  1. #1
    Newbie
    Join Date
    Sep 2007
    Location
    Brazil
    Posts
    4

    Default Spyware Blocker Question

    Hi guys, I'm kind of new to Untangle, and I've got a question.
    First of all I would like to thank everybody that did and support this software, it's very good, functionally and graphically speaking.
    Well, my concern is about spyware blocker. I see there are many events that have the "pass" flag on them, even though they look like spyware to me, like this one: 209.62.176.0/19 : Doubleclick (reason In Subnet List)
    Why isn't it blocking such things? Aren't they considered spyware? How can I make it block them besides just logging it? I mean, there is no "block" option on "subnet list", just "Log".
    Thanks in advance for your help and patience!

  2. #2
    Untangle Junkie amac's Avatar
    Join Date
    Aug 2007
    Posts
    824

    Default

    Hey,
    I don't quite get where the issue is. I take it that you are blocking some spyware, but not all of it that you would like?
    In the module, what type of mail traffic are you using? SMTP, IMAP, or POP? And which threshold are you set on?
    If you can answer these, we can help out more.
    Hope that everything else is going well. Let us know, and welcome to the forums.

  3. #3
    Administrator gotkimchi's Avatar
    Join Date
    Jan 2007
    Location
    Bay Area
    Posts
    2,109

    Default

    Welcome to the forums Katabroc... The Untangle spyware blocker module is blocking that subnet. The subnet list is under the block lists tab, meaning it will be blocked. You have the option to log this incident or you can leave the check mark box empty.
    to be understood, you must first understand.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

  4. #4
    Newbie
    Join Date
    Sep 2007
    Location
    Brazil
    Posts
    4

    Default

    Well, thanks for answering so fast! U guys are awesome.

    But I'm not quite sure if I said what I wanted to. This is what I get on my Event log:



    Aren't those requests supposed to be blocked? I mean, if they have "pass" action, they are not being blocked, right?

  5. #5
    Newbie
    Join Date
    Sep 2007
    Location
    Brazil
    Posts
    4

    Default

    Does anybody know something about my question? Thanks

  6. #6
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,802

    Default

    I think I do, thanks to someone who has a deep history! The subnet list is in some ways live, and in some ways, a historical reference. Spyware sites may still own every IP address in a block that is listed on the subnet list, but other legitimate sites may now be in a listed block as well. We cannot block a legitimate site because of this, so the known sites are blocked by URL. I hope this helps. It has provided a basis for learning for more than one of us!

  7. #7
    Administrator gotkimchi's Avatar
    Join Date
    Jan 2007
    Location
    Bay Area
    Posts
    2,109

    Default

    katabroc, the subnets do not get blocked, however they do get logged. As for the doubleclick ads and such, they do get blocked and logged by our Spyware blocker, since they belong in the cookie list. There are non published spyware URL filters inside the Untangle, working behind the scenes.

  8. #8
    Newbie
    Join Date
    Sep 2007
    Location
    Brazil
    Posts
    4

    Default

    Hmm, now I got it. I think I'm going to block the rest of them with the firewall.
    Thanks for the help guys!

  9. #9
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,691

    Default

    gotkimchi is correct, they are only logged and in the report each access is reported under 'suspicious clients'

    the goal of the subnet list is to detect suspicious behavior.

    many many moons ago we had a 'block' checkbox for each subnet and if the user turned it on they were overwhelmed by false positives. the problem is that those subnets are suspected to host spyware/adware related servers, but blocking them entirely creates more problems than good.
