I'm struggling with an RBL rule in mod_security under apache 2.2 that seems to be giving me a false positive. I see the following in the audit log (IP address redacted):
Message: RBL lookup of 4.3.2.1.sbl-xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_42_comment_spam.conf"] [line "21"] [id "981138"] [msg "RBL Match for SPAM Source"] [severity "CRITICAL"] [tag "AUTOMATION/MALICIOUS"]
The part that is driving me nuts is that if I do an nslookup on the name specified in the log message I get a result that it does not exist. Which as I understand it means that this address is not on the list. So why is mod_security getting a success?
I've also used the lookup service at spamhaus to confirm that the IP address is not black-listed.
What am I missing? It feels like something is being cached but I can't figure out where.
A bit more background, initially the host was using a DNS server that was (helpfully) returning addresses even when lookup was failing. I've switched the config to use the google servers (8.8.8.8 and 8.8.4.4) and now host and nslookup work as I expect. I've rebooted the server so in theory there's no in memory cache. I've also made sure the mod_security data files that would preserve the IP address are cleared. I know that's working since the initial lookup for the address appears as above, and subsequent ones, after the initial false success show the address as a known SPAM address.
The rule in question:
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
"phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',\
tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',\
setvar:tx.automation_score=+%{tx.warning_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,\
expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
