Forum Discussion
"Spam Sources" blacklist category missing from IP Address Intelligence Categories area
Rupert,
This category is not present in ASM IPI as a design decision. We tracked this as ID380836. Effectively Spam Sources is only relevant to SMTP so it was not implemented in ASM. However AFM should contain all categories natively.
Sorry for the trouble.
- Rupert_Connell, May 16, 2018 (Altostratus)
Hi Taunan,
Thanks for the answer. Where can I track that ID, and make comments/suggestions to reverse the decision?
We currently have large amounts of malicious application traffic coming from IPs marked as Spam Sources. It seems to me that end users shouldn't have had the option to select it removed, but rather should be allowed to use the full functionality offered by Brightcloud.
Cheers,
Ru.
- taunan_89710, May 16, 2018 (Historic F5 Account)
The ID reflects a change in behavior, not a product defect, so tracking it with the F5 bug tracker isn't possible at this time.
However I tend to agree this is still something that ASM could be allowed to block on. It never hurts to ask at least :)
I would recommend that you open a support case and ask to do a Request for Enhancement to see this category added to ASM for native violation reporting and blocking.
In the meantime the iRule does still allow the full functionality of Brightcloud and through use of the ASM::raise command you can create a custom violation for the spam sources category of IPs. If you have it licensed AFM will also be able to handle these categories extremely efficiently, before the HTTP engine is even engaged.
Let me know if there's anything I can try to expand on.
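
Added example, not part of the original thread and not F5's or the poster's own code: a minimal iRule sketch of the workaround described in the post above, using `IP::reputation` to read the Brightcloud categories and `ASM::raise` to flag Spam Sources clients. The violation name `VIOLATION_SPAM_SOURCE` is a hypothetical user-defined violation that must already exist in the ASM policy, and running the check in `HTTP_REQUEST` is an assumption about where you want it evaluated.

```tcl
# Added example. Assumes an IP Intelligence subscription is active and that a
# user-defined violation named VIOLATION_SPAM_SOURCE (hypothetical name) has
# been created in the ASM policy attached to this virtual server.
when HTTP_REQUEST {
    # IP::reputation returns a Tcl list of category names for the address;
    # the list is empty when the address is not in the reputation database.
    set categories [IP::reputation [IP::client_addr]]

    if { [lsearch -exact $categories "Spam Sources"] >= 0 } {
        # Log every hit so the ratio of malicious to legitimate clients can
        # be reviewed before the violation is switched from alarm to block.
        log local0.info "IPI Spam Sources hit from [IP::client_addr], categories: $categories"

        # Raise the custom violation. Whether ASM only alarms or also blocks
        # is decided by the violation's settings in the policy, not here.
        ASM::raise VIOLATION_SPAM_SOURCE
    }
}
```

Leaving the custom violation in alarm-only mode at first gives a log of affected clients to check against the false-positive concern raised later in the thread.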
- Rupert_Connell, May 16, 2018 (Altostratus)
Thanks,
I'll look into both the RfE and AFM (which we don't currently have licensed), and come back if required.
Cheers,
Ru.
- Rupert_Connell, May 21, 2018 (Altostratus)
So, I have an answer. The dev team are targeting including the Spam Sources category in the next major revision (14.x), and are tracking it under Bug ID 532521.
- Stanislas_Piro2, May 21, 2018 (Cumulonimbus)
Hi,
Even if F5 includes SPAM sources in ASM or APM, it won't be recommended to use this source for non-SMTP traffic. Most SPAM sources use dynamic IPs assigned by Internet providers.
I have a customer who configured AFM to block all malicious sources, including SPAM sources. ==> Lots of legitimate clients were blocked by SPAM source because the ISP assigned an IP address previously detected as SPAM. This source was then removed!
- Rupert_Connell, May 22, 2018 (Altostratus)
Thanks Stanislas,
In our case, however, the ratio is definitely heavily weighted to malicious actors, and we have only had the occasional legitimate client, who have been able to remove their IP from the source via the Brightcloud process.
This is why it's good to have the option, as everyone's situation will be different :)