Regarding your server having 1 GB of memory, that would be the bare bones
minimum to get away with running the full "Got Root" rules on a dedicated
server, but I seriously worry about running that set on a VPS that only
has 1 GB of memory, which is really pushing the threshold of things there.
As for the other, I got some good news and bad news for you ...
Quote:
2009-07-02 17:23:38 76.123.225.96 / HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] 406
2009-07-02 17:23:35 76.123.225.96 /index.php HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] 301
As for the error messages and rules you quoted, the visitors to your sites
are being flagged as blacklisted by Spamhaus as bad IPs and the reason
this is happening is because they recently combined their PBL data into
the new renamed list replacing XBL.
In plain English, what happens is that instead of just blacklisting visitors who are
known spammers from reaching your web sites, almost all visitors are now silently
getting blocked if they originate from most any known regular ISP
account such as you get with most cable modem and DSL providers, so basically
just about everyone is getting blacklisted from your server. Because of this
recent change, at our own company, we DO NOT use Spamhaus anymore
and we DO NOT recommend that anyone use Spamhaus
RBL blacklist databases to filter out traffic or email! We still have confidence in
SpamCop, but our faith in Spamhaus is gone because of this change!
Combining those separate databases was well intentioned and meant to limit spam
traffic from non-server originating mail senders but instead had the unintentional
side effect of blocking massive amounts of web traffic from reaching web servers
for hosts that had previously relied on the earlier blacklist databases and did not
expect to see any changes like this coming down the line.
I would either delete all the Spamhaus rules from the "00_ASL_RBL.conf" file
where you store your Mod_Security "Got Root" rules and just use the
rules for SpamCop only, (OR) just simply delete that file entirely and
then Mod_Security won't perform any RBL Blacklisting checking. The only difference
between the two is whether or not you keep SpamCop RBL checks or stop those.
You should be advised that many of the spam protection systems for
email, and Exim's configuration itself, may also perform Spamhaus checking,
as well as many forum community and CMS applications, so you might also
get legitimate visitors blocked elsewhere in your server and should
see about removing those checks as well.
Incidentally, we had the same thing happen to some of our servers a while
back and we were also pretty pissed when we found out that RBL checks
had been escalated from known spammers to all non-web server IPs
suddenly blocking most of our visitors without our knowledge. However
now that you are aware of this, you can take action to fix it. If you need
any assistance whatsoever, feel free to ask and I would be more than
willing to give you a hand with clearing that up.
While on the subject of major RBL blacklist databases, everyone should probably
know that one of the other major databases, named SORBS, is currently scheduled to
go out of business effective July 20th, and at that time if anyone is using SORBS
for blacklist checks for your email or any program, you'll probably start getting a
lot of connections flagged as blacklisted by mistake, as often happens when these
servers go out of business. That said, if you are using SORBS for any RBL checks,
you may want to go ahead and remove that from your servers right now.
All of the above blacklist services (SORBS, Spamhaus, and SpamCop) will each tell you
that they themselves don't "blacklist IPs" but all that really means is that they don't
own the code on your server doing the actual IP blocking. They do however provide
the database information that many software applications and modules on your server
might use to in turn block user traffic --- and sometimes block legitimate users too!
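Before deleting rules, it helps to know how much of your blocked traffic the Spamhaus check actually accounts for. The following is an added example, not code from the post or from the ASL "Got Root" rules: it parses denial lines in the format quoted above, checks that the reversed-octet lookup name really belongs to REMOTE_ADDR, and counts hits and distinct blocked client IPs per RBL zone. The 10.0.0.5 SpamCop line and rule id 999999 in the sample are constructed placeholders.

```python
import re
from collections import defaultdict
# Matches the "Access denied ... RBL lookup of ..." lines in the format quoted above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<uri>\S+) (?P<proto>\S+) (?P<host>\S+) '
    r'.*?RBL lookup of (?P<lookup>\S+) succeeded at REMOTE_ADDR\.'
    r'.*?\[id "(?P<id>\d+)"\].*?(?P<status>\d{3})$'
)

# Constructed sample: the two lines quoted in the post plus one made-up SpamCop hit
# (the 10.0.0.5 client, the bl.spamcop.net line and rule id 999999 are placeholders).
SAMPLE_LOG = """\
2009-07-02 17:23:38 76.123.225.96 / HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] 406
2009-07-02 17:23:35 76.123.225.96 /index.php HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 96.225.123.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ALERT"] 301
2009-07-02 17:24:01 10.0.0.5 /about HTTP/1.1 www.mysite.com Access denied with code 406 (phase 2). RBL lookup of 5.0.0.10.bl.spamcop.net succeeded at REMOTE_ADDR. [id "999999"] [msg "constructed SpamCop hit"] 406
"""

def parse_rbl_block(line):
    """Return a dict for one RBL denial line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    labels = m.group("lookup").split(".")
    # The lookup name is the client's four octets reversed, followed by the RBL zone.
    client_from_lookup = ".".join(labels[3::-1])
    zone = ".".join(labels[4:])
    if client_from_lookup != m.group("ip"):
        zone = "MISMATCH:" + zone  # lookup name is not REMOTE_ADDR; inspect by hand
    return {"ip": m.group("ip"), "zone": zone,
            "rule_id": m.group("id"), "status": int(m.group("status"))}

def summarize(log_text):
    """Hits and distinct blocked client IPs per RBL zone."""
    ips, hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_rbl_block(line)
        if rec:
            ips[rec["zone"]].add(rec["ip"])
            hits[rec["zone"]] += 1
    return {z: {"hits": hits[z], "distinct_ips": len(ips[z])} for z in ips}

def spamhaus_share(summary):
    """Fraction of all RBL-blocked distinct IPs that a Spamhaus zone accounts for."""
    total = sum(v["distinct_ips"] for v in summary.values())
    sh = sum(v["distinct_ips"] for z, v in summary.items() if z.endswith("spamhaus.org"))
    return sh / total if total else 0.0

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s, f"Spamhaus share of blocked IPs: {spamhaus_share(s):.0%}")
```

Run it against your real ModSecurity denial log instead of SAMPLE_LOG; a large distinct-IP count under xbl.spamhaus.org relative to the other zones is the collateral blocking described above.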