Dear Colleagues
We have a customer whose IP keeps getting blocked by various CDN operators.
If we change his IP, this solves the issue for a couple of days, then he is blocked again. Actual IP: 87.102.212.133
At the moment, this IP is being blocked by the CDN used by:
klm.com, nespresso.com, easyjet.com
I opened a case with Amazon, as they are the ones that host the easyjet.com CDN, but they replied that he is blocked 'upstream' by their customer easyjet.
Our customer called the Easyjet Helpdesk, but they have no clue what generates this error and sent him to his ISP :-/
We don't get any kind of complaints regarding the IP of this customer.
https://multirbl.valli.org/lookup/87.102.212.133.html
Two entries on blacklists I am not familiar with. One of them about an email misconfiguration?
All the customer is seeing on the webpage is:
=== snipp ===
Access Denied

You don't have permission to access "http://www.easyjet.com/" on this server.

Reference #18.57d61202.1634833697.32bab06
=== snapp ===
Any hints on how to solve or what blocking provider is used (all pages show a very similar message with similar ID) are appreciated.
PS: Yes, Google is finding reports of this exact issue. None I found provided any useful hint on what causes the issue.
Kind regards
-Benoît Panizzon-
Hi,
Did you check if the customer's network is maybe infected with some botnet or spambot that triggers honeypots?
Clearly, if the IP changes and the customer gets blocked again, it is something being caused by the source IP...
Netflow... Netflow all the things ;)
Greets, Jeroen
--
On 20211026, at 09:19, Benoit Panizzon benoit.panizzon@imp.ch wrote:
> Dear Colleagues
> [...]
Hi Jeroen
> Did you check if the customer's network is maybe infected with some botnet or spambot that triggers honeypots?

Usually we learn about such incidents through GovCert or other complaints. We received none.

> Clearly, if the IP changes and the customer gets blocked again, it is something being caused by the source IP...
> Netflow... Netflow all the things ;)

We only have traffic counters, no detailed netflows :-)
The counters look normal. About 10:1 download:upload ratio, and similar to other customers.
Kind regards
-Benoît Panizzon-
> I opened a case with Amazon

Are you sure Amazon is responsible? I mainly see Akamai as a CDN here. But maybe it's different, depending on the source IP address...

$ dig +short www.klm.com
www.klm.com.edgekey.net.
e40771.a.akamaiedge.net.
80.67.82.17
80.67.82.16

$ dig +short www.easyjet.com
www.easyjet.com.edgekey.net.
e6158.x.akamaiedge.net.
2.20.17.112
For Akamai, this may be of interest: https://www.akamai.com/us/en/clientrep-lookup/
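
The check used in the message above (reading the CNAME chain in `dig +short` output to see which CDN actually answers), as an added example that is not part of the original thread. The suffix-to-operator table is a small assumed list, not a complete one; the sample input is the easyjet output quoted in the thread.

```shell
#!/bin/sh
# Added example: name the CDN operator from `dig +short` output.
# Assumption: the suffix table below is illustrative and incomplete.

# Reads `dig +short` output on stdin and prints the operator of the first
# CNAME that matches a known suffix, or "unknown" if none does.
cdn_from_chain() {
    while IFS= read -r line || [ -n "$line" ]; do
        # Normalise: lower-case, drop the trailing dot of an FQDN.
        name=$(printf '%s' "$line" | tr 'A-Z' 'a-z' | sed 's/\.$//')
        case "$name" in
            *.edgekey.net|*.edgesuite.net|*.akamaiedge.net|*.akamai.net)
                echo "Akamai"; return 0 ;;
            *.cloudfront.net)
                echo "Amazon CloudFront"; return 0 ;;
            *.fastly.net)
                echo "Fastly"; return 0 ;;
            *.cdn.cloudflare.net)
                echo "Cloudflare"; return 0 ;;
        esac
    done
    # Only A records (or unknown names): the answer alone does not
    # identify the operator; a whois on the address would be the next step.
    echo "unknown"
}

# Sample input: the www.easyjet.com answer as quoted in the thread.
sample_easyjet() {
    printf '%s\n' 'www.easyjet.com.edgekey.net.' \
                  'e6158.x.akamaiedge.net.' \
                  '2.20.17.112'
}

# Live lookup; needs dig and network access, so it only runs when
# hostnames are passed on the command line.
cdn_for_host() {
    dig +short "$1" | cdn_from_chain
}

if [ "$#" -gt 0 ]; then
    for host in "$@"; do
        printf '%s: %s\n' "$host" "$(cdn_for_host "$host")"
    done
fi
```

Because the answer can differ by resolver and source address, the lookup is most useful when run from the affected customer's own connection.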
> Are you sure Amazon is responsible? I mainly see Akamai as a CDN here. But maybe it's different, depending on the source IP address...

Aeh! s/Amazon/Akamai/ sorry!

> For Akamai, this may be of interest: https://www.akamai.com/us/en/clientrep-lookup/

I stumbled over this page, but discarded it as I could not enter the affected IP.
I've now sent the link to the affected customer. Let's see if he is getting any result.
Kind regards
-Benoît Panizzon-