I was alerted by my Plesk server that an IP Address had been banned. Normally I don't check banned IPs, but this one happened to coincide with our site going down for 1 minute at the same time.
Banned the following ip addresses on Mon Jul 27 21:05:01 AEST 2020
216.239.38.21 with 154 connections
I use the Web Application Firewall (ModSecurity) that Plesk provides.
A quick check tells me it is a Google IP: https://whatismyipaddress.com/ip/216.239.38.21
Hostname: any-in-2615.1e100.net
ASN: 15169
ISP: Google
Organization: Google
However, Google have instructions on Verifying Googlebot:
Example 1:
> host 66.249.66.1
1.66.249.66.in-addr.arpa domain name pointer crawl-66-249-66-1.googlebot.com.
> host crawl-66-249-66-1.googlebot.com
crawl-66-249-66-1.googlebot.com has address 66.249.66.1
I also thought "154 connections sounds malicious", but according to Google's own Change Googlebot crawl rate, it shows an example of 5 per second, which would be 300 a minute
The term crawl rate means how many requests per second Googlebot makes
to your site when it is crawling it: for example, 5 requests per second.
You cannot change how often Google crawls your site, but if you want
Google to crawl new or updated content on your site, you can request a recrawl.
After running nslookup -type=ptr 216.239.38.21 I get the same hostname as above, which resolves to a spammy Google Blogger looking website.
So, the IP address is Google's, but it's a spammy looking Blogger.com website, so does that mean it was malicious or a false positive?
The fact that the hostname is any-in-2615.1e100.net leads me to believe it's a fairly sophisticated spoofed IP address, seems bizarre. I was hoping someone with more technical experience might have further insights.
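
The reverse-then-forward DNS check from the Google instructions quoted in the post, written out as an added example (not part of the original post and not Google's or Plesk's code). It assumes the crawler PTR domains are googlebot.com and google.com; the function names, the verdict strings, the 203.0.113.9 record and the offline lookup tables are constructed for illustration.

```python
import socket

# PTR domains accepted for Google crawlers (assumption: check Google's current guidance).
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

def ptr_lookup(ip):
    """Reverse DNS: return the PTR hostname for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def a_lookup(host):
    """Forward DNS: return the set of addresses host resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_googlebot(ip, ptr=ptr_lookup, fwd=a_lookup):
    """Forward-confirmed reverse DNS check. Returns (verdict, hostname)."""
    host = ptr(ip)
    if not host:
        return ("no-ptr", None)
    name = host.rstrip(".").lower()
    # The leading dot in each suffix rejects look-alikes such as evilgooglebot.com.
    if not name.endswith(CRAWLER_SUFFIXES):
        return ("not-googlebot", name)  # can still be Google-owned space, e.g. 1e100.net
    # A PTR record is set by whoever controls the IP block, so the forward
    # lookup of that name must return the same IP before it is trusted.
    if ip not in fwd(name):
        return ("ptr-not-confirmed", name)
    return ("googlebot", name)

# Constructed offline data: the two PTR answers quoted in the post, plus one
# made-up record whose PTR claims googlebot.com without a matching A record.
SAMPLE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",
    "216.239.38.21": "any-in-2615.1e100.net.",
    "203.0.113.9": "crawl-203-0-113-9.googlebot.com.",
}
SAMPLE_A = {"crawl-66-249-66-1.googlebot.com": {"66.249.66.1"}}

def check_offline(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return verify_googlebot(ip, ptr=SAMPLE_PTR.get, fwd=lambda h: SAMPLE_A.get(h, set()))

if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, *check_offline(ip))
```

Calling `verify_googlebot(ip)` without the `ptr` and `fwd` arguments performs the same check against live DNS.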