For 2 weeks I have been greylised at drupal.org and requested whitelisting. Today I was banned. I don't know why this is happening and don't know what to do to fix this. Do I have a virus, spyware problem? Where can I find help with this? I have a dual boot (Ubuntu karmic and Windows XP) - it happens on both OS's.
I now can't download serial field (http://drupal.org/project/serial).
I use Telkom (South Africa) ADSL and wireless. Should I contact my service provider rather than drupal.org?
Attempts to google this issue informed me I have done something wrong. What? Is my computer sending spam without me knowing it?
Assistance and clarity would be greatly appreciated.

Heli
(Desperate site builder trying to meet a deadline.)

Comments

killes@www.drop.org’s picture

killes@www.drop.org commented

I've removed the blacklist entry.

YOu end up there when projecthoneypot has your IP blacklisted. Why they did that is explained at their site:

www.projecthoneypot.org

You can search for your IP there.

http://whatismyip.org/

will tell you which IP you use at the moment.

KG2’s picture

KG2 commented

Thanks so much for unblocking and getting back to me - I'll follow this up.

KG2’s picture

KG2 commented

Update:

My IP keeps being blacklisted at http://drupal.org (this despite the fact that according to Honeypot the current IP has been whitelisted since 15 October). This is happening both at home and at work (both Telkom modems). I just appear to have been unblacklisted - is it perhaps because of your intervention and the fact that I've logged in?

According to a comment on honeypot
http://www.projecthoneypot.org/ip_196.25.255.218

D.Volek commented...
This is an address within the range of dynamic IPs allocated by Telkom, the country's biggest service provider. IP addresses are dynamically changed every 24 hours. It is therefore ideal for spammers but sadly the people who are "trapped" are not the spammers (who have since moved to a new IP), but innocent people who happened to get allocated that IP address today.

killes@www.drop.org’s picture

killes@www.drop.org commented

No, I didn't do anything regarding your IP. It is not in the blacklist atm.

KG2’s picture

KG2 commented

It has taken me at least 20 minutes and many page refreshes to be able to reply to your post.

I receive the following messages from http://drupal.org (same day, same computer):

Sorry, 196.25.255.194 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

Click on http://drupal.org/httpbl/whitelist

Sorry, 196.25.255.218 has been blacklisted by http:BL.

Go to Honeypot:

You are trying to whitelist 196.25.255.194, but are connecting from 198.54.202.195. Please connect from 196.25.255.194 and try again.

Refresh the page at http://drupal.org several times, get through, then it happens again:

Sorry, 198.54.202.226 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist

.

Sorry, 196.25.255.218 has been blacklisted by http:BL.

-----------

Sorry, 196.25.255.195 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

etc etc
-----------------
Meanwhile according to honeypot:

Whitelist IP: 196.25.255.218
- 196.25.255.218 has been whitelisted 6 time(s) and delisted 5 time(s)
- Whitelist status: This IP is currently whitelisted and has been since October 15, 2011 09:25 AM PDT.

I am starting to feel a little crazy here (though no doubt this attributable to my ignorance). As far as I can tell:
  • The greylisted IP reported at drupal.org is not necessarily the IP I am connecting with when I click the link to honeypot (http:BL)
  • The IP (randomly)reported blacklisted by http://drupal.org, is whitelisted by honeypot
killes@www.drop.org’s picture

killes@www.drop.org commented

Hmm, have you tried to use the whitelist form? It will set a session var that should whitelist you locally.

KG2’s picture

KG2 commented

The whitelist form now takes me to
Sorry, 196.25.255.218 has been blacklisted by http:BL.
(it did work a few weeks ago)
and sometimes I end up on the Access Denied page

KG2’s picture

KG2 commented

It happened repeatedly trying to reply to you.
The link to the whitelist form took me to 'Access Denied'.
On refresh to: Sorry, 196.25.255.218 has been blacklisted by http:BL.
I don't know if this will get through. But currently, for me, http://drupal.org is virtually unusable.

KG2’s picture

KG2 commented

i am now on my cell phone and see the above was posted (despite greylist, access denied, blacklist repeat on save). I am now blacklisted on both my laptop and desktop and page refreshes are not making a difference.

killes@www.drop.org’s picture

killes@www.drop.org commented

there was a single IP in the access list. I unfortunately purged it before checking which IP...

