"Spam Sources" blacklist category missing from IP Address Intelligence Categories area

Question

In version BIG-IP ASM v 12.1.2, "Spam Sources" is the only one of the blacklist categories that is not in the IP Address Intelligence Categories area of the Security policy so cannot be selected for Learn, Alarm or Block.&nbsp;
I have implemented a tactical fix by using IP::reputation in an iRule, but this is CPU-intensive.&nbsp;
Is this a bug that will be resolved, or a design decision?&nbsp;

taunan_89710 · Answer

Rupert,  
&nbsp;
This category is not present in ASM IPI as a design decision.  We tracked this as ID380836.  Effectively Spam Sources is only relevant to SMTP so it was not implemented in ASM.  However AFM should contain all categories natively.&nbsp;
Sorry for the trouble.&nbsp;

rupert_connell · Answer

Hi Taunan,&nbsp;
Thanks for the answer. Where can I track that ID, and make comments/suggestions to reverse the decision?&nbsp;
We currently have large amounts of malicious application traffic coming from IPs marked as Spam Sources. It seems to me that end users shouldn't have had the option to select it removed, but rather should be allowed to use the full functionality offered by Brightcloud.&nbsp;
Cheers,&nbsp;
Ru.&nbsp;

taunan_89710 · Answer

The ID reflects a change in behavior, not a product defect, so tracking it with the F5 bug tracker isn't possible at this time.  
&nbsp;
However I tend to agree this is still something that ASM could be allowed to block on.  It never hurts to ask at least :)&nbsp;
I would recommend that you open a support case and ask to do a Request for Enhancement to see this category added to ASM for native violation reporting and blocking.&nbsp;
In the meantime the iRule does still allow the full functionality of Brightcloud and through use of the ASM::raise command you can create a custom violation for the spam sources category of IPs.  If you have it licensed AFM will also be able to handle these categories extremely efficiently, before the HTTP engine is even engaged.&nbsp;
Let me know if there's anything I can try to expand on.&nbsp;

rupert_connell · Answer

Thanks,&nbsp;
I'll look into both the RfE and AFM (which we don't currently have licensed), and come back if required.&nbsp;
Cheers,&nbsp;
Ru.&nbsp;

rupert_connell · Answer

So, I have an answer. The dev team are targeting including the Spam Sources category in the next major revision (14.x), and are tracking it under Bug ID 532521.&nbsp;

Forum Discussion

"Spam Sources" blacklist category missing from IP Address Intelligence Categories area

7 Replies

Recent Discussions

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

The Power of IP Intelligence (IPI)

Enriching AFM with public domain Threat Intelligence

Intelligent Proxy Steering - Office365

IP-Intelligence and IP-Shunning

About IP intelligence