL IPs. It is SAIX policy to transparently cache all shaped and unshaped ADSL IP addresses. Therefore the source IP address will always change to a network IP address of a cache appliance, hence you will see plenty of sessions from the 198.54.202.0 and 196.25.255.0 segments. If you examine the HTTP header information, you should find the real "Source IP" in the X-Forwarded-For field. The cache appliance will rewrite the HTTP header to reveal this info. Those 41.x.x.x IPs that you are seeing are IPNET edges with no web-cache appliances and are usually very small DSLAM sites.
The web-caches in SAIX are there to enhance the user's browsing experience and to reduce the high latency experienced. Please bear in mind that South African internet users are thousands of miles / kilometers away from international content.
Unfortunately many of these so-called SPAM trap systems or Intrusion Detection Systems (IDS) do not have the intelligence to make the distinction between a NAT device, such as a web-cache appliance, and an end user.
for example...
host 196.25.255.194 -> 194.255.25.196.in-addr.arpa domain name pointer wblv-ip-pcache-4-vif0.telkom-ipnet.co.za
host 196.25.255.195 -> 195.255.25.196.in-addr.arpa domain name pointer wblv-ip-pcache-5-vif0.telkom-ipnet.co.za
We had many of these types of problems in the past and once the administrators knew what to look for, the problem was resolved.
If you have any abuse issues with any of the web-caches, please forward me your logs - Source IP, date, time and URL being accessed. If it is proven that an ADSL user has committed an offense, the user will be suspended by the SAIX abuse division.
Please let me know, if you are willing to unblock the webcache IP addresses. I would like to inform the ISP of your decision.
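An added example (not from the poster or the ISP) of how a site can act on the email's advice: honour X-Forwarded-For only when the TCP peer is in one of the cache segments the email names, and run the http:BL lookup on the resulting client address instead of the cache's. The two /24 ranges come from the email; the access key and client addresses are constructed placeholders.

```python
import ipaddress
from typing import Optional

# The cache/NAT segments named in the ISP's email. This is an assumed allowlist for
# illustration: confirm the ranges with the provider before trusting headers from them.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.54.202.0/24", "196.25.255.0/24")]


def is_trusted_proxy(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Address to rate-limit or look up in http:BL for this request.

    X-Forwarded-For is honoured only when the TCP peer is a known cache; from any
    other peer the header is client-supplied and ignored. The chain is walked from
    the right, skipping trusted hops, and stops at the first untrusted address.
    """
    if not is_trusted_proxy(remote_addr) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # every hop was a cache; nothing better than the peer


def httpbl_query_name(access_key: str, ip: str) -> str:
    """DNS name to resolve for an IPv4 address in Project Honey Pot's http:BL:
    the access key, then the reversed octets, under dnsbl.httpbl.org."""
    rev = ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))
    return f"{access_key}.{rev}.dnsbl.httpbl.org"


def decode_httpbl(answer: str) -> dict:
    """Interpret a 127.d.t.v answer: d = days since last activity, t = threat
    score (0-255), v = visitor type bitmask (1 suspicious, 2 harvester, 4 comment spammer)."""
    octets = [int(p) for p in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError("not an http:BL listing")
    _, days, threat, kind = octets
    return {"days": days, "threat": threat, "suspicious": bool(kind & 1),
            "harvester": bool(kind & 2), "comment_spammer": bool(kind & 4)}
```

With this in place, a trusted member behind a cache is judged on his own address, while a request arriving directly from an untrusted peer cannot spoof a clean address through the header.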