Several sites blocked on Cool Ideas

cobuskruger

Well-Known Member
Joined
Sep 21, 2009
Messages
184
Hi everyone. I'm having a really frustrating time with Cool Ideas, and I was wondering if anyone else has seen this symptom.

On some days, I get 403 error messages with several websites. The first time or two, it coincided with major outages (like the AWS outage end of November), but then it started happening more frequently and I investigated.

On most days, one or more of the following sites are blocked:
steampowered.com
olx.co.za
shein.com
cisp.co.za
coolideas.co.za

Yes, those last two are actually Cool Ideas properties, but they could not tell me why the IP is blocked.

The stock response they keep giving me is that my IP had been blocked, because I (or someone on my network) had been sending bulk email. They can't say on which blacklist it is included. I then ran malware scans on all networked devices in my house, and found nothing. I don't believe the explanation given. Two other bits of information clash with their assessment.

First, I have a dynamic IP and it gets refreshed every 24 hours. It also gets refreshed when I restart the fiber router. I then tested using only one device connected to the network. I can restart the router, get a new IP address, and will often be immediately blocked on one or more of the above sites. If I'm not blocked, then I can access them the entire day, from any device on the network. It therefore seems to me that I'm already blocked by the time I receive the IP address.

Second, I now do daily blacklist checks using both https://mxtoolbox.com/blacklists.aspx and https://whatismyipaddress.com/blacklist-check. The IPs are listed on Spamhaus, but it turns out the entire 102.132.128.0/18 range is listed. That's the bulk of all IP addresses used by Cool Ideas. It is a blacklist used by email servers though, and should not cause websites to block me AFAIK. That's the only blacklist showing the IPs.

Has anyone else seen this? Weird messages like the one below, that appear on sites one day and are gone the next?
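
The daily blacklist check described in the post above can be scripted as a direct DNSBL query. This is an added example, not part of the original post; it goes beyond the post by decoding the answer, so a range-wide policy listing can be told apart from a listing for observed abuse. The zone name, the return-code table and the sample addresses and replies are assumptions (Spamhaus's published ZEN conventions and constructed data), not values from the thread.

```python
import ipaddress
import socket

# The /18 is the range quoted in the post. The zone name and return-code table
# are assumptions based on Spamhaus's published ZEN conventions, not the thread.
LISTED_RANGE = ipaddress.ip_network("102.132.128.0/18")
ZONE = "zen.spamhaus.org"
CODES = {
    "127.0.0.2": ("SBL", "abuse"),    # known spam source
    "127.0.0.3": ("CSS", "abuse"),    # snowshoe spam source
    "127.0.0.4": ("XBL", "abuse"),    # exploited or infected host
    "127.0.0.10": ("PBL", "policy"),  # dynamic range, listed by the ISP
    "127.0.0.11": ("PBL", "policy"),  # dynamic range, listed by Spamhaus
}

def dnsbl_name(ip, zone=ZONE):
    """Query name for a DNSBL: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve_all(name):
    """All A records for name; an empty list means NXDOMAIN (not listed)."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []

def check(ip, resolver=resolve_all):
    """Classify one address; resolver is injectable so this runs offline."""
    answers = resolver(dnsbl_name(ip))
    result = {"ip": ip, "in_quoted_range": ipaddress.ip_address(ip) in LISTED_RANGE,
              "lists": [], "verdict": "not listed"}
    if any(a.startswith("127.255.255.") for a in answers):
        result["verdict"] = "query refused"  # e.g. sent via a public resolver
        return result
    kinds = set()
    for a in answers:
        name, kind = CODES.get(a, ("unknown " + a, "unknown"))
        result["lists"].append(name)
        kinds.add(kind)
    if "abuse" in kinds:
        result["verdict"] = "abuse listing"
    elif kinds:
        result["verdict"] = "policy listing only" if kinds == {"policy"} else "unrecognised code"
    return result

if __name__ == "__main__":
    # Constructed answers standing in for live DNS replies.
    fake = {dnsbl_name("102.132.130.5"): ["127.0.0.10"],
            dnsbl_name("192.0.2.10"): ["127.0.0.4", "127.0.0.11"]}
    for ip in ("102.132.130.5", "192.0.2.10", "155.93.153.200"):
        print(check(ip, lambda n: fake.get(n, [])))
```

Run against live DNS by calling `check(ip)` without a resolver, from a network whose resolver is allowed to query the zone.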
 

cobuskruger

Well-Known Member
Joined
Sep 21, 2009
Messages
184
Here are examples of the messages I get.

The first is a simple server error message on a white background. I normally get this one on Steam:

Access Denied
You don't have permission to access "http://steampowered.com/" on this server.
Reference #18.4d28f748.1607527279.fadcf71


On the Cool Ideas site itself, I get the following message, followed by steps to have the IP unblocked (which don't work):

403 Forbidden

WHAT? Why am I seeing this?

Your access to this site was blocked by Wordfence, a security provider, who protects sites from malicious activity.
 

swakop_toe

Well-Known Member
Joined
Sep 17, 2013
Messages
332
@PBCool ,
If a whole range of IPs is blocked, surely you are responsible to clear it?
Theoretically, an ISP can go out of business if all their allocated IPs are blacklisted. Or have I oversimplified it?
 

gfmalan

Expert Member
Joined
Nov 11, 2013
Messages
2,676
Hi Cobus,

I’m with CISP, and all of the sites you have listed work for me.

I can take screenshots, but no issues here.
 

swakop_toe

Well-Known Member
Joined
Sep 17, 2013
Messages
332
Is your current public IP part of the range Cobus noted above?
My current CISP IP is 102.132.211.xxx and all the above sites also work for me.
But I have proven nothing except that the range(s) Cobus is being allocated is in fact blacklisted.
 

Flywheel

Honorary Master
Joined
May 11, 2009
Messages
11,902
Sounds like an admin at Cool Ideas accidentally spilled beer on one of the keyboards.
 

LazyLion

King of de Jungle
Joined
Mar 17, 2005
Messages
103,801
I'm on Cool Ideas and all those sites open for me just fine.
 

PBCool

Cool Ideas
Company Rep
Joined
Jan 11, 2016
Messages
10,129
Sounds to me like some kind of malware.
I agree, we don't block anything on our network, this is more than likely something to do with the device in question or alternative service at play. Have you tried with multiple devices?
 

cobuskruger

Well-Known Member
Joined
Sep 21, 2009
Messages
184
@PBCool I'm not saying Cool Ideas is blocking anything. I'm saying some of the addresses that get assigned to me are blocked on other sites. All the sites work for me on the IP I have now, but not on the one I had this morning.

The one thing that you guys can check, is why Wordfence is blocking it on the Cool Ideas site. The way Wordfence works, it will be explicitly listed as either IP or IP range. Either on the firewall, or on one of the explicit lists specified on it. That really is the only way Wordfence blocks sites.

The IP you can check is 155.93.153.200
 

PBCool

Cool Ideas
Company Rep
Joined
Jan 11, 2016
Messages
10,129
If your IP keeps changing and keeps getting blocked, it's typically because something is causing the IPs to be blocked, i.e. blacklisted. Which router are you using?
 

TheRoDent

Cool Ideas Rep
Joined
Aug 6, 2003
Messages
5,502

According to Wordfence documentation this block was based on a real-time blacklist that they maintain based on activity on other Wordfence-enabled websites. I am assuming that the blocks on steampowered.com and olx.co.za etc. are also related to some activity that flags the IP you're using as being suspicious.


If this continues to happen to you with each new IP that you get (after a while) it might be worth investigating your network and all devices on it further than you already have.

In the meantime I will review your PPPoE logs and previous IPs assigned to you to see if we can find a pattern. Unfortunately there's no immediate way to know what list is being used by the other sites, or what activity is causing the blocklisting to occur.

Thanks for reporting.

Edit: I see support has already been in contact with you and it appears that each new IP you receive eventually gets blacklisted on Spamhaus. I also see you are using a Mikrotik. One of our support members might ask for access to your router to verify the firewall rules and integrity of the router. It could be a compromised router.

Edit: Edit, I see the screenshot I saw was from our side. Are you using our stock TP-Link router?
 

RedViking

Nord of the South
Joined
Feb 23, 2012
Messages
36,628
Not MTU this time :), more than likely a compromised router.
OK cool. Lol. My sister also couldn't access some websites. Changed the MTU as I did for mine and it worked.... Oh well. I guess checking with another router is the best option.
 