Forum Discussion

Rupert_Connell
Apr 17, 2018

"Spam Sources" blacklist category missing from IP Address Intelligence Categories area

In version BIG-IP ASM v 12.1.2, "Spam Sources" is the only one of the blacklist categories that is not in the IP Address Intelligence Categories area of the Security policy so cannot be selected for Learn, Alarm or Block.

 

I have implemented a tactical fix by using IP::reputation in an iRule, but this is CPU-intensive.

 

Is this a bug that will be resolved, or a design decision?

 

  • taunan_89710
    Historic F5 Account

    Rupert,

     

    This category is not present in ASM IPI as a design decision. We tracked this as ID380836. Effectively Spam Sources is only relevant to SMTP so it was not implemented in ASM. However AFM should contain all categories natively.

     

    Sorry for the trouble.

     

    • Rupert_Connell

      Hi Taunan,

       

      Thanks for the answer. Where can I track that ID, and make comments/suggestions to reverse the decision?

       

      We currently have large amounts of malicious application traffic coming from IPs marked as Spam Sources. It seems to me that end users shouldn't have had the option to select it removed, but rather should be allowed to use the full functionality offered by Brightcloud.

       

      Cheers,

       

      Ru.

       

    • taunan_89710
      Historic F5 Account

      The ID reflects a change in behavior, not a product defect, so tracking it with the F5 bug tracker isn't possible at this time.

       

      However I tend to agree this is still something that ASM could be allowed to block on. It never hurts to ask at least :)

       

      I would recommend that you open a support case and ask to do a Request for Enhancement to see this category added to ASM for native violation reporting and blocking.

       

      In the meantime the iRule does still allow the full functionality of Brightcloud and through use of the ASM::raise command you can create a custom violation for the spam sources category of IPs. If you have it licensed AFM will also be able to handle these categories extremely efficiently, before the HTTP engine is even engaged.

       

      Let me know if there's anything I can try to expand on.
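
The iRule approach described in the reply above, as an added sketch that is not code posted by either participant. It does the `IP::reputation` lookup once per client connection rather than once per request, to limit the CPU cost raised in the original question. The violation name `VIOLATION_SPAM_SOURCE_IP` is a hypothetical user-defined violation that is assumed to already exist in ASM, and the policy is assumed to have ASM iRule events enabled.

```tcl
when CLIENT_ACCEPTED {
    # Look up the client IP once per TCP connection and cache the result
    # in a connection-scoped variable, instead of repeating the lookup
    # for every HTTP request on a keep-alive connection.
    set is_spam_source 0

    # IP::reputation returns a Tcl list of IP Intelligence category names
    # for the address (an empty list if the address is not listed).
    set categories [IP::reputation [IP::client_addr]]

    if { [lsearch -exact $categories "Spam Sources"] >= 0 } {
        set is_spam_source 1
    }
}

when ASM_REQUEST_DONE {
    # Fires after ASM has finished evaluating the request.
    # Raising the user-defined violation lets the policy's own
    # Learn / Alarm / Block settings for that violation decide the outcome.
    # VIOLATION_SPAM_SOURCE_IP is a hypothetical name: create it under the
    # user-defined violations before attaching this iRule.
    if { $is_spam_source } {
        ASM::raise VIOLATION_SPAM_SOURCE_IP
    }
}
```

The lookup keys on the connecting address, so if another proxy sits in front of the BIG-IP the address checked is that proxy's, not the end client's.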

       

    • Rupert_Connell

      Thanks,

       

      I'll look into both the RfE and AFM (which we don't currently have licensed), and come back if required.

       

      Cheers,

       

      Ru.