SORBS blacklists IP over and over again - amazon-ses

I've got a problem with SORBS, which still blacklists the IPs via which I send notifications to users (the IPs are dedicated Amazon SES IPs). I report every ban on their support platform (support.sorbs.net); in the first requests they suggested implementing the List-Unsubscribe header in emails, and I've done it.
Every de-list request seems similar: I write which IP is banned, they require me to explain why they should de-list this IP address, and my answer is that I deliver notifications to users (which they accepted during registration and which they have the opportunity to disable). Still my IPs are blacklisted over and over again.
Does anyone have a similar problem with the SORBS spam trap? SORBS doesn't want to tell me the exact reason for blacklisting my IPs.

Related

Is it possible that .htaccess login method is blocked in China?

I am currently building a small portal for an organisation to store some very basic confidential info (but not terribly important/secret). The staff are worldwide.
I initially decided to just use a basic .htaccess method (with https) but one person in China says they can't log in (the domain itself is not blocked from China though).
Does anyone know if this is likely a normal thing/protocol that gets blocked in China? It seems a very basic thing to block and I am not sure how it would be blocked if the actual domain works...
In other words, is it possible to block .htaccess logins at domains that are themselves not blocked?
In seeking this answer I am just trying to establish the likely cause of why they can't use the site (i.e. either blocked or not working for some other unknown reason).

How do I limit access to my Tomcat page by allowing multiple IP ranges, not a specific IP address?

I'm using Tomcat 8 and I need to whitelist (allow) only multiple sets of IP ranges to have access to the Tomcat login page.
I've found documentation on how to do specific IP addresses but not ranges.
Is this possible?
I've already tried many suggestions from other posts here but I've not seen anything related specifically to IP ranges.
Ideally I'm looking for something like this ;
I expect from implementing this limitation that nobody is shown the login page apart from people connecting from the allowed IP range.

Company's passwords leak led to many successful logins from TOR IPs. Can I trace them?

Long story short, our company's passwords got leaked, which led to many successful logins to our sites, FTP servers, cloud accounts, etc., causing a lot of data loss and taking plenty of time to recover it and to prevent it from happening in the future.
It is our fault, we stored our passwords in a file, which was located on our cloud, but the one who did it must be someone who might have access to that cloud, possibly someone who worked in the company in the past.
I installed a plugin on one of our WordPress sites to see the login attempts. I can see the IP of a person who tried to log in with the correct password (however, we changed it already). When I tried to look up some info about the IP, it was an IP of a TOR browser. I am new to this, but AFAIK it is practically untraceable.
My question is, is there a way (easy or hard) to trace this attacker?
Practically, no.
Tor is designed to obfuscate the origin of a connection. In order to break Tor's anonymity, you'd have to see the traffic entering and leaving the Tor network. With some clever correlating you could then find out who's connecting where (the NSA & co are doing that) but for a normal person/company this is impossible.

Strange POSTs in my Apache access log

My Apache server has been overloading and I'm trying to troubleshoot why.
In looking into the apache access log I see tons of entries like this:
POST /?CtrlFunc_999999AAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0
POST /?CtrlFunc_ppppqqqqqqqrrrrrrrsssssssstttt HTTP/1.0
POST /?CtrlFunc_KOUZdilsx27BGKOSXbfkpv05AGKPTX HTTP/1.0
POST /?CtrlFunc_rrsssssstttttuuuuuvvvvvwwwwwwx HTTP/1.0
All from different IP addresses. It seems strange that all these different IPs would all be sending sequential alpha-numeric requests. Is this some type of encoding that I'm not familiar with? I couldn't find out anything about the ?CtrlFunc either. There are hundreds of entries like this coming from IP addresses in China, Taiwan, India, Ecuador, and Spain to name a few.
Is this normal behavior? I'm just trying to track down why my apache server gets overloaded every time I turn it on. Maybe there's a more efficient way to look at the server processes, but I haven't found it.
I've seen the same attack.
The people over at the Internet Storm Center do not have a method for stopping the flow, but have some suggestions on how to drop the incoming requests:
https://isc.sans.edu/forums/diary/Defending+Against+Web+Server+Denial+of+Service+Attacks/16240
Particularly Comment #2, from the Mod_Security team member, which seems to work well for me.
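A way to confirm from the access log that these requests share one signature and arrive from many sources, which is why a drop rule keyed on the request URI is more practical than blocking individual IPs. This is an added example, not part of the original posts or the ISC diary; the sample log is constructed (the CtrlFunc request lines are the ones quoted in the question, while the documentation-range IPs, timestamps, statuses and sizes are made up), and the names LOG_RE, FLOOD_RE and summarize are this example's own.

```python
import re
from collections import Counter

# Prefix shared by Apache common and combined log formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
# Signature taken from the request lines quoted in the question.
FLOOD_RE = re.compile(r'^/\?CtrlFunc_[0-9A-Za-z]+$')

# Constructed sample: the CtrlFunc request lines are from the question; the
# IPs (documentation ranges), timestamps, statuses and sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /?CtrlFunc_999999AAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /?CtrlFunc_ppppqqqqqqqrrrrrrrsssssssstttt HTTP/1.0" 200 512
203.0.113.45 - - [01/Jan/2024:10:00:02 +0000] "POST /?CtrlFunc_KOUZdilsx27BGKOSXbfkpv05AGKPTX HTTP/1.0" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "POST /?CtrlFunc_rrsssssstttttuuuuuvvvvvwwwwwwx HTTP/1.0" 200 512
198.51.100.23 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.99 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0
this line is not in log format
"""

def summarize(lines):
    """Count requests matching the CtrlFunc signature and where they come from."""
    parsed = 0
    hits = Counter()  # source IP -> number of matching requests
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in access-log format
        parsed += 1
        if m["method"] == "POST" and FLOOD_RE.match(m["uri"]):
            hits[m["ip"]] += 1
    matched = sum(hits.values())
    return {
        "parsed": parsed,                  # well-formed log lines seen
        "matched": matched,                # requests carrying the signature
        "sources": len(hits),              # distinct client IPs sending them
        "share": matched / parsed if parsed else 0.0,
        "top": hits.most_common(3),        # busiest sources
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

On a real server, pass the open access log file to summarize() instead of the sample; a high share spread thinly across many sources indicates a distributed flood rather than one misbehaving client.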

What does “GCMRegistrar.register” do?

Follow this link: https://developer.android.com/guide/google/gcm/demo.html
At home I can run the GCM demo successfully.
But at the company, it fails with ‘authentication failed’.
I think there is something wrong with the network at my workplace (blocked IP or protocol).
Because I can't find the source code of the GCM jars,
does anyone know what happens when the client invokes ‘GCMRegistrar.register’?
I want to ask our network admin to help me solve this problem.
I've got the answer: https://groups.google.com/forum/#!topic/android-gcm/7qPUp0Ym3Ak
Note:
If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. The ports to open are: 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM doesn't provide specific IPs. It changes IPs frequently. We recommend against using ACLs but if you must use them, take a broad approach such as the method suggested in this support link.
It is helpful to me.
You can find this kind of answer in the official documentation, here.
Considering this, the register() method is the one responsible for:
Initiate messaging registration for the current application.
You should take a look at the method description, here.