I have the suspicion, that you are a victim of some bad caching rather than actual blackisting. I am not sure if that happens on our side or on yours, though.

KG2’s picture

KG2 commented

It appears your suspicions are correct, and the issue is with my service provider. I found this: http://projecthoneypot.org/board/read.php?f=4&i=725&t=725
hope it makes more sense to you than me... Something to do with SAIX web-caching. Interestingly, the example IPs are the ones I'm having an issue with today. Drupal.org reports greylisting on the former (194) and Honey Pot says I'm accessing from the latter (195).

Is there anything more that can be done at drupal.org? I suspect not... Thanks for all the attention you have given my support request. I really appreciate it.

Heli (who has reverted to phone and Opera Mini in desperate attempt to access drupal...)

killes@www.drop.org’s picture

killes@www.drop.org commented

I have now manually whitelisted 196.25.255.218 fr a month, does that help?

KG2’s picture

KG2 commented

Made no difference I'm afraid.

killes@www.drop.org’s picture

killes@www.drop.org commented

Currently, no addresses that can be associated with South Africa are blocked locally.

Can you access

http://drupal.org/httpbl/whitelist directly?

KG2’s picture

KG2 commented

Can't access http://drupal.org/httpbl/whitelist

Access denied
You are not authorized to access this page.

-------
Tried get assistance from Drupal South Africa group. Following message:
"Your submission has triggered the spam filter and will not be accepted."
--------
According to http://whatismyip.org/ my IP (both laptop and desktop) is: 41.146.226.143
Do you have any record of this IP?
---------
My attempt to get assistance from Telkom has failed thus far. After lengthy description was asked, "Are you connected to the internet?" and given instructions for turning on my modem. I'll steal myself and try again to day.
--------
My last 2 attempts to reply to you disappeared with greylisted message on 'Save'. Lets hope it doesn't happen again.

Heli

killes@www.drop.org’s picture

killes@www.drop.org commented

I have no record of 41.146.226.143, it is not blacklisted.

It is strange that you cannot access http://drupal.org/httpbl/whitelist _and_ get mesages about being greylisted at the same time. You should have access there.

I have now manually whitelisted 41.146.226.143.

KG2’s picture

KG2 commented

Update:

Service Provider, Telkom, is unable to assist in anyway. Reportedly, since my IP is dynamically assigned every 24 hrs, it is not possible that this has anything to do with them.

This on the honey Pot message board would appear to disagree:
http://projecthoneypot.org/board/read.php?f=4&i=725&t=725
-----------
I'm still trying to get my head around this:
* The greylisted IP reported at http://drupal.org is not necessarily the IP I am connecting with when I click the link to honeypot (http:BL)
* The IP reported blacklisted by http://drupal.org, is whitelisted by honeypot
-----------

I suppose the next port of call would be to pursue it with honeypot...

KG2’s picture

KG2 commented

According to Telkom, since my IP is dynamically assigned every 24 hrs, there is no way that a problem that has been occurring for a few weeks has anything to do with them.

This post at honeypot would appear to disagree:
http://projecthoneypot.org/board/read.php?f=4&i=725&t=725

I'm still trying to get my head around the logic of this:
* The greylisted IP reported at http://drupal.org is not necessarily the IP I am connecting with when I click the link to honeypot (http:BL)
* The IP reported blacklisted by http://drupal.org, is whitelisted by honeypot
* This is happening on 3 different computers with different operating systems, 2 different modems (same service provider)
---------
I suppose the next port of call would be to pursue this with honeypot...
or get a new service provider...

(I'm afraid your last manual whitelist made no difference.)

KG2’s picture

KG2 commented

Come to think of it, one of your interventions has made a difference. I am no longer getting the blacklisted message. i.e.

Sorry, 196.25.255.218 has been blacklisted by http:BL.

It stops at greylisted (today),

Sorry, 198.54.202.226 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

Then Access denied for the whitelist form (this is the stage where I previously got the blacklisted message)...

(Honey Pot: the greylisted IP 198.54.202.226 encountered 'bad activity' in Nov 2010, but has been whitelisted since March)

killes@www.drop.org’s picture

killes@www.drop.org commented

I think the situation is that the proxy through which you leave your provider's net is changing with every request you make. That would explain why you get greylisted with one request and then white or blacklisted on the next ie when you try to access the whitelist form.

