Senteniel Block Question

Worker Joined: Sep 09, 2004 Posts: 106 Location: Canada

I am not sure if its OK to post this here but I really need an answer and not sure where actually to address the question. Sorry if I am at the wrong Place.

Ever so offten senteniel is doing it job when it sees something that it don't like. However, I am a but concern if all of these blockings are hacking attempt or eligimate users just typing the wrong thing. Therefore, I am loosing visitors who gets block just because they type something wrong.

Can someone familar with Senteniel look at the following because almost everday I am getting this similar blocks and is now wondering mainly since I see this time its from aol. I am using Raven76

Thanks.

wondering if itDate & Time: 2006-07-08 10:35:21 CDT GMT -0500
Blocked IP: 172.202.140.132
User ID: Anonymous (1)
Reason: Abuse-Referer
String Match: xxxx:
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String: bobofindit.com/index.php?none
Get String: bobofindit.com/index.php
Post String: bobofindit.com/index.php
Forwarded For: none
Client IP: none
Remote Address: 172.202.140.132
Remote Port: 2240
Request Method: GET
--------------------
Who-Is for IP
172.202.140.132

OrgName: America Online
OrgID: AOL
Address: 22000 AOL Way
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US

NetRange: 172.192.0.0 - 172.216.255.255
CIDR: 172.192.0.0/12, 172.208.0.0/13, 172.216.0.0/16
NetName: AOL-172BLK-2
NetHandle: NET-172-192-0-0-1
Parent: NET-172-0-0-0-0
NetType: Direct Allocation
NameServer: DAHA-01.NS.AOL.COM
NameServer: DAHA-02.NS.AOL.COM
NameServer: DAHA-07.NS.AOL.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-02-13
Updated: 2004-12-22

RTechHandle: AOL-NOC-ARIN
RTechName: America Online, Inc.
RTechPhone: +1-703-265-4670
RTechEmail: domains@aol.net

OrgAbuseHandle: AOL382-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-265-4670
OrgAbuseEmail: abuse@aol.net

OrgNOCHandle: AOL236-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-703-265-4670
OrgNOCEmail: noc@aol.net

OrgTechHandle: AOL-NOC-ARIN
OrgTechName: America Online, Inc.
OrgTechPhone: +1-703-265-4670
OrgTechEmail: domains@aol.net

Posted: Sat Jul 08, 2006 11:51 am

This one is common enough. They were blocked because their IP was hidden. Or more accurately, either AOL or the users firewall is substituting their true referer id with 'xxxx' to make them harder to trace.

To stop this happening all you have to do is got to the referer blocker configuration and remove the line that says 'xxxx' from the list and save.

BUT - before you go rushing off to do the miracle cure thing, asl yourself two important questions....
1. Do you want to allow anyone who tries to hide their IP from accessing your site.
2. Knowing that when they were banned they would have seen the appropriate template message warning which says something like "If you think this was a mistake, contact the Webmaster at youATyoursiteDOTcom" - how many of these banned people bothered to email you and explain it WAS a mistake?

Posted: Sat Jul 08, 2006 12:17 pm

Guardian2003 wrote:

This one is common enough. They were blocked because their IP was hidden. Or more accurately, either AOL or the users firewall is substituting their true referer id with 'xxxx' to make them harder to trace.

To stop this happening all you have to do is got to the referer blocker configuration and remove the line that says 'xxxx' from the list and save.

BUT - before you go rushing off to do the miracle cure thing, asl yourself two important questions....
1. Do you want to allow anyone who tries to hide their IP from accessing your site.
2. Knowing that when they were banned they would have seen the appropriate template message warning which says something like "If you think this was a mistake, contact the Webmaster at youATyoursiteDOTcom" - how many of these banned people bothered to email you and explain it WAS a mistake?

OK, Thanks very much for the quick response. I will not change the settings at this time or may be never because I do hate people hiding there IP or using proxy.

In the first place, I went to the lengths to protect my site, and yes, now I remember that is after I did some reading on Senteniel and add the settings I stated seeing blocks as this one.

While on the subject, I did turn proxy on and had a friend come to the site through a proxy and got through. Is the proxy setting not ment to stop that?

Again, Many Thanks.

Posted: Sat Jul 08, 2006 2:25 pm

Normally, if the 'block proxies' is urned on it should block them but there may be others reasons why it didnt such as if they were an admin or the IP was in the excluded or protected range.

Posted: Sat Jul 08, 2006 3:28 pm

Guardian2003 wrote:

Normally, if the 'block proxies' is urned on it should block them but there may be others reasons why it didnt such as if they were an admin or the IP was in the excluded or protected range.

OK, Thanks.

None of the two were true. I just set the option to "yes", called up my nephew let him turnon his proxy software and try to reach the site and he did but I might have missed another option to set it right or as your said, some other reason.

Will run another test sometime and watch out for what I might have not done right.

I don't remember from which country that he pick up the IP but he is using the same ISP as I am. We just live some miles apart.

Thanks, Again

registered · Posted: Sun Jul 09, 2006 8:04 am

There are three levels of proxy blocking in NS. Which one did you choose? Have you tried all three and he is still not getting blocked?

However, please look at the pop-up help on that field in the NS administration. "This is not 100%".

Posted: Sun Jul 09, 2006 2:43 pm

OK, Then Thanks.

I will report back after I run those test again.

From my installation of Ravennuke76, when I click on the question makes there is no popup windows while I can see the code on the status bar.

Not sure what's the problem. Will also take a closer look at the setting in NS.

Thanks.