Bypass Spamhaus IP blocks in Cloudflare?

Is there a way to configure Cloudflare to ignore Spamhaus IP blocks? I’m starting to get more and more normal everyday people who somehow have an IP that’s on Spamhaus getting blocked from accessing my site/app.

The problem is fixed by allowing their IP through Access Rules, but it is happening too often. I’d prefer to automate it or ignore Spamhaus altogether for site visitors. My app does not use email, so I’m not concerned about that.

What Cloudflare product are you discussing here? If you are referring to the WAF or Cloudflare proxy, this is the first I have ever heard of suggested that any Spamhaus listings are evaluated. Do you have Cloudflare log data that supports that?

I ask out of genuine interest and a desire to know more about the situation you are describing. Depending on what list the IP is on, my initial suspicion is that the presence on a Spamhaus list is coincidental. If the listing was related to a compromised host or an IP pool or range that was observed engaging in unsavory activity, it may have overlap on many lists, including one published by Spamhaus.

Thanks for your response. I’m referring to WAF.

The reason I believe it is Spamhaus is because whenever this issue has occurred, I look up the IP address and sure enough it’s always listed on Spamhaus, and usually only on Spamhaus (at least according to a few tools I’ve tried).

Here is the tool I use most with an example search: https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a172.58.188.59&run=toolpage


When I add the IP to be allowed via access rules, it fixes it.

I am considering creating an API that captures any IPs my clients use, and then automatically adds that to the allowed list in Cloudflare. This seems like a hacky solution that I’d rather not do if there is a better way.


I suspect MXToolbox is only checking email related lists. Other than Spamhaus, most of those lists are not ideal for general use.

I ran the IP from your screenshot through the IP lists at Firehol and was surprised that it didn’t even have a single hit.

It wasn’t in AbuseIPDB either, but it is allocated to a mobile provider, so the chance of it being reused across multiple customers is almost certain and that brings an increased chance of malicious activity.

I agree with your assessment that automatically adding client IPs to the allow list is not the ideal first option.

A Spamhaus lookup shows that address is only on the PBL, which should only be evaluated by email gateways since that list is comprised of hosts that should not send email as reported by their network operators.

Cisco Talos didn’t have anything new to add.

I’m interested to see if we get some additional input on this topic.

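The PBL-only distinction made in the post above, as an added example that is not from any poster in this thread: a DNSBL lookup against Spamhaus ZEN that decodes the answer codes so a PBL-only hit (end-user space that should not send mail directly) can be told apart from SBL/XBL abuse listings before anyone concludes an IP is "bad". Function names are mine; the resolver is injectable so the decode logic can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Spamhaus ZEN answer codes, per Spamhaus's published documentation.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",            # Spamhaus Block List (spam sources)
    "127.0.0.3": "SBL CSS",        # snowshoe / compromised senders
    "127.0.0.4": "XBL",            # exploited or infected hosts (CBL data)
    "127.0.0.9": "SBL DROP",       # DROP/EDROP netblocks
    "127.0.0.10": "PBL ISP",       # PBL, maintained by the ISP
    "127.0.0.11": "PBL Spamhaus",  # PBL, maintained by Spamhaus
}
# 127.255.255.x answers are query errors, not listings.
ZEN_ERRORS: Dict[str, str] = {
    "127.255.255.252": "typing error in query",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "query limit exceeded",
}

def zen_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the IPv4 octets and append the DNSBL zone; rejects IPv6/bad input."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name: str) -> List[str]:
    """Live resolver: every A record for name, or [] when NXDOMAIN (not listed)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(ip: str, resolver: Callable[[str], List[str]] = resolve_a) -> dict:
    """Report which ZEN lists hit and whether the hit is PBL only.
    A PBL-only hit says nothing about web abuse; it is a mail-policy signal."""
    hits, errors = [], []
    for code in resolver(zen_query_name(ip)):
        if code in ZEN_CODES:
            hits.append(ZEN_CODES[code])
        elif code.startswith("127.255."):
            errors.append(ZEN_ERRORS.get(code, code))
        else:
            hits.append("unknown " + code)  # conservative: counts as non-PBL
    pbl_only = bool(hits) and all(h.startswith("PBL") for h in hits)
    return {"ip": ip, "listed": bool(hits), "lists": hits,
            "pbl_only": pbl_only, "errors": errors}
```

Run it with the default resolver against a real address to see the live answer; the 127.255.255.254 error means your DNS path goes through a public resolver and the result cannot be trusted.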

Thanks for your research. You bring up an interesting point regarding the address only being on the PBL for Spamhaus. Even my own IP address is on Spamhaus for that reason, and I’ve never experienced any connectivity issues with my app. So perhaps the real cause is something else.

Do you (or anyone) know where I may find logs in Cloudflare that could tell me if they blocked a specific IP for any reason? Perhaps Cloudflare is incorrectly identifying some people as a bot, or something like that.

The Security Events in your dashboard may give you additional insight.

https://dash.cloudflare.com/?to=/:account/:zone/security/events


Out of personal curiosity, @jon36, did the assumptions / belief of the Spamhaus blocks to be relevant originate from you, or from the people you refer to with “normal everyday people” mentioned in your first post?

I’m somehow agreeing with @epic.network on:

And interested in information like:

  • Do you have any error codes / output to share?

  • Perhaps any screenshots of the actual block / error pages that were seen?

  • Anything else, that might help us get to the bottom of this (and also, as to how Spamhaus was being assumed to be involved)?


@DarkDeviL The belief of possible Spamhaus blocks originated from me, since it was the only “negative” thing I could find that these users had in common, so I wanted to test the idea by bypassing Spamhaus. But given some more information, like what @epic.network has shared, I don’t believe Spamhaus is the cause anymore.

Those “normal everyday people” I referred to are mostly non-technical. Many are senior citizens. I know they’re not up to anything shady.

They weren’t receiving any block / error pages because they’re using our mobile app. All they know is they couldn’t log in. Using sentry.io, I’ve seen their connection was being rejected. Using server logs, I could see they weren’t ever hitting the servers. Cloudflare was preventing it. Adding their IP address to the “allowed” list has instantly fixed their issues.

I’m not sure yet why Cloudflare occasionally blocks some of our users. Fortunately, more than 99% of them are fine. I’ve adjusted some Cloudflare settings recently that I believe will help.