Ie the IP that you appear to come from changed from request to request.

Can you verify this by calling whatismyip.org a couple of times.

Collect the IPs that you see, so that I can whitelist them.

KG2’s picture

KG2 commented

That's the weird thing. BOTH my desktop and laptop show the same IP at http://whatismyip.org/

41.146.226.143

Called it several times on both computers and the number didn't change (although also got 'Server Error [code=SERVER_RESPONSE_RESET] ' and 'Too frequent!')

The honey pot post mentioned http://projecthoneypot.org/board/read.php?f=4&i=725&t=725

It is SAIX policy to transparent cache all shaped and unshaped ADSL IP addresses. Therefor the source IP address will always change to a network IP address of a cache appliance, hence you will see plenty sessions from the 198.54.202.0 and 196.25.255.0 segments. If you examine the HTTP header information, you should fine the real "Source IP" in the X-forward-for "field". The cache appliance will rewrite the HTTP header to reveal this info. Those 41.x.x.x. IPs that you seeing are IPNET edges with no web-cache appliances and usually are very small DSLAM sites.

I'm afraid this not my area of expertise and I really don't know what the above means - but it seems relevant

What about whitelisting the IP currently reported greylisted by drupal.org: 198.54.202.226 and see if it helps.

Still wondering why I can't access the whitelist form...

Heli

killes@www.drop.org’s picture

killes@www.drop.org commented

I don't understnad that description either...

I'll try to find somebody who does.

198.54.202.226 is now whitelisted.

KG2’s picture

KG2 commented

I really though the whitelisting would work. But what do you know, the greylist message is now:
Desktop:

Sorry, 196.25.255.250 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

Laptop:

Sorry, 196.25.255.194 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

And of course "Access denied" at http://drupal.org/httpbl/whitelist

Thanks again for all the attention you have given this support request. I really appreciate it and hope this issue is not driving you as nuts as it is me.

Heli

Tried to edit a post and now the message is

Sorry, 198.54.202.246 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

So that is the IP thats changing (not whatever is showing at http://whatismyip.org/)
---
few minutes later
196.25.255.250 again
------
few minutes later

Sorry, 198.54.202.250 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

--------
My laptop is now greylisted with the same IP that the desktop was greylisted with when I started this post:
196.25.255.250

KG2’s picture

KG2 commented

Discovered this IP was not whitelisted, 196.25.255.250 managed to send the request without the usual 'try again' with changing IP errors -(now wondering if this was because I previously tried this with a wireless connection...) :

You are connecting from 196.25.255.246 which qualifies you to submit any IP from 196.25.255.1 - 196.25.255.255 (or 196.25.255.0/24) for automatic whitelisting.

Whitelist IP: 196.25.255.250
- 196.25.255.250 has been whitelisted 3 time(s) and delisted 2 time(s)
- Whitelist status: This IP was whitelisted, but has since been reverted due to detected bad activity. It was reverted on February 04, 2011 11:07 PM PST.
- Whitelist delay: 00:02:05 (hours:minutes:seconds)
-------------
ATTENTION
* Your IP address, 196.25.255.250, has been scheduled for whitelisting and will be automatically listed on October 26, 2011 04:33 AM PDT. The IP will remain on our whitelists until bad activity is encountered.

You are connecting from 196.25.255.218 which qualifies you to submit any IP from 196.25.255.1 - 196.25.255.255 (or 196.25.255.0/24) for automatic whitelisting.

Whitelist IP: 196.25.255.218
- 196.25.255.218 has been whitelisted 6 time(s) and delisted 5 time(s)
- Whitelist status: This IP is currently whitelisted and has been since October 15, 2011 09:25 AM PDT.
- Whitelist delay: 04:20:25 (hours:minutes:seconds)

killes@www.drop.org’s picture

killes@www.drop.org commented

I have whitelisted all recorded IPs starting with 198. _locally_ (which will expire tomorrow).

If you still get the messages "access denied" when trying to access the form please update here. I added some debug info.

