Issue with Validation Change

We’re using security software that, among other things, queries the Spamhaus Project’s RBL and blocks source IPs which are listed. Several of the testing IPs used by the new validation technique are being blocked due to being listed on the Spamhaus XBL list. Querying those IPs, we find that Spamhaus has them listed because they are listed on the AbuseAt Composite Blocking List (CBL) at https://www.abuseat.org/. Testing the three validation IPs that were blocked shows that, according to the CBL, those IPs have been identified as having been infected with a botnet, either nymaim/Gamarue or matsnu.

https://www.abuseat.org/lookup.cgi?ip=3.14.255.131

https://www.abuseat.org/lookup.cgi?ip=18.194.58.132

https://www.abuseat.org/lookup.cgi?ip=34.222.229.130

We could disable these checks in our security software, but that defeats the purpose of the software. We could whitelist individual IPs, but we don’t know which IPs we need to whitelist or whether the list will change without any forewarning, and regardless I’m wary about whitelisting IPs that may be involved with botnets.

2 Likes
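As an added example (not code from the original poster, Let's Encrypt, or Spamhaus), a small Python script that reproduces the diagnosis described in the post above: it forms the reversed-octet DNSBL query against Spamhaus's zen zone and maps each 127.0.0.x answer to the sub-list it came from, XBL being the list that carries CBL data. The `constructed_resolve` stub and the answers it returns are constructed for offline use; `default_resolve` performs the real lookup through the system resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Spamhaus "zen" combined zone. Answers 127.0.0.4-7 come from the XBL, the list that
# incorporates the CBL listings described in the post. Answers in 127.255.255.0/24 are
# error codes (query refused, open/public resolver, rate limit), not listings.
ZEN_ZONE = "zen.spamhaus.org"
RETURN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the reversed-octet query name, e.g. 131.255.14.3.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects hostnames and IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers: List[str]) -> Dict[str, object]:
    """Turn DNSBL A-record answers into a verdict; an empty list means not listed."""
    if any(a.startswith("127.255.255.") for a in answers):
        return {"listed": None, "lists": [], "error": "query refused or rate-limited"}
    lists = sorted({RETURN_CODES.get(a, "unknown:" + a) for a in answers})
    return {"listed": bool(lists), "lists": lists, "error": None}

def default_resolve(name: str) -> List[str]:
    """Real lookup via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed sample answers (NOT live Spamhaus data): the three IPs from the post as
# XBL-listed, plus an unlisted address and a rate-limit error response.
CONSTRUCTED_ANSWERS = {
    dnsbl_name("3.14.255.131"): ["127.0.0.4"],
    dnsbl_name("18.194.58.132"): ["127.0.0.4"],
    dnsbl_name("34.222.229.130"): ["127.0.0.6"],
    dnsbl_name("192.0.2.10"): ["127.255.255.255"],
}

def constructed_resolve(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])

def check_ip(ip: str, resolve: Callable[[str], List[str]] = default_resolve) -> Dict[str, object]:
    """Query one IPv4 address and report which Spamhaus sub-lists (if any) list it."""
    verdict = classify(resolve(dnsbl_name(ip)))
    verdict["ip"] = ip
    return verdict

if __name__ == "__main__":
    for ip in ("3.14.255.131", "18.194.58.132", "34.222.229.130"):
        print(check_ip(ip, resolve=constructed_resolve))
```

A verdict of `XBL` tells you only why the filter fired; it does not tell you which addresses Let's Encrypt will validate from next, which is why the path-based exception discussed later in the thread is the more durable fix than an IP allowlist.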

It has always been the case that Let's Encrypt's validation IPs can change at any time and that you cannot block any IPs.

That CBL used to sometimes falsely block Let's Encrypt's traditional IPs as well. See most recently:

Maybe they added those IPs to some kind of exception list but not the new ones. :confused:

You should stop blocking things, stop using that blocklist, add some kind of exception for the validation requests (e.g. the /.well-known/acme-challenge/ path for HTTP-01 validation), or use DNS-01 validation (assuming your DNS servers don't use these blocklists too).

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.