KG2’s picture

KG2 commented

On reading this, in quick succession,

1) Went to http://drupal.org
Sorry, 198.54.202.210 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

http://drupal.org/httpbl/whitelist : 'Access Denied'

2) Opened http://drupal.org/node/1308240, clicked reply (http://drupal.org/comment/reply/1308240/5164050)
Sorry, 196.25.255.194 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

http://drupal.org/httpbl/whitelist : 'Access Denied'

3) http://drupal.org/comment/reply/1308240/5164050 On 'Save'
Sorry, 196.25.255.194 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

http://drupal.org/httpbl/whitelist : 'Access Denied'

4) Opened new tab

http://drupal.org/node/1308240 saw this was not posted. Will paste it and try again

KG2’s picture

KG2 commented

Checked the http:BL links.

1) 198.54.202.210 is whitelisted

http://www.projecthoneypot.org/ip_198.54.202.210
Honey Pot System commented...
WHITELIST NOTICE: This IP has been whitelisted. Future bad activity will result in automatic removal.
October 04 2011 04:40 AM

2) Requested whitelisting for 196.25.255.194

Your IP address, 196.25.255.194, has been scheduled for whitelisting and will be automatically listed on October 26, 2011 05:50 AM PDT. The IP will remain on our whitelists until bad activity is encountered.

KG2’s picture

KG2 commented

Then miraculously all links appeared to work and I thought you'd fixed it, and then, not:

Sorry, 196.25.255.250 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

http://drupal.org/httpbl/whitelist 'Access denied'

But it does appear to be happening less often...

KG2’s picture

KG2 commented

http://drupal.org/search/apachesolr_multisitesearch/rules%20token%20cond...

Sorry, 196.25.255.194 has been greylisted by http:BL.
You may try whitelisting on http://drupal.org/httpbl/whitelist.

http://drupal.org/httpbl/whitelist 'Access denied'

killes@www.drop.org’s picture

killes@www.drop.org commented

I've whitelisted additional IPs (those that start with 196.2)

Frankly: I blame your provider despite what they say. Can't they give you a semi-permanent IP? With yours changing every couple of requests you are going to have trouble elsewhere too.

KG2’s picture

KG2 commented

I need to investigate this with Telkom - but have failed to communicate with anyone who believes this is a real problem. My last attempt was met with, "Can you access Google? Can you access Facebook? Can you access Youtube?" The implication was that these 3 are "the internet", while Drupal is not.
(But it is true that I haven't noticed a problem with other sites - but to be honest I'm currently so busy with a Drupal project that I haven't spent much time elsewhere of late...)

One thing that is odd, is that I was told that the IP changes every 24hrs - but we've found that it is changing every couple of requests...

By the way, we're not talking about any service provider here. This is South Africa's main telecommunications company, a parastatal (monopoly on landlines, cables etc)

Thank you very much for all your help.

Heli

killes@www.drop.org’s picture

killes@www.drop.org commented

You really should get into contact with other South African drupal.org users. There must be quite a few by now and you appear to be the only one who has these issues. Or maybe you are the only one who hasn't given up :-?

Only alternative would be to whitelist the whole country. We'd need a while to compile a list of IPs.

burningdog’s picture

burningdog commented

KG2 has alerted us at http://groups.drupal.org/node/186079

We'll see if we get some more info at that thread. I personally haven't had any blacklisting issues. My ISP is Afrihost, but eventually all internet in South Africa goes through SAIX. Maybe KG2 should set up a VPN at linode or something...

bassplaya’s picture

bassplaya commented

haven't been following the whole story but I am currently getting the same issue as KG2. I've never ever seen such thing in my life. I've been to whatismyip.org and that shows another ip each time that I refresh...

michelle’s picture

michelle
she/her
Primary language English
Location Wisconsin, USA
commented
Status: Active » Fixed

It's been months since the last activity here. If there is still a problem, please re-open.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

joaogarin’s picture

joaogarin commented

Hello I am greylisted as well. How do you handle this and how can I remove this?

I use Drupal for more than 4 years, never seen this.

Can someone help?thanks Ip is 91.217.119.254

killes@www.drop.org’s picture

killes@www.drop.org commented
Issue summary: View changes

https://www.projecthoneypot.org/ip_91.217.119.254

Go there using that IP and you should get whitelisted.